Bug
Resolution: Done
Before reporting an issue
[x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
oidc
Describe the bug
ClientAuthenticationFlow#findExecutionsToRun finds the client authenticators to run for a given flow; if it finds a required authenticator this is used, but if there are multiple alternative authenticators these are added twice.
This is due to the following:
https://github.com/keycloak/keycloak/blob/6fce9c89e4ded2feb79a2e068b4cdba62e87e4fc/services/src/main/java/org/keycloak/authentication/ClientAuthenticationFlow.java#L115-L116
executionsToRun and finalExecutionsToRun are the same list; while it is looping through the list, the alternative authenticators are added to finalExecutionsToRun (the same list as executionsToRun), then they are added again in the following line:
https://github.com/keycloak/keycloak/blob/6fce9c89e4ded2feb79a2e068b4cdba62e87e4fc/services/src/main/java/org/keycloak/authentication/ClientAuthenticationFlow.java#L131
As long as one of the alternative authenticators is successful this doesn't matter, but if no authenticators are successful it results in all authenticators being retried again.
Version
main
Regression
[ ] The issue is a regression
Expected behavior
Alternative authenticators are executed at most one time
Actual behavior
If no authenticators are successful all alternative authenticators are executed twice
How to Reproduce?
Use a client authentication test that is not passing, and observe all alternative authenticators are tried twice
Anything else?
No response
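The aliasing described in this report, reduced to a stand-alone model (an added example, not Keycloak's code and not part of the original issue). Only the names executionsToRun and finalExecutionsToRun come from the report; the Execution record, the alternatives list, the loop shape and the sample ids are assumptions made for illustration, and the code needs Java 16 or later.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified model of the defect; everything except the two list names
// taken from the report is hypothetical.
public class AliasedExecutionsDemo {
    record Execution(String id, boolean required) {}

    // Shape of the defect: two variables, one list object.
    static List<Execution> buggy(List<Execution> configured) {
        List<Execution> executionsToRun = new ArrayList<>();
        List<Execution> finalExecutionsToRun = executionsToRun; // alias, not a copy
        List<Execution> alternatives = new ArrayList<>();
        for (Execution e : configured) {
            if (e.required()) {
                return List.of(e);               // a required authenticator is used alone
            }
            alternatives.add(e);
            finalExecutionsToRun.add(e);         // first add
        }
        executionsToRun.addAll(alternatives);    // second add, into the same list
        return executionsToRun;
    }

    // One way to avoid it: collect the alternatives in a single step.
    static List<Execution> fixed(List<Execution> configured) {
        List<Execution> alternatives = new ArrayList<>();
        for (Execution e : configured) {
            if (e.required()) {
                return List.of(e);
            }
            alternatives.add(e);
        }
        return alternatives;
    }

    public static void main(String[] args) {
        // Constructed sample: two alternative client authenticators, none required.
        List<Execution> configured = List.of(
                new Execution("client-secret", false),
                new Execution("client-jwt", false));
        // When every authenticator fails, each entry in the list is one attempt.
        System.out.println("buggy: " + buggy(configured).stream().map(Execution::id).toList());
        System.out.println("fixed: " + fixed(configured).stream().map(Execution::id).toList());
    }
}
```

A regression test for this behaviour can assert that the list returned for a flow with only alternative authenticators contains no repeated execution.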