RH-SSO / RHSSO-256

Conditional OTP authenticator doesn't work


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • RH-SSO-7.0.0.ER9
    • RH-SSO-7.0.0.ER8

      1. create new auth flow
      2. add execution auth-username-password-form and switch requirement to required
      3. add execution auth-conditional-otp-form and switch requirement to required
      4. add config to execution *
      5. bind browser flow to the created flow
      6. try to log in and see expected result **

      *
      Both snippets assume these imports:
      import java.util.HashMap;
      import java.util.Map;
      import static org.keycloak.authentication.authenticators.browser.ConditionalOtpFormAuthenticator.*;

      a)
      Map<String, String> config = new HashMap<>();
      config.put(DEFAULT_OTP_OUTCOME, SKIP); // default outcome "skip": no OTP form unless a condition forces it

      b)
      Map<String, String> config = new HashMap<>();
      config.put(OTP_CONTROL_USER_ATTRIBUTE, "userSkipAttribute"); // user attribute whose value ("skip"/"force") decides

      and add userSkipAttribute with value "skip" to the test user

      **
      The OTP form shouldn't be displayed in either case, but it is.


      It seems to me that the Conditional OTP form authenticator isn't used, or the authenticator doesn't work well. The authenticator org.keycloak.authentication.authenticators.browser.ConditionalOtpFormAuthenticator should decide in the following order:

      1. it should check whether the user attribute is set; if so, it decides whether to require the OTP form ("force") or skip the form ("skip")
      2. analogously, the role
      3. the request header
      4. the default configuration
      5. if no default is configured, require OTP

      I have tried just the user attribute and the default config, and it seems to me that the form behaves exactly the same as OTPFormAuthenticator (no conditions are taken into consideration).

      I haven't tested the remaining conditions.

            Assignee: Unassigned
            Reporter: Vlasta Ramik (vramik@redhat.com)
            Votes: 0
            Watchers: 2

              Created:
              Updated:
              Resolved:
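The decision order the report expects (user attribute, then role, then request header, then default, then fail closed to "require OTP"), as an added stand-alone model; this is example code written for this page, not Keycloak's ConditionalOtpFormAuthenticator. DEFAULT_OTP_OUTCOME, OTP_CONTROL_USER_ATTRIBUTE and SKIP come from the report; the role and header config keys, the FORCE value, the literal key strings, and the rule that a skip role or skip header pattern is checked before its force counterpart are assumptions made for the model. The inputs at the bottom are constructed to reproduce the report's cases (a) and (b) and exercise the conditions the reporter did not test.

```python
"""Model of the decision order the report expects from
ConditionalOtpFormAuthenticator. Added example, not Keycloak's code."""
import re
from enum import Enum

# Config keys and values. DEFAULT_OTP_OUTCOME, OTP_CONTROL_USER_ATTRIBUTE and SKIP
# appear in the report; the role and header keys, FORCE, and the literal key
# strings are assumptions made for this model.
DEFAULT_OTP_OUTCOME = "defaultOtpOutcome"
OTP_CONTROL_USER_ATTRIBUTE = "otpControlAttribute"
SKIP_OTP_ROLE = "skipOtpRole"                               # assumed
FORCE_OTP_ROLE = "forceOtpRole"                             # assumed
SKIP_OTP_FOR_HTTP_HEADER = "noOtpRequiredForHeaderPattern"  # assumed
FORCE_OTP_FOR_HTTP_HEADER = "forceOtpForHeaderPattern"      # assumed
SKIP = "skip"
FORCE = "force"


class Decision(Enum):
    SKIP = "skip"
    FORCE = "force"
    ABSTAIN = "abstain"  # condition not configured or not applicable


def _vote(value):
    """Map a configured or attribute value to a Decision; anything else abstains."""
    if value is None:
        return Decision.ABSTAIN
    value = value.strip().lower()
    if value == SKIP:
        return Decision.SKIP
    if value == FORCE:
        return Decision.FORCE
    return Decision.ABSTAIN


def vote_user_attribute(user, config):
    """Step 1: value of the user attribute named by OTP_CONTROL_USER_ATTRIBUTE."""
    attr_name = config.get(OTP_CONTROL_USER_ATTRIBUTE)
    if not attr_name:
        return Decision.ABSTAIN
    return _vote(user.get("attributes", {}).get(attr_name))


def vote_user_role(user, config):
    """Step 2: membership in a configured skip or force role (skip checked first; assumed)."""
    roles = set(user.get("roles", ()))
    if config.get(SKIP_OTP_ROLE) in roles:
        return Decision.SKIP
    if config.get(FORCE_OTP_ROLE) in roles:
        return Decision.FORCE
    return Decision.ABSTAIN


def vote_http_header(headers, config):
    """Step 3: regex full-matched against 'Name: value' lines of the request (assumed)."""
    lines = [f"{name}: {value}" for name, value in headers.items()]
    for key, decision in ((SKIP_OTP_FOR_HTTP_HEADER, Decision.SKIP),
                          (FORCE_OTP_FOR_HTTP_HEADER, Decision.FORCE)):
        pattern = config.get(key)
        if pattern and any(re.fullmatch(pattern, line) for line in lines):
            return decision
    return Decision.ABSTAIN


def vote_default(config):
    """Step 4: DEFAULT_OTP_OUTCOME."""
    return _vote(config.get(DEFAULT_OTP_OUTCOME))


def otp_required(user, headers, config):
    """True if the OTP form must be shown. The first non-abstaining step wins;
    if every step abstains (step 5) the form is required, i.e. fail closed."""
    for decision in (vote_user_attribute(user, config),
                     vote_user_role(user, config),
                     vote_http_header(headers, config),
                     vote_default(config)):
        if decision is not Decision.ABSTAIN:
            return decision is Decision.FORCE
    return True


# Constructed inputs reproducing the report's configurations (a) and (b).
USER_PLAIN = {"attributes": {}, "roles": ["user"]}
USER_SKIP_ATTR = {"attributes": {"userSkipAttribute": "skip"}, "roles": ["user"]}
HEADERS = {"User-Agent": "curl/8.0", "X-Forwarded-For": "203.0.113.5"}


def report_cases():
    """Expected outcome per case; False means the OTP form is skipped."""
    return {
        "a_default_skip": otp_required(USER_PLAIN, HEADERS, {DEFAULT_OTP_OUTCOME: SKIP}),
        "b_attr_skip": otp_required(USER_SKIP_ATTR, HEADERS,
                                    {OTP_CONTROL_USER_ATTRIBUTE: "userSkipAttribute"}),
        "nothing_configured": otp_required(USER_PLAIN, HEADERS, {}),
        "attr_force_beats_default_skip": otp_required(
            {"attributes": {"otp": "force"}}, HEADERS,
            {OTP_CONTROL_USER_ATTRIBUTE: "otp", DEFAULT_OTP_OUTCOME: SKIP}),
        "header_force_beats_default_skip": otp_required(
            USER_PLAIN, HEADERS,
            {FORCE_OTP_FOR_HTTP_HEADER: r"X-Forwarded-For: .*", DEFAULT_OTP_OUTCOME: SKIP}),
        "skip_role_beats_header_force": otp_required(
            {"attributes": {}, "roles": ["otp-exempt"]}, HEADERS,
            {SKIP_OTP_ROLE: "otp-exempt", FORCE_OTP_FOR_HTTP_HEADER: r"X-Forwarded-For: .*"}),
    }


if __name__ == "__main__":
    for case, required in report_cases().items():
        print(f"{case}: OTP form {'shown' if required else 'skipped'}")
```

Under this order the reporter's two configurations both evaluate to "skip", which is why seeing the form in both cases points at the conditional authenticator not being consulted at all. The bug reported here fails closed (the form is shown when it should not be); the dangerous direction is the reverse, and the model makes the reason visible: because the user attribute is evaluated first, whoever can write that attribute on an account can turn a forced-OTP default or role into a skip, so write access to the control attribute needs the same protection as the OTP credential itself.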