- Task
- Resolution: Done
- Major
I think our flow is really weird and should be refactored. For instance, we have a hierarchy of classes, one for each auth strategy, and we manually instantiate the last child class ProviderOAuth2 and then try all strategies one by one by calling super and going up in the hierarchy until a strategy works. Due to this, we can't know from the controller which strategy was really used.
The hierarchy right now is:
ProviderOAuth2 < OAuth2Base < Internal < SSO < Base
This hierarchy is very weird because Internal, which means "User + pass", is not a kind of SSO, and OAuth2 is not a kind of Internal. Not to mention we are calling SSO something which is merely token authentication, not related at all to any SSO.
In my opinion, we should have an auth service which either infers which strategy to use from the given params, or maybe still tries all strategies in a particular order, like we do now, but calling them explicitly and returning an instance of the correct class, so we can at least know which strategy succeeded. Then we could add a captcha? method to the strategy classes that returns whether or not the strategy supports captcha.
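A sketch of the service proposed above, added here as an illustration and not taken from the project's code base. The names Auth::Service, Password and Token, the param keys, the injected credential checkers, and the choice of which strategy answers true to captcha? are all assumptions.

```ruby
# Added sketch, not the project's code; names, param keys and checkers are assumed.
module Auth
  class Strategy
    attr_reader :user

    def initialize(params, checker)
      @params = params
      @checker = checker # callable: credentials -> user id or nil
    end

    def captcha?
      false
    end

    # True when the params carry this strategy's credentials and they verify.
    def authenticate
      creds = credentials
      @user = creds.none?(&:nil?) ? @checker.call(*creds) : nil
      !@user.nil?
    end
  end

  class Password < Strategy # user + password ("Internal" in the hierarchy)
    def credentials; [@params[:username], @params[:password]]; end
    def captcha?; true; end # assumption: only this strategy uses captcha
  end

  class Token < Strategy # plain token auth (currently named "SSO")
    def credentials; [@params[:token]]; end
  end

  class OAuth2 < Strategy
    def credentials; [@params[:access_token]]; end
  end

  class Service
    ORDER = [OAuth2, Password, Token].freeze # explicit order, no super chain

    def initialize(checkers)
      @checkers = checkers # { StrategyClass => callable }
    end

    # Returns the strategy instance that succeeded, or nil if none did.
    def call(params)
      ORDER.each do |klass|
        strategy = klass.new(params, @checkers.fetch(klass))
        return strategy if strategy.authenticate
      end
      nil
    end
  end
end
```

A controller can then inspect the returned object's class and captcha? instead of guessing which level of a super chain accepted the request.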