"Condition - User Configured" didn't mean what I thought it did

Hey there Keycloak folks, I just spent about a week trying to understand something that may just be due to a language barrier, but also, could have a way better default example.

In the built-in browser flow, there’s a condition called “Condition - User Configured”

In my brain, I think, “Oh! That’s a place where the user (me) can configure a condition.” I click into the gear and see three blank options. But they’re only an Alias, and a couple of Authenticator References. Nowhere is there a place for me to actually set a logical, boolean condition.

Brains are hard. I was dead set on the fact that somewhere, maybe by writing javascript, or setting up weird Authenticator References elsewhere in keycloak, could I make this a conditional to see if, for example, our username matched a regular expression.

In reading the manual, I found gems like this:

image1012×159 28.6 KB

Which just roadblock the brain trying to comprehend how this all is supposed to work, and sending me down the rabbit hole of “wait, do I need to learn Javascript now?”. “Do I need to read this whole RFC now?”

In the end: none of that would have helped. It turns out that the conditional could have been named better, and my initial read of “user-configured” blocked me from reading this as:

“Conditional - Has User Been Configured?”

(Which is what it actually means)

I don’t know that I need any feedback on this. It’s an already solved problem, and it doesn’t feel worth pushing an issue to rename the conditional, but I’m putting a post here in case anyone else hits the same issue. (Obligatory XKCD reference: xkcd: Wisdom of the Ancients)

Also, I’m sure someone is very proud to have contributed the ability to render authentication flows as a graphviz-like chart, but things like this (which is the default, for a simple flow with only one conditional) do not make things easier to understand.

image382×552 22.2 KB

Specifically, the way the lines run behind the boxes and it’s almost impossible to figure out which line is coming out the sides and bottom of the conditional diamond.

I’m not sure what renderer makes these charts, but I feel like these can be tuned to make this feature more meaningful (but again, doesn’t seem worth a bug report).

And…one more because I’ve had too much coffee. When I click the little gear on the conditional, here are the options I see.

image561×436 13.2 KB

You’ll note that there’s a red star next to the “Alias” value. When you click the tooltip it tells you that this is “the name of the condition” (which is literally the opposite of “Alias”). Every other time I’ve seen a red asterisk in a web-form, it means “this value is required”. But I can cancel or hit okay and not get an error, so what does it mean here?

If the asterisk does mean “required”, this is a stock, built-in flow, why does it not ship with this value populated? You would think that for the base conditions, users would build their own things based on, that this would be the case: setting the best possible examples.

Why is there no tool-tip for that red asterisk that tells me what that thing means if I hover? Why is that value not in the (?) text?

Hello, the helptext of this conditional authenticator is more meaniful than its name. It says “Executes the current flow only if authenticators are configured”.
This condition, used on a subflow, will make the conditional flow execture only if the “configuredFor()” method, of all the authenticators in this conditonal flow, returns true.

Regarding the “Alias” field in an authenticator config, it is mandatory when you want to set a config. In your screenshot, if you wanted to set the “Authenticator Reference” and/or the “Authenticator Reference Max Age”, you would have to set the “Alias” in order to save the config.

That helptext doesn’t show up anywhere that I can click, in the built-in flow, however.

And in fact, as I look at it, there’s no way to individually add the “Condition - user configured” step individually, it looks like I can only add that whole block as a whole 3-part flow.

So I would only see that text, if I were to re-create this flow from scratch, which isn’t very self-explanatory. In the mean time, if I attempt to view this flow, I’m presented with this:

image1236×472 24.7 KB

And even if I add an Alias to the condition, something more descriptive like “User must already exist”, it doesn’t actually show here in this screen. (If it doesn’t show here, where should it show?)

It also looks like it’s not possible to add the single “Condition - user configured” step. It seems like I can only add it as part of adding the Conditional OTP sub-flow.

This is one of those cases of “now that I know that’s how it works, I won’t make that mistake again”. But it definitely threw me for a loop, and that’s sort of my point.

I feel like there’s some assumption of learning this insider knowledge before things “click”.

As I’ve said, I’m not asking a question, just posting an observation here, and putting things there for other people who might stumble across the same experience.

I’ve understand, that is why I wanted to correct what you were saying. Search engines crawl the forum, so I prefer them to crawl right statements and links to documentation instead of crawling partially wrong assumptions.
Even if the admin UI is not clear for you, the Keycloak documentation about condition in flows explains how it works, and how to use it.
I hope “other people who might stumble across the same experience” will read the link to documentation rather than your explanation.