Create authentication flow along with steps/executions in the command line

Hello,

I’m trying to create an authentication flow using kcadm.sh and the following json:

{
  "alias" : "first-login-custom-test",
  "description" : "",
  "providerId" : "basic-flow",
  "topLevel" : true,
  "builtIn" : false,
  "authenticationExecutions" : [ {
    "authenticator" : "idp-create-user-if-unique",
    "authenticatorFlow" : false,
    "requirement" : "ALTERNATIVE",
    "priority" : 1,
    "autheticatorFlow" : false,
    "userSetupAllowed" : false
  }, {
    "authenticator" : "idp-auto-link",
    "authenticatorFlow" : false,
    "requirement" : "ALTERNATIVE",
    "priority" : 2,
    "autheticatorFlow" : false,
    "userSetupAllowed" : false
  } ]
}

The exact command is:

./kcadm.sh create authentication/flows -r my_realm -f first_login_custom_flow.json

This unfortunately results in the creation of an empty flow (the executions are just ignored). Any ideas how I can get this working?

For some weird reason, the documentation (Server Administration Guide) is lacking: it explains only how to list authentication flows or update executions (adding configurations to an execution). I don’t understand why it’s so specific and doesn’t explain the more common case of creating flows with executions.

Any ideas how I can get this working? I feel like I’m confessing to a priest in this forum, the only difference being that I’m both the sinner and the priest, as I answer all my questions myself eventually, but I guess rubbing a duck (and something else too) is better than nothing, as long as there’s an imaginary public.

I’ve come across this somewhat random link which gets me a little bit closer to what I’m expecting, but unfortunately it ignores the requirement field (probably other fields too, but I can’t really tell what’s default and what I’m actually setting):

This is the json file with the execution/step:

{
    "providerId" : "idp-create-user-if-unique",
    "displayName": "Create User If Unique",
    "authenticatorFlow" : false,
    "requirement" : "ALTERNATIVE",
    "priority" : 0,
    "configurable": true
}

And this is what I’m running:

./kcadm.sh create authentication/flows/first-login-custom-test/executions/execution -r my_realm -s provider=idp-create-user-if-unique -f step1_login.json

So the provider parameter does seem to make it work in that the step is created, but I’m unable to set the requirement parameter.

Actually I can add whatever random parameter and Keycloak will happily ignore it. It’s a little bit of a mess to be honest:

./kcadm.sh create authentication/flows/first-login-custom-test/executions/execution -r my_realm -s provider=idp-create-user-if-unique -s crap=shit -f step1_login.json

Ok, I’ve come across this:
https://marc.info/?l=keycloak-user&m=154803749634031&w=2

So it seems that it’s well-known that Keycloak does ignore the requirement parameter (and probably the other things set in the json content).
This is getting really daunting.

The really fun part is the consistency of the API. I thought I had found a solution to this issue which wasn’t a completely atrocious hack, but I couldn’t even have this small concession.

When creating a step with “idp-create-user-if-unique”, the output is just the id itself. I can assign that to a bash variable and I can get the id directly:

./kcadm.sh create authentication/flows/first-login-custom-test/executions/execution --id -r my_realm -s provider=idp-create-user-if-unique
029a2e75-941b-4119-a9f2-842055800769

If, on the other hand, I create an “idp-auto-link” step (Automatically set existing user), the output is:

/opt/keycloak/bin/kcadm.sh create authentication/flows/first-login-custom-test/executions/execution -r my_realm -s provider=idp-auto-link
Created new execution with id 'cf567aca-b682-4188-a2d5-920f7e26ede7'

Really nice :)

So I’m parsing this with awk, adding this at the end:

awk -F "'" '{ print $2}'

Very elegant, indeed. It’s the least bad thing I could come up with…

Actually this part was a misunderstanding from me.
The key point here is the --id option. Adding it outputs only the id and this is what I need to avoid further parsing.
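An added example, not from the original poster, that strings the findings in this thread together into one script: POST authentication/flows creates the bare flow (its nested "authenticationExecutions" are ignored), POST authentication/flows/<alias>/executions/execution with -s provider=... adds each step (only "provider" is honoured there), and the requirement is then set separately with a PUT on authentication/flows/<alias>/executions carrying the execution id and the new requirement, which is the call the admin console makes when you change the requirement dropdown. The realm, the flow alias and the script name are assumptions, the script assumes kcadm.sh is on PATH and already logged in (kcadm.sh config credentials ...), and it uses the -n and -b options of kcadm.sh update to send that PUT body as-is instead of fetch-and-merge. The id parsing handles both output shapes seen above, even though --id makes it unnecessary in the normal case.

```sh
#!/bin/sh
# Added example (not from the original posts): create a top-level flow with
# kcadm.sh in three steps, because POST authentication/flows ignores nested
# "authenticationExecutions" and POST .../executions/execution only honours
# "provider". The requirement is set afterwards with a PUT on .../executions.
# Assumes kcadm.sh is on PATH and already logged in; REALM and FLOW are
# assumed values (override them in the environment).
set -eu

KCADM="${KCADM:-kcadm.sh}"
REALM="${REALM:-my_realm}"
FLOW="${FLOW:-first-login-custom-test}"

# Pull a UUID out of either output shape kcadm prints on create:
#   029a2e75-941b-4119-a9f2-842055800769
#   Created new execution with id 'cf567aca-b682-4188-a2d5-920f7e26ede7'
# Prints nothing if no UUID is present (e.g. an error message).
extract_id() {
  sed -n -E 's/.*([0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}).*/\1/p' | head -n 1
}

# Step 1: the bare flow. Executions passed here would be ignored anyway.
create_flow() {
  "$KCADM" create authentication/flows -r "$REALM" \
    -s alias="$FLOW" -s providerId=basic-flow -s topLevel=true -s builtIn=false
}

# Step 2: add one step to the flow and print its execution id. --id makes
# kcadm print only the id; the output is still run through extract_id so the
# "Created new execution with id '...'" form is handled as well.
add_execution() {
  provider="$1"
  "$KCADM" create "authentication/flows/$FLOW/executions/execution" \
    -r "$REALM" -s provider="$provider" --id 2>&1 | extract_id
}

# Step 3: set the requirement (REQUIRED, ALTERNATIVE, DISABLED, ...) on an
# existing execution via PUT authentication/flows/{alias}/executions.
# -n skips kcadm's fetch-and-merge, which does not fit this endpoint; -b
# sends the body exactly as written.
set_requirement() {
  id="$1"; requirement="$2"
  "$KCADM" update "authentication/flows/$FLOW/executions" -r "$REALM" -n \
    -b "{\"id\":\"$id\",\"requirement\":\"$requirement\"}"
}

# The whole procedure for the two steps from the question.
main() {
  create_flow
  for provider in idp-create-user-if-unique idp-auto-link; do
    id="$(add_execution "$provider")"
    [ -n "$id" ] || { echo "could not read execution id for $provider" >&2; exit 1; }
    set_requirement "$id" ALTERNATIVE
  done
  # Verify: lists each execution with its providerId and requirement.
  "$KCADM" get "authentication/flows/$FLOW/executions" -r "$REALM"
}

# Run as:  sh create_flow.sh run   (without "run" the file only defines functions)
if [ "${1:-}" = run ]; then main; fi
```

Run it with `sh create_flow.sh run`; the final `get` prints every execution of the flow with its providerId and requirement, so you can confirm the requirement actually took instead of trusting the silent 204 from the PUT.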