Hello all,
My team and I have implemented a custom magic link authenticator (based on the one here) and have a need to use it as an alternative option to Keycloak’s regular OTP Form.
A simplified version of our flow would look something like this:
The desired outcome here is simple enough in theory: the user either inputs their OTP code or chooses to receive an email with a magic link that logs them in.
In practice though, when the user clicks the magic link, they are always presented with the “OTP Form” page.
For further context: the URL that is sent is built using the AuthenticationFlowContext.getRefreshExecutionUrl() method, to which we append a “key” query parameter. That parameter is then used by the authenticator’s authenticate method to log the user in.
We’ve tried using an action token that redirects the user instead (after taking a look at this post), however that still did not solve the issue.
We have also tried using both of the authenticators mentioned previously (p2-inc’s and richardjkendall’s) within our flow, but the same behavior happens across the board.
Swapping around credential priorities in the admin console also does not seem to help.
Is there something we’re unaware of that’s prioritizing the OTP Form within the flow?
It seems odd to me that even with the execution ID as a query parameter in the URL, Keycloak always redirects the user to the top execution of the flow regardless.
TL;DR: Is there a way to create a URL that specifically points to a given alternative execution within a flow, or is that in itself a bad approach?

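For readers who want to see the mechanism the post describes in code, the following is an added, illustrative Keycloak authenticator; it is not the poster's code nor the p2-inc or richardjkendall implementation, and it does not answer the routing question the post asks. It builds the link from `context.getRefreshExecutionUrl()` with a `key` query parameter and consumes that parameter in `authenticate()`, adding the checks a reviewer would expect around such a key: the key is random, only its SHA-256 hash is stored (in authentication-session notes), it expires, it is compared in constant time, and it is cleared after one use. The package name, the note names, the `magic-link.ftl` / `magic-link-email.ftl` templates, the `magicLinkSubject` / `magicLinkSent` message keys and the accompanying `AuthenticatorFactory` are assumptions; the `javax.ws.rs` imports become `jakarta.ws.rs` on recent Keycloak versions.

```java
package example.magiclink; // hypothetical package, not from the post

import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;

import javax.ws.rs.core.UriBuilder;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.email.EmailException;
import org.keycloak.email.EmailTemplateProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.sessions.AuthenticationSessionModel;

/** Illustrative magic-link authenticator (factory and templates assumed to exist). */
public class MagicLinkAuthenticator implements Authenticator {

    // Note names and TTL are constants chosen for this example.
    private static final String NOTE_KEY_HASH = "magic-link-key-hash";
    private static final String NOTE_EXPIRES = "magic-link-expires";
    private static final long TTL_SECONDS = 600;
    private static final SecureRandom RNG = new SecureRandom();

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // The link re-enters this execution with ?key=...; a plain visit shows the form.
        String key = context.getHttpRequest().getUri().getQueryParameters().getFirst("key");
        if (key == null) {
            context.challenge(context.form().createForm("magic-link.ftl"));
            return;
        }
        AuthenticationSessionModel authSession = context.getAuthenticationSession();
        if (keyMatches(authSession, key)) {
            clearNotes(authSession); // single use: a replayed link must not work
            context.success();
        } else {
            context.failure(AuthenticationFlowError.INVALID_CREDENTIALS);
        }
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        // Form posted back ("send me a link"): mint a key, store only its hash, e-mail the link.
        UserModel user = context.getUser();
        String key = newKey();
        AuthenticationSessionModel authSession = context.getAuthenticationSession();
        authSession.setAuthNote(NOTE_KEY_HASH, sha256(key));
        authSession.setAuthNote(NOTE_EXPIRES, Long.toString(nowSeconds() + TTL_SECONDS));

        URI link = UriBuilder.fromUri(context.getRefreshExecutionUrl()).queryParam("key", key).build();
        try {
            context.getSession().getProvider(EmailTemplateProvider.class)
                .setRealm(context.getRealm()).setUser(user)
                .send("magicLinkSubject", "magic-link-email.ftl", Map.of("link", link.toString()));
        } catch (EmailException e) {
            context.failure(AuthenticationFlowError.INTERNAL_ERROR);
            return;
        }
        context.challenge(context.form().setInfo("magicLinkSent").createForm("magic-link.ftl"));
    }

    private static boolean keyMatches(AuthenticationSessionModel authSession, String presented) {
        String storedHash = authSession.getAuthNote(NOTE_KEY_HASH);
        String expires = authSession.getAuthNote(NOTE_EXPIRES);
        if (storedHash == null || expires == null || nowSeconds() > Long.parseLong(expires)) {
            return false;
        }
        // Constant-time comparison of the hashes avoids leaking the key byte by byte.
        return MessageDigest.isEqual(storedHash.getBytes(StandardCharsets.UTF_8),
                                     sha256(presented).getBytes(StandardCharsets.UTF_8));
    }

    private static void clearNotes(AuthenticationSessionModel authSession) {
        authSession.removeAuthNote(NOTE_KEY_HASH);
        authSession.removeAuthNote(NOTE_EXPIRES);
    }

    private static String newKey() {
        byte[] raw = new byte[32]; // 256 bits of entropy from SecureRandom
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    private static String sha256(String value) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(value.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    private static long nowSeconds() { return System.currentTimeMillis() / 1000; }

    @Override public boolean requiresUser() { return true; } // runs after the user is identified
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return u.getEmail() != null; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

Storing the key in authentication-session notes ties it to the browser that started the login, which means the link only completes that same pending login; that is a deliberate choice here, since a key that is valid from any browser turns the e-mail inbox into the sole factor. Whether the refreshed execution URL actually lands on this authenticator rather than the first alternative in the flow is exactly the behaviour the post reports as broken, and this example does not change that.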