Setting ANY idP post login flow (even empty) causes invalid username/password error message

I’m not sure if this is a bug, but it does seem like one. Keycloak version 26.5.0

I’m trying to achieve what is documented here, of optionally having an OTP form after idP login for some providers: Post login flow

The thing is, as soon as I configure a new flow and attach it to the “post login flow” of the idP provider, it always displays an invalid username/password error message.

This happens even when the flow is empty and has zero steps, so it’s not the OTP form causing the problem.

When I leave the “post login flow” field of the idP provider empty, the user is accepted and redirected to the application with no issue.

This also happens both on new users and existing ones. If it’s a new user, I do see the user getting created in the Keycloak user list, so the “first broker login” step does execute correctly first.

Hey!

Don’t know if this is the right solution. I was having the same issue and didn’t find any solutions, so I’ve started playing around. Once I tried explicitly adding an execution of “allow access” in the flow, it worked.

My use case was generating a WhiteList Access flow. So I’ve created a Post Login Flow, and inside I’ve created 2 subflows (conditionals):

  1. WhiteList Denial: With 1 condition required (user_has_role negated) and followed by 1 execution (deny access)
  2. WhiteList Access: With 1 condition (user_has_role) and followed by 1 execution (allowed access)

That way it denies or allows the flow.

Hope it helps!!

Thank you for the reply.

Yes, I also found in a reply on GitHub that adding “Allow Access” stops that error message, both on an empty flow and on one validating roles.

Unfortunately, if I add “OTP Form” in the flow (before or after allow access), the error comes back. Can’t get the OTP form to show up.

I had this issue and it was because when I created my user I didn’t set the requiredActions to “CONFIGURE_TOTP”

i.e.

requiredActions = new [] { "CONFIGURE_TOTP" }

Can you just add the OTP condition in your regular flow and leave post login flow empty?
I mean you can add Conditional OTP form to your flow, and you can add conditions that need to be met to get OTP. In my case I have custom logic based on User Federation, but if you are using KC users that would be even easier. You can add conditions based on user attribute or role….

I didn’t use post login flow recently, maybe 2 years ago, and I remember there was no issue like this. In there I had just one custom required step checking some values…

As the OP has written, it’s about adding additional auth options to users authenticating through an external IdP. With this, you have to use the post login flow.
The regular browser flow runs before the user is redirected to the external IdP for authentication. After the user has authenticated externally, the user does not come back to the browser flow, thus you have to use the post login flow.

However, I’ve not experienced the described behavior when using a post login flow with external IdP.

If you think this is an error in Keycloak, please open an issue at the Keycloak GitHub repository. Try to reproduce the behavior with the nightly build and provide the steps to reproduce in the issue, so the team has a chance to reproduce it. Thanks.

Thanks for the replies.

I unfortunately had a change of priorities and can’t spend too much time to test different in-depth possibilities for now, but I’ll come back to this project next month.

The message from EvanHarvey about adding the required action of “configure totp” to get the form working makes sense. But I’m unsure how to set it only for users who are part of a certain idP or not. As far as I can see, it’s a “default action” that needs to be set on ALL new users of the realm, or not.
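The following is an added example, not code from any poster in this thread and not part of Keycloak itself. It takes EvanHarvey's point (the OTP form only renders for a user who carries the `CONFIGURE_TOTP` required action) and the OP's follow-up question (how to scope that to users of one identity provider) and shows one way to do the scoping with the Admin REST API instead of a realm-wide default action: select only users whose representation carries a federated identity from a given IdP alias, add `CONFIGURE_TOTP` to their `requiredActions` idempotently, and send each update with `PUT /admin/realms/{realm}/users/{id}`. Assumptions, labelled in the code: the IdP alias `corp-oidc`, the realm name `myrealm` and the sample users are constructed; the user representations are assumed to already include `federatedIdentities` (if your user list endpoint omits that field, fetch it per user from the `federated-identity` sub-resource first); the HTTP call is injected as a callable so the script runs offline.

```python
"""Scope the CONFIGURE_TOTP required action to users linked to one identity provider.

Added example (not from the thread, not Keycloak's own code). Assumes the Keycloak
Admin REST API user representation shape: "requiredActions" is a list of action
names and "federatedIdentities" is a list of {"identityProvider": <alias>, ...}.
"""
import json
from typing import Callable, Dict, Iterable, List, Tuple

CONFIGURE_TOTP = "CONFIGURE_TOTP"  # required action name used in the thread


def linked_to_idp(user: dict, idp_alias: str) -> bool:
    """True if the user has a federated identity from the given IdP alias."""
    return any(link.get("identityProvider") == idp_alias
               for link in user.get("federatedIdentities", []))


def with_required_action(user: dict, action: str = CONFIGURE_TOTP) -> dict:
    """Return a copy of the user with `action` present exactly once in requiredActions."""
    actions: List[str] = list(user.get("requiredActions", []))
    if action not in actions:
        actions.append(action)
    updated = dict(user)
    updated["requiredActions"] = actions
    return updated


def plan_updates(users: Iterable[dict], idp_alias: str,
                 action: str = CONFIGURE_TOTP) -> List[Tuple[str, dict]]:
    """List (user_id, updated_representation) for IdP-linked users still lacking `action`.

    Users not linked to the IdP and users that already carry the action are skipped,
    so running the plan twice changes nothing the second time.
    """
    plan: List[Tuple[str, dict]] = []
    for user in users:
        if not linked_to_idp(user, idp_alias):
            continue
        if action in user.get("requiredActions", []):
            continue
        plan.append((user["id"], with_required_action(user, action)))
    return plan


def apply_updates(plan: List[Tuple[str, dict]], realm: str,
                  put: Callable[[str, str], int]) -> Dict[str, int]:
    """Send each planned update as PUT /admin/realms/{realm}/users/{id}.

    `put(path, body_json) -> http_status` is injected by the caller (an authenticated
    HTTP client in real use); here it lets the example run without a server.
    """
    results: Dict[str, int] = {}
    for user_id, representation in plan:
        path = f"/admin/realms/{realm}/users/{user_id}"
        results[user_id] = put(path, json.dumps(representation))
    return results


# Constructed sample data (hypothetical IdP alias "corp-oidc"; ids and names made up):
# alice is linked and lacks the action, bob is linked and already has it, carol is local.
SAMPLE_USERS = [
    {"id": "u1", "username": "alice", "requiredActions": [],
     "federatedIdentities": [{"identityProvider": "corp-oidc",
                              "userId": "a1", "userName": "alice"}]},
    {"id": "u2", "username": "bob", "requiredActions": ["CONFIGURE_TOTP"],
     "federatedIdentities": [{"identityProvider": "corp-oidc",
                              "userId": "b1", "userName": "bob"}]},
    {"id": "u3", "username": "carol", "requiredActions": [],
     "federatedIdentities": []},
]


if __name__ == "__main__":
    plan = plan_updates(SAMPLE_USERS, "corp-oidc")

    def fake_put(path: str, body: str) -> int:
        # Stand-in for the real authenticated call; prints what would be sent.
        print("PUT", path, body)
        return 204

    print(apply_updates(plan, "myrealm", fake_put))  # only alice ("u1") is updated
```

In real use, `put` would wrap an HTTP client that sends the bearer token of an admin (or a service account with `manage-users`), and `SAMPLE_USERS` would be replaced by the paged result of the realm's users endpoint. The selection is deliberately based on the federated identity link rather than on a username pattern, so locally created users in the same realm never receive the action.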