[Feature] Keycloak Flow settings #154

Open
1 task done
Jirvil opened this issue Mar 20, 2023 · 5 comments
Labels
documentation Improvements or additions to documentation good first issue Good for newcomers question Further information is requested


Jirvil commented Mar 20, 2023

Is there an existing feature request for this?

  • I have searched the existing issues

Is your feature related to a problem? Please describe.

The description of the Keycloak Flow settings in the documentation is not entirely clear.

Describe the solution you'd like

More detailed explanation of Flow settings.

Describe alternatives you've considered

Default Keycloak Browser Flow contains mixed required and alternative subflows/steps/authenticators, that, as described in documentation, can't be used in conjunction with keycloak-restrict-client-auth. Built-in Browser Flow contains Cookie, IdP and Forms alternatives on top. And you can't just add a keycloak-restrict-client-auth to the bottom of the list and set it as Required.
The solution is not just to create a copy of the built-in Browser Flow, but to completely rebuild your own flow based on the Browser Flow. You need to create three sub-flows for Cookie, IdP and Forms and add keycloak-restrict-client-auth to each of these sub-flows.

Anything else?

No response

@Jirvil Jirvil added the enhancement New feature or request label Mar 20, 2023
@sventorben sventorben self-assigned this Mar 20, 2023
sventorben added a commit that referenced this issue Mar 20, 2023
sventorben (Owner) commented

Hey @Jirvil,

I know flows can become quite complicated and it may sometimes be a bit cumbersome to configure them. I made some minor changes to the docs, but would like to understand a little better where the exact issue is.

> Default Keycloak Browser Flow contains mixed required and alternative subflows/steps/authenticators, that, as described in documentation, can't be used in conjunction with keycloak-restrict-client-auth.

Yes, and it is perfectly fine to do so as long as you do not have them on the same level. Where in the docs do you read that it is not supported?

> Built-in Browser Flow contains Cookie, IdP and Forms alternatives on top. And you can't just add a keycloak-restrict-client-auth to the bottom of the list and set it as Required.

Ok, I changed the docs in this regard.

> The solution is not just to create a copy of the built-in Browser Flow

I can't find instructions like that in the docs.

> You need to create three sub-flows for Cookie, IdP and Forms and add keycloak-restrict-client-auth to each of these sub-flows.

No, you do not have to. Please take a look at the example from the docs. It is not needed.

Example Flow

Flows with levels explained

The Keycloak documentation has some good information about how to configure flows: https://www.keycloak.org/docs/21.0.1/server_admin/#_authentication-flows
I do not want to replicate any of that content. With that in mind, what else do you think is missing or unclear?

@sventorben sventorben added documentation Improvements or additions to documentation good first issue Good for newcomers question Further information is requested and removed enhancement New feature or request labels Mar 20, 2023

Jirvil commented Mar 21, 2023

Hi @sventorben!
Thanks for your answer!

> No, you do not have to. Please take a look at the example from the docs. It is not needed.

Your last image (the same one in the documentation) is different (for some reason) from the standard built-in Browser flow. You have a top-level "Login" sub-flow which is missing from the Keycloak configuration (at least in my conf).
In my built-in Browser flow there are four Alternatives on top and there is no place to correctly put the Required keycloak-restrict-client-auth. That's why I wrote that it's not enough just to copy the standard browser flow and you need to build your own. I don't think it's very clear from the documentation.
But you are right, the structure may be different, with one common sub-flow and one keycloak-restrict-client-auth.

DanieleSky commented

@Jirvil same issue for me. I changed my authentication execution flow on DB to not lose all...

sventorben (Owner) commented

@DanieleSky Thank you for your input! Could you clarify what you mean by "changed on DB"? Are you referring to unexpected behavior when saving changes or something specific about how Keycloak handles flow configurations?

Also, could you explain the problem you’re facing in more detail? For example, what’s not working as expected?

Looking forward to your clarification!

DanieleSky commented

@sventorben as @Jirvil said, in the default browser flow there isn't a sub-flow called "Login". So I added it, but Keycloak doesn't let me move the existing steps into the new sub-flow.
So I changed the references in the table instead of recreating the flow from zero.

Obviously, with the new flow it always works as expected.
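
The two layouts discussed in this thread, as an added example that is not code from Keycloak or from keycloak-restrict-client-auth. It is a simplified model of the rule in the Keycloak documentation that Alternative elements on a level that also contains Required elements are not executed; the `Step` class, the user `alice`, the step outcomes and the assumption that the restriction step needs an already identified user are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Step:
    name: str
    requirement: str                      # "REQUIRED" or "ALTERNATIVE"
    action: object = None                 # callable(ctx) -> bool for a leaf step
    children: list = field(default_factory=list)  # non-empty means sub-flow

def run_level(steps, ctx, trace):
    required = [s for s in steps if s.requirement == "REQUIRED"]
    if required:
        # Required steps decide this level; Alternatives beside them never run.
        return all(execute(s, ctx, trace) for s in required)
    return any(execute(s, ctx, trace) for s in steps)

def execute(step, ctx, trace):
    trace.append(step.name)
    if step.children:
        return run_level(step.children, ctx, trace)
    return step.action(ctx)

def identify(ok):
    def act(ctx):
        if ok:
            ctx["user"] = "alice"         # constructed user
        return ok
    return act

def restrict(ctx):
    # Assumption: the restriction step needs an identified, permitted user.
    return "user" in ctx and ctx["allowed"]

def login_methods(cookie_ok):
    return [Step("Cookie", "ALTERNATIVE", identify(cookie_ok)),
            Step("IdP", "ALTERNATIVE", identify(False)),
            Step("Forms", "ALTERNATIVE", identify(True))]

def flat_flow(cookie_ok):
    # Built-in Browser flow layout with the authenticator appended as Required.
    return login_methods(cookie_ok) + [Step("keycloak-restrict-client-auth", "REQUIRED", restrict)]

def nested_flow(cookie_ok):
    # Login methods moved one level down into a Required "Login" sub-flow.
    return [Step("Login", "REQUIRED", children=login_methods(cookie_ok)),
            Step("keycloak-restrict-client-auth", "REQUIRED", restrict)]

def evaluate(flow, allowed):
    ctx, trace = {"allowed": allowed}, []
    return run_level(flow, ctx, trace), trace
```

In the flat layout the trace contains only the restriction step, because the three login methods share its level and are skipped; in the nested layout the "Login" sub-flow runs its alternatives first and the restriction step then evaluates the identified user.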
