
sventorben / keycloak-home-idp-discovery


Keycloak: Home IdP Discovery - discover home identity provider or realm by email domain

License: MIT License

Java 98.15% FreeMarker 1.85%
keycloak keycloak-provider keycloak-authenticator realm email discovery authentication keycloak-extension keycloak-server domain

keycloak-home-idp-discovery's Introduction

Keycloak: Home IdP Discovery

This is a simple Keycloak authenticator to redirect users to their home identity provider during login.

What is it good for?

When a federated user wants to log in via Keycloak, Keycloak presents a username/password form and a list of configured identity providers to the user. The user needs to choose an identity provider to get redirected. This authenticator allows the user to skip the step of selecting an identity provider.

How does it work?

If this authenticator gets configured as part of a browser based login flow, Keycloak will present a username form (without password form and without list of configured identity providers). A user can then enter an email address. Keycloak will then choose an identity provider based on the domain part of the provided email address and forward the user to the chosen provider.
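As an added illustration (not the project's own code), the following Python model walks through the decision described above: the domain is cut off the entered address, matched against the domains configured per IdP, and the login either redirects, offers a choice between several matching IdPs, or drops through to the password form. The option names mirror the authenticator options referred to in the issues on this page (forward to linked IdP, forward users with unverified email, forward to first matched IdP); the IdP registry, the class shapes and the sample addresses are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IdentityProvider:
    """One configured IdP and the lower-cased email domains it is 'home' for."""
    alias: str
    domains: frozenset


@dataclass(frozen=True)
class DiscoveryConfig:
    """Constructed mirror of the authenticator options named on this page."""
    forward_to_linked_idp: bool = True
    forward_unverified_email: bool = False
    forward_to_first_match: bool = False


@dataclass(frozen=True)
class User:
    """An existing Keycloak user; linked_idp is the alias of a federated identity."""
    email: str
    email_verified: bool = True
    linked_idp: Optional[str] = None


def extract_domain(email: str) -> Optional[str]:
    """Return the lower-cased domain part of an address, or None if the input
    is not of the form local@domain (exactly one '@', both parts non-empty)."""
    candidate = email.strip()
    if candidate.count("@") != 1:
        return None
    local, domain = candidate.split("@")
    if not local or not domain:
        return None
    return domain.lower()


def discover(email: str, idps: List[IdentityProvider], config: DiscoveryConfig,
             user: Optional[User] = None) -> List[str]:
    """Return the aliases of candidate home IdPs in configuration order.
    An empty list means: no home IdP found, fall through to the next step."""
    # An existing user's linked IdP wins, unless the email is unverified and
    # forwarding of unverified users is disabled.
    if (config.forward_to_linked_idp and user is not None and user.linked_idp
            and (user.email_verified or config.forward_unverified_email)):
        return [user.linked_idp]
    domain = extract_domain(email)
    if domain is None:
        return []
    matches = [idp.alias for idp in idps if domain in idp.domains]
    if config.forward_to_first_match and matches:
        return matches[:1]
    return matches


def next_step(email: str, idps: List[IdentityProvider], config: DiscoveryConfig,
              user: Optional[User] = None) -> str:
    """Decide what the login flow does next. For an address whose domain matches
    no IdP the outcome is 'password-form' whether or not the user exists, so this
    step by itself does not reveal which accounts are registered."""
    candidates = discover(email, idps, config, user)
    if not candidates:
        return "password-form"
    if len(candidates) == 1:
        return "redirect:" + candidates[0]
    return "choose:" + ",".join(candidates)


# Constructed registry: two IdPs share example.com, as in the multi-IdP issue.
IDPS = [
    IdentityProvider("corp-saml", frozenset({"example.com", "example.org"})),
    IdentityProvider("corp-oidc", frozenset({"example.com"})),
    IdentityProvider("partner", frozenset({"partner.example"})),
]
DEFAULT = DiscoveryConfig()


if __name__ == "__main__":
    for address in ("alice@partner.example", "bob@example.com", "ghost@gmail.com"):
        print(address, "->", next_step(address, IDPS, DEFAULT))
    # Unverified linked user: dropped through unless forwarding unverified is on.
    carol = User("carol@gmail.com", email_verified=False, linked_idp="partner")
    print("carol (default)  ->", next_step(carol.email, IDPS, DEFAULT, carol))
    print("carol (unverified ok) ->",
          next_step(carol.email, IDPS, DiscoveryConfig(forward_unverified_email=True), carol))
```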

Documentation

Please refer to the documentation website for instructions on installation, configuration, features, and general usage.

Youtube Video - Interview with Niko Köbler

keycloak-home-idp-discovery's People

Contributors

actions-user, dependabot[bot], pdt-ayidi, sventorben

keycloak-home-idp-discovery's Issues

[Feature] Add a way to redirect the user by submitting email from keycloak rest api

Is there an existing feature request for this?

  • I have searched the existing issues

Is your feature related to a problem? Please describe.

We have to go through the Keycloak form for the flow to work.

Describe the solution you'd like

I would like to be able to use the rest api, submit the email and get the configured identity provider with the domain.

Describe alternatives you've considered

There are no alternatives that I see. Only the Keycloak login form.

Anything else?

No response

[BUG] Restart login button doesn't work when there are two or more IDPs

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

In case you have two or more IDPs, the restart login button does nothing; it just reloads the same page, and you can't get to the first screen and change the email.

Expected Behavior

Login flow is restarted

Steps To Reproduce

Set up two IDPs on the same domain and make sure "forward to first matched IdP" is turned off.

Version

- Keycloak: 22.0.3
- This extension: 22.0.0 (from the jar manifest):

Manifest-Version: 1.0
Created-By: Maven JAR Plugin 3.3.0
Build-Jdk-Spec: 17
Implementation-Title: Keycloak: Home IdP Discovery
Implementation-Version: 22.0.0
Dependencies: org.keycloak.keycloak-services
Sealed: true

Anything else?

No response

[BUG] On re-authentication the currently logged in user is ignored

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Alt1.

  1. Log in to Keycloak with any application
  2. Wait until a re-authentication is required (not sure about the exact time, but about 5 minutes)
  3. Trigger a login from an app with an action included, e.g. kc_action=UPDATE_PROFILE
  4. Form is shown with the attempted user being the user I'm logged in as, and the email field is empty
  5. User has to enter the username or select the IDP
  6. Eventually the user gets to the update profile form

Alt2.

  1. Log in to Keycloak with any application
  2. Wait until a re-authentication is required (not sure about the exact time, but about 5 minutes)
  3. Trigger a login from an app with an action included, e.g. kc_action=UPDATE_PROFILE, and include login_hint=myemail
  4. Get redirected to the 3rd party IDP and then redirected back to Keycloak
  5. Update profile form is shown

Expected Behavior

The behavior of Alt1 should be the same as that of Alt2 after step 3, i.e.:

  1. Log in to Keycloak with any application
  2. Wait until a re-authentication is required (not sure about the exact time, but about 5 minutes)
  3. Trigger a login from an app with an action included, e.g. kc_action=UPDATE_PROFILE
  4. Get redirected to the 3rd party IDP and then redirected back to Keycloak
  5. Update profile form is shown

If I don't have an IdP connected to the user and it only has a password, it also works as expected, see the following image

Steps To Reproduce

Configure the browser flow to contain the following steps:

  • Cookie - Alternative
  • Home IdP Discovery - Alternative
    • User attribute: email
    • Forward users with unverified email: true
    • Bypass login page: true
    • Forward to linked IdP: true
    • Forward to first matched IdP: false
  • Password Form (used during re-authentication) - Alternative
  • Username Password Form (used during login) - Alternative

Alt1.

  1. With a user connected to any 3rd party IdP
  2. Log in to Keycloak with any application
  3. Wait until a re-authentication is required (not sure about the exact time, but about 5 minutes)
  4. Trigger a login from an app with an action included, e.g. kc_action=UPDATE_PROFILE
  5. Form is shown with the attempted user being the user I'm logged in as, and the email field is empty
  6. User has to enter the username or select the IDP
  7. Eventually the user gets to the update profile form

Alt2.

  1. With a user connected to any 3rd party IdP
  2. Log in to Keycloak with any application
  3. Wait until a re-authentication is required (not sure about the exact time, but about 5 minutes)
  4. Trigger a login from an app with an action included, e.g. kc_action=UPDATE_PROFILE, and include login_hint=myemail
  5. Get redirected to the 3rd party IDP and then redirected back to Keycloak
  6. Update profile form is shown

Version

- Keycloak: 23.0.4
- This extension: 23.0.0

Anything else?

No response

Google custom SAML app integration with Keycloak #14284

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

I'm trying to set up IdP-initiated SSO with a Google Workspace app to work with Keycloak. Here's the description of the problem in detail: https://stackoverflow.com/questions/73568876/google-custom-saml-app-integration-with-keycloak

I've tried contacting Google support but they didn't find any problems on their side.
I'm wondering if Keycloak 17 actually supports this?

Also this issue may be related: https://stackoverflow.com/questions/71545359/idp-initiated-sso-from-google-saml-with-keycloak-as-identity-broker

[Feature] login_hint in url

Is there an existing feature request for this?

  • I have searched the existing issues

Is your feature related to a problem? Please describe.

When I enter my email, I get redirected to the idp. Here I have to enter my email again

Describe the solution you'd like

Maybe add the login_hint query param with the already entered email

Describe alternatives you've considered

No response

Anything else?

Thx for the great work

404 when trying to configure a domain - keycloak 17.0.1 or 18.0.0 w/quarkus?

Hi, thanks for putting this out here - it seems to be just what I need, but unfortunately I am not able to get it to work:

I put the keycloak-home-idp-discovery.jar file into /opt/keycloak/providers
(using a docker image build for this, based on quay.io/keycloak/keycloak:version)
As expected a choice for 'home-idp-discovery' is available and I configure it.
No 'Home IdP Discovery' tab shows up for any providers (maybe this is because no domains have been configured yet?)

Then (maybe I am missing something obvious?) when trying to use the admin API to add some domains to an identity provider,

PUT https://admin:8443/admin/realms/myrealm/identity-provider/instances/google
payload = {
  "config": {
    "home.idp.discovery.domains": domain_list
  }
}

I just get 404s. (It wasn't entirely clear to me whether the config needs to be complete with client_id and secret etc., or if only "home.idp.discovery.domains" can be specified without overwriting the rest, but I have tried both without success.)

I have added some logging and I see that it seems that no instance of HomeIdpDiscoveryRealmResource is created.
(I am able to use GET with the same URL, but the GET endpoint in HomeIdpDiscoveryRealmResource is not called)
(while I observe that HomeIdpDiscoveryRealmResourceProviderFactory gets instantiated)
Any hints for further debugging/resolving this appreciated!

[Feature] Supporting domain hints

Is there an existing feature request for this?

  • I have searched the existing issues

Is your feature related to a problem? Please describe.

In some situations we might know what the user's domain should be, but not their actual email. For example, we might know they should be logging in to example.com.

It'd be nice to automatically redirect these users to the right provider.

Describe the solution you'd like

The ability to either:

  1. Set the login_hint to a domain, e.g. login_hint=example.com
  2. Set the hd (like Google), e.g. hd=example.com
  3. Set a domain_hint (like Azure), e.g. domain_hint=example.com

Then, if it matches a configuration, it should take the equivalent action as if [email protected] was given, although not forwarding on the placeholder@ part.

Describe alternatives you've considered

One workaround is to use login_hint and set it to something like [email protected]. However, this user part is then forwarded on to the provider, which doesn't work well with some, as the users then need to delete the filled-in user part, e.g. Google (or forwarding has to be disabled, which also adds friction).

Anything else?

No response

[BUG] Unable to login for non IDP users

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

https://github.com/sventorben/keycloak-home-idp-discovery/releases/tag/v22.1.0

Trying to log in with a user who is not associated with any IDP and whose email domain is also not configured for any IDP. Getting an invalid username/password error.

Log

WARN  [org.keycloak.events] (executor-thread-10) type=LOGIN_ERROR, realmId=test-realm, clientId=test, userId=null, ipAddress=172.29.0.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=https://www.keycloak.org/app/#url=http://localhost:8080&realm=test-realm&client=test, code_id=9686cabf-e99e-45cf-b9a4-94d7c2fd811c, [email protected]
INFO  [de.sventorben.keycloak.authentication.hidpd.HomeIdpDiscoverer] (executor-thread-14) Could not find home IdP for domain 'gmail.com' and user '[email protected]' in realm 'test-realm'

Expected Behavior

If the user's email domain is not configured for any IDP as home.idp.discovery.domains, then it should display the password form to let the user log in using a password from Keycloak.

Steps To Reproduce

No response

Version

- Keycloak:22.0.5
- This extension:22.1.0

Anything else?


[Feature] OrganizationID (or any other string) instead of email domain

Is there an existing feature request for this?

  • I have searched the existing issues

Is your feature related to a problem? Please describe.

Wondering, is it possible to add an option to get predefined IDPs by OrganizationID, for example, instead of by email domain? It could be a custom form field to enter a string value.
This is needed for security reasons, because the email domain itself exposes that this particular company is our client and could be targeted by our opponents. Also, we expose what IDP that company uses.

Describe the solution you'd like

I'd like to have an option what to use to map IDP: selector by email domain or selector by specific string value from additional field.

Describe alternatives you've considered

No response

Anything else?

No response

[BUG] When activating "Bypass login page" the login page will show an error on fresh login without login_hint

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

When activating "Bypass login page" and trying to log in without a login_hint, e.g. when signing in with the account console, on a fresh login the username input is already marked with an error without entering anything:

Expected Behavior

On a fresh login without a login_hint the UI should not show an error on initial opening:
-> same behavior as with "Bypass login page" disabled.

Steps To Reproduce

  1. Create Flow and tick "Bypass login page"
  2. Bind the flow to the browser flow
  3. Go to the account console and click sign in

Version

- Keycloak: 21.1.1
- This extension: 21.2.0

Anything else?

No response

[Feature] Support forwarding users with unverified email addresses

Is there an existing feature request for this?

  • I have searched the existing issues

Is your feature related to a problem? Please describe.

Currently users with unverified email addresses are not forwarded to a linked IdP. While this may be beneficial in some use cases, it may be cumbersome in others.

see also:

Describe the solution you'd like

Add a config option to enable forwarding users with unverified email addresses.

Describe alternatives you've considered

No response

Anything else?

No response

Authenticator does not show in

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Everything works normally. I can set domains on idps, show them using the extra theme. All good.

I want to enable the authenticator but it is not shown in the Admin Console.

If this authenticator gets configured as part of a browser based login flow

Makes me expect I can find it there and set it to required...

Expected Behavior

authenticator is shown in the list of authenticators

Steps To Reproduce

Nothing special here

Version

- Keycloak:16.1.1 (updating to 17.0.0 could be hard)
- This extension: Tried 17.0.1 and 16.0.0

Anything else?

Some warnings in log:

ef_docker-keycloak-1  | 18:31:51,529 WARN  [org.jboss.as.dependency.private] (MSC service thread 1-5) WFLYSRV0018: Deployment "deployment.keycloak-home-idp-discovery.jar" is using a private module ("org.keycloak.keycloak-services") which may be changed or removed in future versions without notice.
ef_docker-keycloak-1  | 18:31:52,476 WARN  [org.jboss.weld.Bootstrap] (Weld Thread Pool -- 8) WELD-000167: Class de.sventorben.keycloak.authentication.hidpd.HomeIdpDiscoveryRealmResource$MyAdminRoot is annotated with @RequestScoped but it does not declare an appropriate constructor therefore is not registered as a bean!
ef_docker-keycloak-1  | 18:31:57,677 WARN  [org.keycloak.services] (ServerService Thread Pool -- 65) KC-SERVICES0047: home-idp-discovery (de.sventorben.keycloak.authentication.hidpd.HomeIdpDiscoveryRealmResourceProviderFactory) is implementing the internal SPI realm-restapi-extension. This SPI is internal and may change without notice

None of those seem to be relevant.

The jar seems to be loaded correctly. (Screenshot shows a custom build.)

Have you got any ideas what could cause this? Are all authenticators always shown in that list/configuration UI? Did I misunderstand that the authenticator would show up in the UI?

Keycloak.X (Cleanup and TODOs)

Cleanup tasks:

  • Use official release of keycloak-testcontainers for Keycloak.X once released
    • Remove explicit compatibility test for 15.0.2
    • Remove allowTimestampedSnapshots (revert commit cd27055)
    • Remove custom KeycloakXContainer class
    • Simplify compatibility tests, if possible

v20.0.2 Can't login - null pointer

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Trying to log in with home idp discovery causes a null pointer exception.

The instance was set up on previous versions and just updated to the latest, when the bug appeared. Rolling back to 20.0.1 fixes the issue.

Expected Behavior

Log in works

Steps To Reproduce

  1. Latest (20.0.3) Keycloak with 20.0.2 of home idp discovery
  2. Start login journey
  3. Enter email
  4. Failure presents

Version

- Keycloak: 20.0.3
- This extension: 20.0.2

Anything else?

2023-02-15 10:52:25,045 WARN [org.keycloak.services] (executor-thread-0) KC-SERVICES0013: Failed authentication: java.lang.NullPointerException
at de.sventorben.keycloak.authentication.hidpd.HomeIdpDiscoverer.discoverForUser(HomeIdpDiscoverer.java:38)
at de.sventorben.keycloak.authentication.hidpd.HomeIdpDiscoveryAuthenticator.action(HomeIdpDiscoveryAuthenticator.java:52)
at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:155)
at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:977)
at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:311)
at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:282)
at org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:274)
at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:339)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:170)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:130)
at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:660)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:524)
at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$2(ResourceMethodInvoker.java:474)
at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:476)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:434)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:192)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:141)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:32)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:492)
at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:261)
at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:161)
at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:164)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:247)
at io.quarkus.resteasy.runtime.standalone.RequestDispatcher.service(RequestDispatcher.java:73)
at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.dispatch(VertxRequestHandler.java:151)
at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:82)
at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:42)
at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284)
at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:173)
at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:140)
at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:84)
at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:71)
at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284)
at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:173)
at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:140)
at io.quarkus.vertx.http.runtime.VertxHttpRecorder$6.handle(VertxHttpRecorder.java:430)
at io.quarkus.vertx.http.runtime.VertxHttpRecorder$6.handle(VertxHttpRecorder.java:408)
at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284)
at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:173)
at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:140)
at org.keycloak.quarkus.runtime.integration.web.QuarkusRequestFilter.lambda$createBlockingHandler$0(QuarkusRequestFilter.java:82)
at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:576)
at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2449)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1478)
at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:829)


[Feature] Provide IdpAuthenticator that checks email domains

Is there an existing feature request for this?

  • I have searched the existing issues

Is your feature related to a problem? Please describe.

When users register through an identity provider with a managed domain, I would like to ensure that only users with an email domain equal to the configured domain can register via the IdP.

Describe the solution you'd like

Implement an AbstractIdpAuthenticator that checks if domains match:

  • Load IdentityProviderConfigModel with identityProviderId from SerializedBrokeredIdentityContext
  • Wrap the ConfigModel in an IdentityProviderModelConfig
  • Read domains from the IdentityProviderModelConfig and match with user email from SerializedBrokeredIdentityContext
  • Use DomainExtractor (how to get the config of the HIdPD Authenticator?)

Describe alternatives you've considered

No response

Anything else?

No response

[BUG] Cannot install in kubernetes on keycloak 21.1.1

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Despite the fact that this manifest works for other extensions, the Keycloak pod keeps crashing when installing keycloak-home-idp-discovery with the error:

ERROR: Failed to run 'build' command.
ERROR: java.io.IOException: Failed to create a new filesystem for /opt/keycloak/lib/../providers/keycloak-home-idp-discovery.jar
ERROR: Failed to create a new filesystem for /opt/keycloak/lib/../providers/keycloak-home-idp-discovery.jar
ERROR: zip END header not found

Expected Behavior

The extension installs properly and starts working.

Steps To Reproduce

  1. Install keycloak operator version 21.1.1
  2. Apply manifest
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: keycloak-cluster
  namespace: my-namespace
spec:
  additionalOptions:
    - name: health-enabled
      value: 'true'
    - name: metrics-enabled
      value: 'true'
    - name: log-level
      value: info,org.keycloak.events:trace
    - name: proxy
      value: edge
  db:
    passwordSecret:
      key: pg-password
      name: keycloak-postgres-database-postgres-secret
    schema: public
    url: >-
      jdbc:postgresql://postgres-cluster-primary.my-namespace.svc:5432/keycloak
    usernameSecret:
      key: pg-username
      name: keycloak-postgres-database-postgres-secret
    vendor: postgres
  hostname:
    admin: keycloak.example.com
    hostname: keycloak.example.com
    strict: false
  http:
    httpEnabled: true
  ingress:
    enabled: false
  instances: 1
  unsupported:
    podTemplate:
      metadata:
        labels:
          instance: keycloak-cluster
      spec:
        containers:
          - name: keycloak
            volumeMounts:
              - mountPath: /opt/keycloak/providers
                name: providers
        initContainers:
          - command:
              - sh
              - '-c'
              - >-
                curl 
                https://github.com/sventorben/keycloak-home-idp-discovery/releases/download/v21.3.0/keycloak-home-idp-discovery.jar
                --output
                /opt/keycloak/providers/keycloak-home-idp-discovery.jar
            image: curlimages/curl:8.00.1
            name: extension1
            volumeMounts:
              - mountPath: /opt/keycloak/providers
                name: providers
        volumes:
          - emptyDir: {}
            name: providers

Version

- Keycloak operator: 21.1.1
- Keycloak: 21.1.1
- This extension: tried version 21.2.1 and 21.3.0

Anything else?


Problem is also present on docker with current version:

curl https://github.com/sventorben/keycloak-home-idp-discovery/releases/download/v22.0.0/keycloak-home-idp-discovery.jar --output keycloak-home-idp-discovery.jar

version: '3'
services:
  keycloak:
    container_name: keycloak
    image: quay.io/keycloak/keycloak:22.0.3
    environment:
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: admin
      DEBUG_PORT: '*:8787'
      DEBUG: 'true'
    command: ['start-dev', '--debug', '--import-realm']
    ports:
      - 8080:8080
      - 8443:8443
      - 8787:8787
    volumes:
    - ./keycloak-home-idp-discovery.jar:/opt/keycloak/providers/keycloak-home-idp-discovery.jar


[Feature] Automatically authenticate based on login_hint

Is there an existing feature request for this?

  • I have searched the existing issues

Is your feature related to a problem? Please describe.

In some cases we have applications that already ask a user for their e-mail address before forwarding them to our Keycloak instance.
We use the login_hint query param so that users don't have to fill in their e-mail address twice, but they still see a login screen on which they need to submit their e-mail.

Describe the solution you'd like

It would be nice (I think) if the plugin just tried to authenticate based on the login_hint.

For BC reasons it may be nice to create a setting for this:

  • tryToAuthenticateBasedOnLoginHint (or something like that)

or maybe to allow an extra query param to enforce authenticating based on the login_hint

Describe alternatives you've considered

No response

Anything else?

No response

Discovery based on full email addresses (localpart+domainpart)

Is there an existing feature request for this?

  • I have searched the existing issues

Is your feature related to a problem? Please describe.

We are providing decentralised servers to our customers. One pain point is that our customer needs to know the domain to connect to. We are looking into options for how to solve this user-flow problem. One idea is to provide a central Keycloak IdP the app will always use to ask for the correct domain. By using your great package this seems to be partly solved, as the user enters their corporate email and then gets redirected to the correct IdP/realm to connect to if the domain, like @corporate.com, is correct.

However, we also have users who are using email addresses with domains like [email protected]. At this stage the routing will not work, as there would be more than one IdP with the @gmail.com domain.

Describe the solution you'd like

Is it possible to add full email addresses to the idp discovery, so that

Thanks a lot for your help

Describe alternatives you've considered

No response

Anything else?

No response

[Question] Number of domains per identity provider

Is there an existing feature request for this?

  • I have searched the existing issues

Is your feature related to a problem? Please describe.

Hello, it's not an issue or feature request, I'm just wondering how many domains I could use on a single IdP.
I have a use case where I need to have, let's say, 200-300 domains. How will it handle that? Maybe you did some performance tests or have a clue what will happen in that case?

Describe the solution you'd like

No response

Describe alternatives you've considered

No response

Anything else?

No response

Facing issue while using this.

I have added it into my Keycloak as a provider and configured the provided steps as well. Now I am not sure how to use it. Is it expected to work directly after this? By this I mean: once I land on the login page, will it only show the username/email field and work further as expected?

[BUG] User enumeration possible ("Invalid username or password.")

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

With a very simple auth flow:

Home IdP Discovery   Alternative
Password Form        Alternative

When a user enters an unregistered email address, he immediately gets "Invalid username or password."
See in video:
Screencast from 2023-12-12 01-04-02.webm

Expected Behavior

The best thing would be to use the Username Password Form with pre-filled username (and password if it got autofilled by a password manager) instead of using the Password Form.
Seems like it's currently possible with this auth flow:

Home IdP Discovery    Required
Generic subflow "sub"
  Username Password Flow    Required 

The issue then is that the username is not pre-filled:
kc-idp-discovery-behavior

Steps To Reproduce

No response

Version

- Keycloak: 22.0.4
- This extension: 22.0.0 (EDIT: NOT 22.1.0)

Anything else?

No response

Logging in with username password

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

I have a user that I have configured in keycloak with username/password

I try to login with the default auth flow (browser) and it works fine, but when I enable the new flow that includes home idp discovery I get the error message:

Invalid username or password

Expected Behavior

I expect to get the chance to type in the password for the user and be logged in normally.

Steps To Reproduce

No response

Version

No response

Anything else?

No response

[Feature] Support other ways to discover home idp (provide SPI)

Is there an existing feature request for this?

  • I have searched the existing issues

Is your feature related to a problem? Please describe.

There are several requests and discussion to support different ways to discover the home idp.

Describe the solution you'd like

An SPI to replace the HomeIdpDiscoverer and have different implementations available would be neat. This should be configurable per authenticator instance so that at least each realm can be configured differently.

Describe alternatives you've considered

No response

Anything else?

The SPI should be build in a relatively stable way to allow others to implement their own logic.

This will make this project more like an API others can program against (library) and not simply an extension others can install and configure anymore. Need to check the implications on maintainability, effort, and things like versioning and provisioning.

Open questions:

  • Do we need custom login pages or forms (e.g. to input an organization Id)?

[Enhancement] Update screenshots in README

Is there an existing feature request for this?

  • I have searched the existing issues

Is your feature related to a problem? Please describe.

With Keycloak 19 the new admin console became the default and the old one got deprecated.

Describe the solution you'd like

Update all screenshots in the README to reflect changes in the new admin console.

Describe alternatives you've considered

No response

Anything else?

No response

Automatically Set Existing User with home idp discovery

Hey,
How can I set the authentication flow to automatically set existing users without asking users to add existing accounts or review profiles?
Steps:

  1. Create a user with email([email protected]) and set a password
  2. Login with email and password
  3. Add identity provider and set home identity discovery with email domain gmail.com
  4. Try to log in with the same email([email protected])

Actual result:
After adding an email, it is redirected to login with Google, and after a successful login to Google it is asking the user to add an existing account or review the profile like below:
tst

Expected results
After login with Google, the user should be set to the existing user.

I set the authentication flow as below and bound it to my public client, but it is not working.
image

Can you please help here how we can configure the authentication flow to achieve this kind of behavior?

[Feature] Error Message for unvalidated Email Addresses

Is there an existing feature request for this?

  • I have searched the existing issues

Is your feature related to a problem? Please describe.

I had the issue that my authentication flow worked in the first run, but I was not able to login after logout. I received the console error. I guess I spent too much time on debugging as I'm new to keycloak, but the reason for this issue was that the email address was not validated.

keycloak    | 2023-01-10 14:53:08,218 WARN  [de.sventorben.keycloak.authentication.hidpd.HomeIdpDiscoverer] (executor-thread-217) Could not extract domain from email address [email protected]
keycloak    | 2023-01-10 14:53:08,218 WARN  [org.keycloak.services] (executor-thread-217) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException

Describe the solution you'd like

I think this code line is not run. Haven't checked how to solve it and wanted to ask first. If wanted I can offer to investigate further.

if (EMAIL_ATTRIBUTE.equalsIgnoreCase(config.userAttribute()) && !user.isEmailVerified()) {

Describe alternatives you've considered

No response

Anything else?

Thanks for your Keycloak Plugin! :-)

[BUG] domain configuration disappears when identity provider configuration is saved from admin UI

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

  • Configure authenticator (Home IDP discovery)
  • Add Identity providers
  • Add email domain for identity providers using REST api. GET result shows it gets updated correctly <"home.idp.discovery.domains">.
  • Now go to Admin UI, identity-providers configuration.
  • Change any setting
  • Save new settings.
  • Do GET on identity providers api. Now the email domain configuration <"home.idp.discovery.domains"> has disappeared.

Expected Behavior

  • <"home.idp.discovery.domains"> configuration should be removed when modification is done on identity providers configuration using UI.

As it is known that the extension is not supported for the new Admin console, this could be the reason.

Steps To Reproduce

No response

Version

- Keycloak:
- This extension:

Anything else?

No response

[BUG] Admin UI theme "home-idp-discovery" is still selectable

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

When installing home idp in the latest version, it is possible to select it under realm settings -> themes -> admin ui theme.
When selected on master realm, the admin console is broken and you have to manually change it in DB.

Expected Behavior

That "home-idp-discovery" is no longer selectable as admin ui theme.

Steps To Reproduce

  1. start Keycloak in v22.0.1
  2. insert provider in 22.0.0
  3. go to admin ui
  4. go to master realm
  5. realm settings
  6. themes
  7. select "home-idp-discovery" at "Admin UI theme"
  8. refresh page, error occurs

Version

- Keycloak: 22.0.1
- This extension:22.0.0

Anything else?

theme json is still present, deleting this, should fix the issue: https://github.com/sventorben/keycloak-home-idp-discovery/blob/main/src/main/resources/META-INF/keycloak-themes.json

[BUG] Labels shown in select login method menu are not user friendly

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

I created a new authentication flow this way:

Screenshot from 2022-12-20 13-50-09

This works as expected showing by default the standard username + password form and allows changing to use Home IdP Discovery using the "Try another way" link:

Screenshot from 2022-12-20 13-49-55

The problem is that when I click that link this is what I see:

Screenshot from 2022-12-20 13-50-09

As you can see the first option includes a user friendly description but the second one does not.

Are those strings "home-idp-discovery-display-name" and "home-idp-discovery-help-text" supposed to be customized by applying some configuration, or is something missing in this project that needs to be addressed?

Expected Behavior

Seeing a user friendly explanation like for the username and password option.

Steps To Reproduce

No response

Version

- Keycloak: 20.0.2
- This extension: 20.0.1

Anything else?

No response

[Feature] Allow extension of HomeIdpDiscoveryAuthenticator

Is there an existing feature request for this?

  • I have searched the existing issues

Is your feature related to a problem? Please describe.

I'd like to be able to extend HomeIdpDiscoveryAuthenticator and/or reuse static methods. However, the class is final and the static methods are private. I have a slightly different use case where I'd like to control/render the form from a different authenticator, set the ATTEMPTED_USERNAME in an auth note, and then run this without rendering a form.

Describe the solution you'd like

Make HomeIdpDiscoveryAuthenticator non-final and make its static methods public.

Describe alternatives you've considered

Forking the code, or cut'n'paste.

Anything else?

No response

[Feature] Work nicely with Keycloak registration flow

Is there an existing feature request for this?

  • I have searched the existing issues

Is your feature related to a problem? Please describe.

When user registration is enabled in Keycloak, a user can create an account using an email address whose domain is associated with an IdP for discovery.

This means they set a Keycloak password during registration, but when they try to login using their email address in the future, they will be redirected to the IdP.

Describe the solution you'd like

The current experience is something like this:

image

It would be nice to support something like this:

image

In particular:

  • The user must enter their email address before being able to register, so that it can be checked for IdP discovery
  • The user cannot amend their email address during registration

Describe alternatives you've considered

No response

Anything else?

I am fairly new to Keycloak, so am unsure how much of this can be achieved already by configuring existing flows and editing templates.

There are probably some related complexities if a user can edit their profile in Keycloak and change their email address to/from one with a domain associated with an IdP.

[BUG] Leaking information about existing users

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

The current behaviour makes it easy to discover which emails exist in Keycloak.

When this SPI is set up correctly, the first login screen only shows an email field. If you enter an email and press enter, what should happen is:

  1. the email domain matches a configured IDP -> the user gets redirected to the IDP (all good)
  2. the email doesn't match a configured IDP. In this case, a new form appears asking you for a password.

The problem arises in the use-case number (2). If you enter a valid email (case a), that is an email that matches a user in the system, you get this view:
image

But if you enter an unknown email (case b), something that doesn't match any user in the system, the view is different:

image

This makes it easy for attackers to discover the registered emails present on keycloak.

Expected Behavior

Ideally, case a should be the expected behaviour, whether the user exists on the system or not.

I believe the problem is introduced with the line https://github.com/sventorben/keycloak-home-idp-discovery/blob/main/src/main/java/de/sventorben/keycloak/authentication/hidpd/HomeIdpDiscoveryAuthenticator.java#L115 (context.setUser).

Steps To Reproduce

Setup:

  1. Add the home-idp-discovery spi
  2. copy the builtin browser flow, and add the "Home Idp Discovery" before the "browser forms"
  3. bind the new flow to the browser flow
  4. configure one or more idps by setting the `idp.alias` attribute to a domain, for example `aa.com`

Now, try to login to keycloak using the keycloak theme, once with a valid email, once with a random one.

Version

- Keycloak: 22.0.4
- This extension: 22.0.0

Anything else?

No response

[BUG] Login page not reachable due to java.lang.NoSuchMethodError

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Hi and thanks for the module.
I've installed the module and configured it as shown in the README.md.
Here is my authentication flow:

image
I've configured it as the default Browser flow of my realm.
Whenever I try to reach the login page, I get the following error page:
image
When I check the logs, this is what I get:
2023-04-25 10:02:59,292 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-23) Uncaught server error: java.lang.NoSuchMethodError: 'org.jboss.resteasy.spi.HttpRequest org.keycloak.authentication.AuthenticationFlowContext.getHttpRequest()'
    at de.sventorben.keycloak.authentication.hidpd.AuthenticationChallenge.challenge(AuthenticationChallenge.java:25)
    at de.sventorben.keycloak.authentication.hidpd.HomeIdpDiscoveryAuthenticator.authenticate(HomeIdpDiscoveryAuthenticator.java:34)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:445)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:271)
    at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:1025)
    at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:887)
    at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:153)
My version of Keycloak is 21.0.2 and I'm using the 21.0.1 release of the module. Is that the reason why I get this error? Would the 21.1.0 version work, or should I upgrade my Keycloak version?

Thanks !

Expected Behavior

I should be redirected to the login page with a username/password form.

Steps To Reproduce

No response

Version

- Keycloak: 21.0.2
- This extension: 21.0.1

Anything else?

No response

[Feature] Multiple IDP on domain

Is there an existing feature request for this?

  • I have searched the existing issues

Is your feature related to a problem? Please describe.

It's a really rare case, but I have a few clients and they have two IDP providers in the company. I love this extension, it's exactly what I wanted a long time ago.

Describe the solution you'd like

So, as a user I'd like to choose IDP when domain has more than one IDP mapped. Is it possible?

Describe alternatives you've considered

I tried to use only one idp per domain and use Identity Provider Redirector, but the problem is that fallback idp should be different based on domain. So this doesn't work for me.
I have a lot of companies (b2b clients) integrated in our Keycloak instance, that's why I'm requesting this feature.

Anything else?

No response

[Enhancement] Support new Admin console

Is there an existing feature request for this?

  • I have searched the existing issues

Is your feature related to a problem? Please describe.

With Keycloak 19 the new admin console became the default and the old one got deprecated.

Describe the solution you'd like

  • Remove the current theme used to show configured email addresses
  • Add a theme to configure email addresses via the new admin console
  • Update readme accordingly
  • Update screenshots

Describe alternatives you've considered

No response

Anything else?

No response

[BUG] subsequent login after first login fails

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

A user can login via the discovered IDP on first login successfully,

However, once the user has been created in the 'test-realm' subsequent login fails on 'Invalid username or password.'

The user is not given the opportunity to enter a password either on the test realm or the linked idp.

Expected Behavior

User can login

Steps To Reproduce

  1. as admin create a user in IDP e.g. [email protected]
  2. as user browse to http://localhost:8080/admin/test-realm/console
  3. enter [email protected] to be redirected to idp realm
  4. enter password - user authenticates successfully and is redirected back to test-realm, user is created in test-realm
  5. logout of test-realm
  6. try to login again using same user
  7. shows error message

Version

- Keycloak:
- This extension:

Anything else?

No response

Does not work with RedHat SSO 7.6

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

An internal server error has occurred

Expected Behavior

Log on theme does not display but
image

Steps To Reproduce

No response

Version

- Keycloak:
- This extension:

Anything else?

No response

[Feature] Allow user to choose other methods instead of assigned IdP (even it's only one matched IdP)

Is there an existing feature request for this?

  • I have searched the existing issues

Is your feature related to a problem? Please describe.

We have a situation where users would like to see the IdP assigned to the email instead of an instant redirection.
I know, it sounds a bit weird, but for example: the IdP temporarily stopped working and users can't choose to use a password (or another method) instead.

    private void redirectOrChallenge(HomeIdpAuthenticationFlowContext context, String username, List<IdentityProviderModel> homeIdps) {
        if (homeIdps.size() == 1 || context.config().forwardToFirstMatch()) {
            IdentityProviderModel homeIdp = homeIdps.get(0);
            context.loginHint().setInAuthSession(homeIdp, username);
            context.redirector().redirectTo(homeIdp);
        } else {
            context.authenticationChallenge().forceChallenge(homeIdps);
        }
    }

I'm not a Java developer, but I think that instead of the hard-coded size count here, a flag could be used. What do you think?

Describe the solution you'd like

Flag which could be used instead of homeIdps.size() == 1

Describe alternatives you've considered

Create second fake IDP and hide it on the frontend, which is too hacky.
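As an added example (not the extension's own code), a constructed Python model of the redirectOrChallenge decision quoted above with the requested flag in place of the hard-coded size() == 1 test, combined with the password-form fallback from the "Leaking information about existing users" report above, shown in a leaky and a uniform variant. The class names, the flag name offer_choice_for_single_idp, and the sample IdPs and users are assumptions.

```python
# Constructed model of the home-IdP discovery decision; NOT the extension's code.
# It models three behaviours discussed in the issues on this page:
#   * email domain -> home IdP lookup (one or several IdPs per domain),
#   * redirect vs. "choose an IdP" challenge (the redirectOrChallenge snippet),
#   * the password-form fallback, which must look the same whether or not the
#     email belongs to a known local user (the enumeration report).
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class IdentityProvider:
    alias: str
    domains: Tuple[str, ...]  # lower-cased email domains mapped to this IdP


@dataclass(frozen=True)
class Config:
    # Mirrors context.config().forwardToFirstMatch() in the quoted snippet.
    forward_to_first_match: bool = False
    # Hypothetical flag (not in the extension): when True, a single matching
    # IdP is still presented as a choice instead of an immediate redirect.
    offer_choice_for_single_idp: bool = False


@dataclass(frozen=True)
class Outcome:
    kind: str                     # "redirect", "choose_idp" or "password_form"
    idp_aliases: Tuple[str, ...]  # target(s) of a redirect / choose_idp challenge
    user_resolved: bool           # whether a realm user was attached to the context


def email_domain(username: str) -> Optional[str]:
    """Domain part of an email address, lower-cased; None if none can be extracted."""
    at = username.rfind("@")
    if at <= 0 or at == len(username) - 1:
        return None
    return username[at + 1:].lower()


def discover_home_idps(username: str, idps: List[IdentityProvider]) -> List[IdentityProvider]:
    """All IdPs whose configured domains contain the email's domain (order preserved)."""
    domain = email_domain(username)
    if domain is None:
        return []
    return [idp for idp in idps if domain in idp.domains]


def redirect_or_challenge(username: str, idps: List[IdentityProvider],
                          config: Config) -> Optional[Outcome]:
    """The snippet's redirectOrChallenge, with the size() == 1 test made configurable."""
    home = discover_home_idps(username, idps)
    if not home:
        return None  # no home IdP: the caller falls back to the password form
    single = len(home) == 1 and not config.offer_choice_for_single_idp
    if single or config.forward_to_first_match:
        return Outcome("redirect", (home[0].alias,), False)
    return Outcome("choose_idp", tuple(idp.alias for idp in home), False)


def leaky_fallback(username: str, local_users: FrozenSet[str]) -> Outcome:
    """Models the reported behaviour: the user is attached to the context only when
    the email is known, so the next form renders differently for unknown emails."""
    return Outcome("password_form", (), username.lower() in local_users)


def uniform_fallback(username: str, local_users: FrozenSet[str]) -> Outcome:
    """Hardened variant: leave user resolution to the password step, so the
    response is identical for known and unknown emails."""
    return Outcome("password_form", (), False)


def authenticate(username, idps, config, local_users, fallback=uniform_fallback) -> Outcome:
    """First step of the modelled login: discovery, then redirect/challenge/fallback."""
    return redirect_or_challenge(username, idps, config) or fallback(username, local_users)


def fallback_is_uniform(fallback, local_users, known, unknown) -> bool:
    """Enumeration check: a known and an unknown email must yield identical outcomes."""
    return fallback(known, local_users) == fallback(unknown, local_users)


# Constructed sample configuration: two IdPs share one domain, a third has its own.
SAMPLE_IDPS = [
    IdentityProvider("corp-saml", ("example.com",)),
    IdentityProvider("corp-oidc", ("example.com",)),
    IdentityProvider("partner", ("partner.example",)),
]
SAMPLE_LOCAL_USERS = frozenset({"dave@gmail.example"})  # constructed local account

if __name__ == "__main__":
    for user in ("alice@partner.example", "bob@example.com",
                 "dave@gmail.example", "eve@gmail.example"):
        print(user, "->", authenticate(user, SAMPLE_IDPS, Config(), SAMPLE_LOCAL_USERS))
    print("leaky fallback uniform?", fallback_is_uniform(
        leaky_fallback, SAMPLE_LOCAL_USERS, "dave@gmail.example", "eve@gmail.example"))
```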

[BUG] Link "Try Another Way" is not shown on login page

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

When I open the Keycloak login page with the following link: https://[KEYCLOAK HOST]/realms/[REALM]/protocol/openid-connect/auth?client_id=[CLIENT ID]&state=[...]&redirect_uri=[...]&response_type=code&scope=openid there is no "Try Another Way" link in order to login normally instead of using SSO.

This is the snippet with this link from login page template of Keycloak:

<#if auth?has_content && auth.showTryAnotherWayLink()>
    <form id="kc-select-try-another-way-form" action="${url.loginAction}" method="post">
        <div class="${properties.kcFormGroupClass!}">
            <input type="hidden" name="tryAnotherWay" value="on"/>
            <a href="#" id="try-another-way"
               onclick="document.forms['kc-select-try-another-way-form'].submit();return false;">${msg("doTryAnotherWay")}</a>
        </div>
    </form>
</#if>

I suspect that the condition may be false but what's may be the reason and how this extension could be related?

Expected Behavior

The "Try Another Way" link to be shown as described in the readme

Steps To Reproduce

No response

Version

- Keycloak: 19.0.1
- This extension: 18.0.0

Anything else?

image
image

[Feature] Support "Use SSO" button

Is there an existing feature request for this?

  • I have searched the existing issues

Is your feature related to a problem? Please describe.

Having a login page with only an email is more and more common, but not uniformly enjoyed by end users. An alternative is the use of a 3-step process with the help of an "SSO" button. The idea would be to allow both flows: current and 3-step.

Describe the solution you'd like

More precisely, in the 3-step process the sign in page would look like:

image

If the user clicks on "Use SSO", he is redirected to a form with only the email field available (same as what we do now).

Examples:

Describe alternatives you've considered

I am not sure it is feasible with the current implementation.

Anything else?

Thanks for this amazing work.

[Feature] Prevent users with associated home IdP to change credentials

Is there an existing feature request for this?

  • I have searched the existing issues

Is your feature related to a problem? Please describe.

Assume a user has a home IdP associated either via a configured domain per IdP or via an IdP with an associated email that is linked to the user's account. In such a scenario users may not need credentials, because they are authenticated by the home IdP. In these scenarios it may be beneficial to prohibit resetting credentials for users to prevent them from logging in locally.

Note that users without a home IdP that have a local account should still be able to reset credentials.

Describe the solution you'd like

I see two options here:

  • prevent users with a home IdP from login with local credentials
    • via conditional authenticator to check if user has home IdP and use "deny access" in such a flow to deny login with local credentials
    • via custom authenticator
  • prevent credential reset via a custom authenticator in reset credential flow
    • via conditional
    • via custom authenticator

I think this still needs more clarification on what is needed (prevent password reset or prevent login with local account).

Describe alternatives you've considered

No response

Anything else?

See also:

[Feature] Support "Remember Me"

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Hi, I configured the Home IdP Discovery version 20.0.3 on a Keycloak 20.0.5 and it works well, but the Remember Me flag doesn't work anymore. If I use the standard browser flow it works after restarting the browser.
My custom flow with the Idp Discovery is a copy of the standard browser flow.

Thanks
Riccardo

Expected Behavior

I'm expecting that when I open my browser again, if the Remember Me session is not expired, I am directly logged in to my application

Steps To Reproduce

  1. Configure Idp Discovery Flow
  2. Enable Remember Me flag in Realm Settings -> Login
  3. Increase the SSO Remember Me Session
  4. Log in with Keycloak with Remember Me flag active
  5. Close Browser
  6. Open Browser again and connect to the application. Keycloak needs the login again

Version

- Keycloak:20.0.5
- This extension: 20.0.3

Anything else?

No response

Support new Organization Feature

Is there an existing feature request for this?

  • I have searched the existing issues

Is your feature related to a problem? Please describe.

Placeholder to support the Keycloak’s Organization Feature coming with KC 25.

keycloak/keycloak#23948 (comment)

Describe the solution you'd like

No response

Describe alternatives you've considered

No response

Anything else?

No response

Please add an explicit license to the repository

Is there an existing feature request for this?

  • I have searched the existing issues

Is your feature related to a problem? Please describe.

Many organizations are unable to bring in code that doesn't have an explicit license.

Describe the solution you'd like

Please add an explicit license so that organizations and others that may want to utilize this functionality can do so! (We'd also be willing to contribute back some functionality as well)

Describe alternatives you've considered

N/A

Anything else?

N/A

[Feature] login for user not linked to corporate IDP

Is there an existing feature request for this?

  • I have searched the existing issues

Is your feature related to a problem? Please describe.

Hi - this module looks perfect for a requirement I have, however the difference being that some users who do not belong to a corporate SSO (with a known email domain) would still require authentication.

These users may have personal email addresses @gmail.com or @hotmail.com etc.

However, the business would still like to manage the user accounts.

Describe the solution you'd like

I think that maybe you do not want the user to authenticate direct in the realm, as you have removed the password field.

So a suggestion might be to have another realm as default - this realm can be configured for public registrations etc or as required by the business use case.

e.g.

    UserModel user = context.getUser();

    // look up the home IdP by the domain part of the entered email; empty if no configured domain matches
    final Optional<IdentityProviderModel> homeIdp = discoverHomeIdp(context, user, username);

    if (homeIdp.isEmpty()) {
        // no corporate IdP for this domain: send the user to a configured default realm instead
        new Redirector(context).redirectTo("a default realm");
    } else {
        new Redirector(context).redirectTo(homeIdp.get());
    }

Describe alternatives you've considered

No response

Anything else?

I'm happy to contribute to the effort :)
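The routing decision this request sketches (known email domain goes to its IdP, anything else goes to a default target) as a stand-alone illustration. This is an added example, not code from the extension or from the issue author: the class name HomeIdpResolver, the domain map DOMAIN_TO_IDP, the DEFAULT_TARGET alias and the sample addresses are all constructed for the demo, and the real extension takes its domains from the identity-provider configuration and performs the redirect through Keycloak's AuthenticationFlowContext rather than returning a string. What the example adds beyond the sketch is the part that matters for security: the domain is normalised (trimmed, lower-cased, trailing dot removed) and matched exactly, so a look-alike domain that merely contains a mapped domain as a substring never inherits its mapping, and malformed input falls through to the default instead of throwing.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Optional;

/**
 * Added illustration, not the extension's own code: resolve a user's home IdP
 * from the domain part of the email they typed, and fall back to a default
 * target when no corporate domain matches.
 */
public final class HomeIdpResolver {

    /** Hypothetical alias for users whose domain is not mapped (the "default realm" of the request). */
    static final String DEFAULT_TARGET = "default-realm";

    /** Constructed sample mapping: lower-case email domain -> IdP alias. */
    static final Map<String, String> DOMAIN_TO_IDP = Map.of(
        "example.com", "corp-saml",
        "eng.example.com", "eng-oidc",
        "partner.example.org", "partner-oidc"
    );

    /**
     * Extracts and normalises the domain part of an email address.
     * Returns empty for anything that is not a usable "local@domain" string,
     * so malformed input can never match a mapping by accident.
     */
    static Optional<String> domainOf(String email) {
        if (email == null) {
            return Optional.empty();
        }
        String trimmed = email.trim();
        int at = trimmed.lastIndexOf('@');            // domain is whatever follows the last '@'
        if (at <= 0 || at == trimmed.length() - 1) {
            return Optional.empty();                   // no local part or no domain part
        }
        String domain = trimmed.substring(at + 1).toLowerCase(Locale.ROOT);
        if (domain.endsWith(".")) {
            domain = domain.substring(0, domain.length() - 1); // "example.com." == "example.com"
        }
        if (domain.isEmpty() || domain.contains(" ")) {
            return Optional.empty();
        }
        return Optional.of(domain);
    }

    /**
     * Exact-match lookup only. A mapping for example.com must not also capture
     * a look-alike such as example.com.evil.test or notexample.com; if a parent
     * domain should cover sub-domains, that is an explicit policy decision and
     * each allowed sub-domain is better listed in the map.
     */
    static Optional<String> discoverHomeIdp(String email) {
        return domainOf(email).map(DOMAIN_TO_IDP::get); // map() yields empty when get() returns null
    }

    /** The decision from the request: the user's home IdP if known, otherwise the default target. */
    static String resolveTarget(String email) {
        return discoverHomeIdp(email).orElse(DEFAULT_TARGET);
    }

    public static void main(String[] args) {
        // Constructed sample input covering the normal case, mixed case and a
        // trailing dot, an unmapped personal domain, a look-alike domain and junk.
        String[] samples = {
            "alice@example.com",
            "Bob@ENG.Example.COM.",
            "carol@gmail.com",
            "mallory@example.com.evil.test",
            "not-an-email"
        };
        for (String sample : samples) {
            System.out.printf("%-32s -> %s%n", sample, resolveTarget(sample));
        }
    }
}
```

Run with `java HomeIdpResolver.java` (Java 11 or newer): the first two samples resolve to corp-saml and eng-oidc, the remaining three all land on default-realm. In a real authenticator the fallback branch would redirect to the configured default realm or show the password form, but the decision itself stays this small and is the part worth unit-testing.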

Unable to download package from maven

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Maven can't resolve this package using the coordinates on this page https://github.com/sventorben/keycloak-home-idp-discovery/packages/1112199?version=19.1.0

Expected Behavior

Maven to be able to download this package

Steps To Reproduce

  1. Add the following to pom.xml

     <dependency>
         <groupId>de.sventorben.keycloak</groupId>
         <artifactId>keycloak-home-idp-discovery</artifactId>
         <version>19.1.0</version>
     </dependency>
    
  2. Unable to resolve (happens with the most recent version as well)

Version

- Keycloak: 19.0.3
- This extension: 19.1.0

Anything else?

No response
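The coordinates in the issue are copied from a GitHub Packages page. Maven does not search GitHub Packages unless a repository entry points at it, and GitHub documents that its Maven registry rejects anonymous downloads even for public packages, so a plain dependency element alone cannot resolve. The fragments below are an added example, not the project's own POM or settings: the repository id is a name chosen here, the URL follows GitHub's documented maven.pkg.github.com/OWNER/REPOSITORY pattern for this repository, and the username and token are placeholders. Whether the artifact is also published elsewhere is not stated on the page; this configuration assumes it is only available from GitHub Packages.

```xml
<!-- pom.xml (added example): register the GitHub Packages repository for this project
     next to the <dependency> shown in the issue. -->
<repositories>
  <repository>
    <id>github-home-idp-discovery</id>
    <url>https://maven.pkg.github.com/sventorben/keycloak-home-idp-discovery</url>
  </repository>
</repositories>

<!-- ~/.m2/settings.xml (separate file): credentials for that repository.
     The <server> id must equal the repository id above. Use a personal access
     token with only the read:packages scope, and keep it in settings.xml or an
     environment variable, never in the committed POM. -->
<settings>
  <servers>
    <server>
      <id>github-home-idp-discovery</id>
      <username>YOUR_GITHUB_USERNAME</username>
      <password>YOUR_PERSONAL_ACCESS_TOKEN</password>
    </server>
  </servers>
</settings>
```

If resolution still fails after this, `mvn -U dependency:get -Dartifact=de.sventorben.keycloak:keycloak-home-idp-discovery:19.1.0` with `-X` shows which repository Maven actually queried and the HTTP status it got back, which distinguishes a missing repository entry (404 from Central) from a rejected token (401 from GitHub).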
