netzbegruenung / keycloak-mfa-plugins

Keycloak plugins for MFA (enforce MFA, SMS authentication step, native app integration)
Apache License 2.0
90 stars, 25 forks

Enforce-MFA on 'Registration Flow' does not work #156

Open ToniA opened 1 week ago

ToniA commented 1 week ago

First of all, thank you for this excellent plugin for supporting a user-selectable MFA method. This works beautifully in the 'Browser Flow'.

However, I'm now trying to add it into 'Registration Flow', to support the new 'Organizations' feature invite link, and setting up OTP in the registration step. With exactly the same flow setup (I'm using mrparkers/keycloak with Terraform to script it), I get the registration flow to present the OTP selection dialog ('Please choose an authentication method as a second factor.'). But after the selection, I get an error message 'We are sorry... Registration not allowed'.

Keycloak log says:

keycloak-1           | 2024-11-11 10:05:23,319 WARN  [org.keycloak.events] (executor-thread-111) type="REGISTER_ERROR", realmId="1a000a7b-9eab-45f5-b254-2a6f2a96f7ad", realmName="demo", clientId="null", userId="null", ipAddress="172.18.0.1", error="registration_disabled"

This is my 'Registration Flow':

image

This very simple 'Registration Flow' with REQUIRED Authenticator App works fine:

image

ToniA commented 1 week ago

OK, I think I found it. The Organizations 'Invite member' action does not require that the 'Realm settings' -> 'Login' -> 'User registration' is enabled.

However, if the 'Enforce MFA' step is added into the registration flow, the realm-level 'User registration' must be enabled. It looks like the 'session' object doesn't carry the organizations info, and it causes the registration to fail here:

https://github.com/keycloak/keycloak/blob/47dac5ef26499230b7c8fbb713afdfbf505175fe/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java#L794
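The two symptoms described in this thread (the `REGISTER_ERROR` / `registration_disabled` event in the Keycloak log, and an Enforce-MFA step sitting in the registration flow of a realm whose 'User registration' is switched off) can both be checked offline. The script below is an example added here by the editor; it is not part of the netzbegruenung/keycloak-mfa-plugins project or of Keycloak. It assumes the admin REST API shapes for a realm representation (`registrationAllowed`) and for flow executions (`providerId`, `requirement`), and the Enforce-MFA `providerId` it uses is a placeholder, since the real id is not given in the issue.

```python
"""Offline checks for the failure mode described in this issue.

Example code added by the editor, not from the plugin project or Keycloak.

1. Parse Keycloak's key="value" org.keycloak.events log lines and pick out
   REGISTER_ERROR events carrying error="registration_disabled".
2. Given a realm representation and the executions of its registration flow
   (shapes as returned by the Keycloak admin REST API), flag an active
   Enforce-MFA step while realm-level user registration is disabled.
"""
import re

# Assumption/placeholder: the plugin's real authenticator provider id is not
# stated in the issue and must be substituted before using this for real.
PROVIDER_ID_ENFORCE_MFA = "enforce-mfa-authenticator"

# Keycloak event lines are a comma-separated list of key="value" pairs.
EVENT_PAIR_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event_line(line):
    """Return the key/value pairs of an org.keycloak.events log line,
    or None when the line is not an event line."""
    if "[org.keycloak.events]" not in line:
        return None
    return dict(EVENT_PAIR_RE.findall(line))


def registration_disabled_events(lines):
    """Collect events that match the symptom from this issue."""
    found = []
    for line in lines:
        ev = parse_event_line(line)
        if ev is None:
            continue
        if ev.get("type") == "REGISTER_ERROR" and ev.get("error") == "registration_disabled":
            found.append(ev)
    return found


def flow_requires_realm_registration(realm, executions):
    """True when the registration flow contains a non-disabled Enforce-MFA
    execution but the realm has user registration switched off, i.e. the
    combination the reporter found to fail."""
    has_enforce_mfa = any(
        e.get("providerId") == PROVIDER_ID_ENFORCE_MFA and e.get("requirement") != "DISABLED"
        for e in executions
    )
    return has_enforce_mfa and not realm.get("registrationAllowed", False)


# Constructed sample input: the log line quoted in the issue plus one
# unrelated event line, a realm representation and a flow execution list.
SAMPLE_LOG = [
    'keycloak-1           | 2024-11-11 10:05:23,319 WARN  [org.keycloak.events] '
    '(executor-thread-111) type="REGISTER_ERROR", '
    'realmId="1a000a7b-9eab-45f5-b254-2a6f2a96f7ad", realmName="demo", '
    'clientId="null", userId="null", ipAddress="172.18.0.1", error="registration_disabled"',
    'keycloak-1           | 2024-11-11 10:06:01,002 INFO  [org.keycloak.events] '
    '(executor-thread-112) type="LOGIN", realmName="demo", clientId="account-console", '
    'userId="constructed-user-id", ipAddress="172.18.0.1"',
]
SAMPLE_REALM = {"realm": "demo", "registrationAllowed": False}
SAMPLE_EXECUTIONS = [
    {"displayName": "Registration User Creation",
     "providerId": "registration-user-creation", "requirement": "REQUIRED"},
    {"displayName": "Enforce MFA",
     "providerId": PROVIDER_ID_ENFORCE_MFA, "requirement": "REQUIRED"},
]

if __name__ == "__main__":
    for ev in registration_disabled_events(SAMPLE_LOG):
        print("registration_disabled in realm", ev.get("realmName"), "from", ev.get("ipAddress"))
    if flow_requires_realm_registration(SAMPLE_REALM, SAMPLE_EXECUTIONS):
        print("Enforce MFA is in the registration flow but realm registrationAllowed is false")
```

Feeding the script the output of `GET /admin/realms/{realm}` and `GET /admin/realms/{realm}/authentication/flows/{flowAlias}/executions` (the endpoints whose shapes it assumes) turns the reporter's finding into a repeatable configuration check.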