Closed fabio-pereira-ubc closed 1 year ago
This won't work in the current implementation. Sending a request to a remote IdP requires a continuous authentication session. The magic link functionality doesn't maintain the session (even in the same browser) following the click on the email link.
Perhaps as an alternative, could you keep the magic link username form and authenticator in your forms set as ALTERNATIVE, so that the user could click "Try another way" rather than doing it in another Realm as a remote IdP?
Thanks for the answer, we are going to try that!
We are testing the keycloak-magic-link, and everything is fine when we use it in a browser flow in an IDB realm that the application connects to in order to validate the user, as in the image below.
But in our scenario, we need to provide more than one login option to our users. For that, we configure multiple identity providers in an IDB realm, and we are creating another realm for the magic link to act as an IdP. The configuration is like the image below.
These are the steps when we try to connect our example application (SP).
1) User clicks on the MLIDP IdP button.
2) User enters the email and submits it.
3) User clicks on the link in the email received.
4) User gets an error as a response.
To check that we have configured the IdP configuration in the IDB realm and the client in the MLIDP realm correctly, we changed the MLIDP realm client flow to the standard browser flow, as shown in the image below. After the test, we can log in successfully.
There is one open issue in which the state is mentioned, but we don't know whether it is related to the issue we got: "Magic link doesn't support PKCE or state/nonce values".
The keycloak version used during tests was 18.0.1.