p2-inc / keycloak-magic-link

Magic Link Authentication for Keycloak
https://phasetwo.io

Authentication is skipped if UsernameForm is added before Magic Link #30

Closed srt closed 1 year ago

srt commented 1 year ago

When adding a UsernameForm before the Magic Link authenticator no magic link is sent and authentication succeeds right away.

This is a simple flow to reproduce the issue:

[screenshot of the authentication flow: UsernameForm followed by the Magic Link authenticator]

Keycloak version 21.1.1 with magic link 0.11.

The reason seems to be that MagicLinkAuthenticator checks for context.getUser() != null and just returns context.success() if it finds a user in the authentication context.
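The check described above, shown as an added Java illustration (not the project's own code, and not the fix in the commit referenced later): an Authenticator that treats a user already resolved by an earlier UsernameForm step as authenticated, beside the behaviour one would expect, where a resolved user only determines the recipient of the link and the step still blocks until the link is used. The sendMagicLink helper and the "magic-link-sent" auth note are assumptions.

```java
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

public class MagicLinkStyleAuthenticator implements Authenticator {
    // Hypothetical auth note marking that this step already sent a link.
    private static final String LINK_SENT_NOTE = "magic-link-sent";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        UserModel user = context.getUser();

        // Defective shortcut (the behaviour reported in this issue): a user
        // set by a preceding UsernameForm counts as authenticated, so no
        // link is ever sent and the flow completes immediately.
        //   if (user != null) { context.success(); return; }

        // Expected behaviour: no user yet means we still need an identifier.
        if (user == null) {
            context.challenge(context.form().createLoginUsername());
            return;
        }
        // A resolved user only tells us where to send the link.
        if (context.getAuthenticationSession().getAuthNote(LINK_SENT_NOTE) == null) {
            sendMagicLink(context, user); // hypothetical helper
            context.getAuthenticationSession().setAuthNote(LINK_SENT_NOTE, "true");
        }
        // Hold the flow on a "check your email" page; success is only
        // signalled when the link itself is consumed.
        context.challenge(context.form().createForm("view-email.ftl"));
    }

    private void sendMagicLink(AuthenticationFlowContext context, UserModel user) {
        // Placeholder: build an action token for this authentication
        // session and email it to user.getEmail().
    }

    @Override public void action(AuthenticationFlowContext context) { authenticate(context); }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```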

xgp commented 1 year ago

Hi @srt thanks for the report. The Magic Link authenticator was designed to be used alone. Without the username form, it will render the same form (it extends UsernamePasswordForm). If there is another use case we're missing, please post it.

srt commented 1 year ago

The use case is to use the Magic Link as one of several alternatives for login. For example: Either magic link or passkey (webauthn) or password. To make this work the username has to be entered first.

xgp commented 1 year ago

Got it. Neither (this or email otp) was designed with the "try another way" use case in mind. Let me see if there is a way to alter them while maintaining backwards compatibility. If you're in a hurry, it's certainly possible to make a new one based on this that doesn't do that check.

xgp commented 1 year ago

fixed in 50f2c0e

abamuc commented 2 months ago

Thank you for your great work.

However, I'm using git version c6723a with exactly the same settings as above, and I could log in a user without using the magic link, just by entering the e-mail. Perhaps someone else could check whether that's a problem just for me.

xgp commented 2 months ago

Please don't hijack a closed thread. Without seeing your full flow configuration, there is no way we can help you. Please post that in a new issue, along with your complete setup so we can help debug.

abamuc commented 2 months ago

I'm sorry that you had the impression that I tried to hijack this topic. That was not my intention.

My remark was rather: the new code with the config as above doesn't work for me. If it works for everyone else, then everything is fine, it's a problem on my side and not relevant to this bug. As an open source maintainer I myself am always happy if people tell me what they observe, and so I just tried to be helpful here. Sorry if I caused any annoyance; this is my last remark on that topic here unless asked for more comments.

Details: I used the configuration described in the initial post with the current magic link code from git head and Keycloak 24.0.4. [screenshot of the authentication flow]

The behaviour is the same as described by srt: »When adding a UsernameForm before the Magic Link authenticator no magic link is sent and authentication succeeds right away«. My understanding was that this should have been fixed by the commit above; sorry if I misunderstood that.