Closed xgp closed 2 months ago
I will probably take it to continue my work.
Here is my idea (based on assumptions; it might differ once I am working on it):
Files to be added / created:
[MAYBE]
Assumption / Personal Notes:
The `prompt` and `account_hint` form parameters can be retrieved in the Authenticator flow through `MultivaluedMap<String, String> formData = context.getHttpRequest().getDecodedFormParameters();`
On this basis, I think I can apply the necessary logic.
Flow / Idea: ActiveOrganizationAuthenticator
- If `prompt=select_account` is provided, the select-orgs form will be rendered for the user to select an organization. Except: if `account_hint=<org-id>` is provided, the select-orgs form will be skipped (if the organization is valid).
ActiveOrganizationPermissiveCondition (optional)
I propose this conditional to have a more "permissive" approach, as in some use cases belonging to an organization might be optional. So I would like to introduce this condition to cover this potential use case:
My current questions: How can we test an authentication flow?
`account_hint=<org-id>` can be covered as it doesn't require interacting with a form. @xgp, do you have some examples of how the other case can be tested automatically (where we have to select an organization)? Apart from manual testing, I don't see how it is possible currently.
Also, let's take this thread to exchange on this approach if you would like something different.
(don't know if you can assign it to me, but, if possible, assign it to me, I will work on that)
@MGLL Regarding testing authentication flows, I have used Cypress and Cypress testcontainers. Unfortunately, I've only done that for a consulting project, and I don't have open source examples. However, after I figured out Cypress, it was fairly easy.
Regarding your idea for implementation, it seems like it will work.
Completed in #172
Per @phamann's comment we should extend @MGLL's contributed Active Organization feature to be more spec-compliant, using a custom Authenticator which acts upon the presence of the OIDC query parameter `prompt=select_account`. From the spec:
This way, we could use Keycloak's existing auth and token endpoints and off-the-shelf OIDC clients without any modification for account switching.
Add an `account_hint=<org_id>` param, allowing users to switch directly to an account without being challenged to choose from a list, similar to Keycloak's `kc_idp_hint` behaviour.
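Added example, not code from this issue or from the project itself: the `prompt` / `account_hint` decision that @MGLL's flow and the proposal above describe, written as a plain Java class with constructed cases so the combinations can be checked before any Keycloak wiring. The class and enum names, the membership set and the fallback policy for an invalid hint are assumptions; the only SPI call the thread confirms is `getDecodedFormParameters()`.

```java
import java.util.Arrays;
import java.util.Set;

/** Decision table for the proposed ActiveOrganizationAuthenticator (assumed name). */
public final class ActiveOrgDecision {

    public enum Outcome { KEEP_CURRENT, RENDER_SELECT_FORM, SWITCH_TO_HINT, REJECT_HINT }

    /**
     * @param prompt      raw OIDC prompt value (space-separated list) or null
     * @param accountHint raw account_hint value or null
     * @param memberOrgs  ids of organizations the already-authenticated user belongs to
     */
    public static Outcome decide(String prompt, String accountHint, Set<String> memberOrgs) {
        boolean selectRequested = prompt != null
                && Arrays.asList(prompt.trim().split("\\s+")).contains("select_account");
        // account_hint is client-controlled request input: honour it only when the user
        // really is a member of that organization, never just because it was sent.
        if (accountHint != null && !accountHint.isBlank()) {
            if (memberOrgs.contains(accountHint)) return Outcome.SWITCH_TO_HINT;
            // invalid hint: fall back to the form if it was asked for, else refuse (assumed policy)
            return selectRequested ? Outcome.RENDER_SELECT_FORM : Outcome.REJECT_HINT;
        }
        return selectRequested ? Outcome.RENDER_SELECT_FORM : Outcome.KEEP_CURRENT;
    }

    // Inside Authenticator.authenticate(AuthenticationFlowContext ctx) the two inputs come
    // from ctx.getHttpRequest().getDecodedFormParameters() (as noted in the thread) and the
    // outcome maps to ctx.challenge(form) / ctx.success() / ctx.failure(...) (assumed wiring).

    // Constructed cases covering the thread's combinations; run with: java ActiveOrgDecision.java
    public static void main(String[] args) {
        Set<String> member = Set.of("org-a", "org-b"); // constructed membership for one user
        String[][] cases = {
            {null, null},                       // no switching requested
            {"select_account", null},           // form requested, no hint
            {"login select_account", "org-b"},  // valid hint together with the form request
            {null, "org-b"},                    // valid hint only
            {"select_account", "org-zzz"},      // hint not in membership, form requested
            {null, "org-zzz"},                  // hint not in membership, no form requested
        };
        for (String[] c : cases) {
            System.out.printf("prompt=%s account_hint=%s -> %s%n",
                    c[0], c[1], decide(c[0], c[1], member));
        }
    }
}
```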