p2-inc / keycloak-orgs

Single realm, multi-tenancy for SaaS apps
https://phasetwo.io

Could not find configuration for Required Action invitation-required-action? #29

Closed davidprifti closed 1 year ago

davidprifti commented 1 year ago

Hi there,

I am trying to use the invitations feature of keycloak-orgs and there seems to be a problem with it. As far as I can tell from the logs of the Keycloak server there seems to be a missing Required Action invitation-required-action. The InvitationAuthenticator finds the invites successfully as you can see by the following logs. Here are the full logs for more details:

2023-01-09 10:39:47,995 INFO [io.phasetwo.service.auth.invitation.InvitationAuthenticator] (executor-thread-28) InvitationAuthenticator.configuredFor called for realm demo-realm and user a@b.com
2023-01-09 10:39:48,009 INFO [io.phasetwo.service.auth.invitation.InvitationAuthenticator] (executor-thread-28) Found 1 invites for a@b.com
2023-01-09 10:39:48,009 INFO [io.phasetwo.service.auth.invitation.InvitationAuthenticator] (executor-thread-28) InvitationAuthenticator.setRequiredActions called for realm demo-realm and user a@b.com
2023-01-09 10:39:48,042 WARN [org.keycloak.services.managers.AuthenticationManager] (executor-thread-28) Could not find configuration for Required Action invitation-required-action, did you forget to register it?

Steps to reproduce

Run the Keycloak server using:

docker run --name phasetwo_test --rm -p 8079:8080 \
  -e KEYCLOAK_ADMIN=admin \
  -e KEYCLOAK_ADMIN_PASSWORD=admin \
  quay.io/phasetwo/phasetwo-keycloak:20.0.2.1672928292 \
  start-dev

Create a copy of built-in browser authentication flow and add required "Invitation" step between the "Username password form" and "Conditional OTP" step. Bind the new flow to the Browser Flow.

Create organisation and send an invitation.

Log in with the user.

Expected behaviour

What was expected was that this authenticator checks to see if the authenticated user has outstanding Invitations to Organizations, and then adds the Required Action that they must complete to accept or reject their Invitations following a successful authentication. Instead the user continues to log in successfully and nothing happens with the pending invitation.

xgp commented 1 year ago

Hi @davidprifti the authenticator shouldn't be necessary. Go into the Keycloak Admin UI -> Authentication -> Required Actions and make sure the Invitation required action is registered and enabled. The evaluateTriggers method of this will run every time a login happens, and determine if it should be added to the user.

davidprifti commented 1 year ago

Thank you for your quick reply. I had totally missed that step. I set Invitation required action as enabled, but there is no invitation screen showing at all yet.

2023-01-09 12:22:07,757 INFO [io.phasetwo.service.auth.invitation.InvitationAuthenticator] (executor-thread-67) InvitationAuthenticator.configuredFor called for realm demo-realm and user a@b.com
2023-01-09 12:22:07,760 INFO [io.phasetwo.service.auth.invitation.InvitationAuthenticator] (executor-thread-67) Found 1 invites for a@b.com
2023-01-09 12:22:07,760 INFO [io.phasetwo.service.auth.invitation.InvitationAuthenticator] (executor-thread-67) InvitationAuthenticator.setRequiredActions called for realm demo-realm and user a@b.com
2023-01-09 12:22:07,773 INFO [io.phasetwo.service.auth.invitation.InvitationRequiredAction] (executor-thread-67) InvitationRequiredAction.requiredActionChallenge called for realm demo-realm and user a@b.com
2023-01-09 12:22:07,774 INFO [io.phasetwo.service.auth.invitation.InvitationRequiredAction] (executor-thread-67) No challenge

xgp commented 1 year ago

Invitations also currently require the user to have a verified email address.

https://github.com/p2-inc/keycloak-orgs/blob/main/src/main/java/io/phasetwo/service/auth/invitation/InvitationRequiredAction.java#L54

If you are not currently requiring a verified email address (by making that action default), you need to in order to use invitations.

davidprifti commented 1 year ago

+1 Got it. Thanks!
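
The two preconditions raised in this thread (the Invitation required action registered and enabled, and a verified email on the user) can be checked against the realm's configuration, as in this added example, which is not code from the thread or from keycloak-orgs. It assumes JSON shaped like the Keycloak Admin REST API's required-actions list and user representation; the sample data and the function name diagnose_invitation_setup are constructed for illustration.

```python
import json

# Constructed sample data, shaped like responses from
#   GET /admin/realms/{realm}/authentication/required-actions
#   GET /admin/realms/{realm}/users/{id}
# It mirrors the state after the second comment: action enabled, email unverified.
SAMPLE_ACTIONS = json.loads("""[
  {"alias": "VERIFY_EMAIL", "enabled": true, "defaultAction": false},
  {"alias": "invitation-required-action", "enabled": true, "defaultAction": false}
]""")
SAMPLE_USER = {"username": "a@b.com", "email": "a@b.com", "emailVerified": False}

INVITATION_ALIAS = "invitation-required-action"  # alias from the WARN log line
VERIFY_EMAIL_ALIAS = "VERIFY_EMAIL"              # Keycloak's built-in action


def diagnose_invitation_setup(actions, user):
    """Return reasons the invitation screen would not appear (empty list = OK)."""
    by_alias = {a.get("alias"): a for a in actions}
    problems = []

    # First reply: the required action must be registered and enabled.
    inv = by_alias.get(INVITATION_ALIAS)
    if inv is None:
        problems.append("invitation required action is not registered")
    elif not inv.get("enabled", False):
        problems.append("invitation required action is registered but disabled")

    # Second reply: invitations require a verified email address.
    if not user.get("emailVerified", False):
        problems.append("user email is not verified")
        verify = by_alias.get(VERIFY_EMAIL_ALIAS)
        if verify is None or not verify.get("enabled", False):
            problems.append("VERIFY_EMAIL required action is not enabled")
        elif not verify.get("defaultAction", False):
            problems.append("VERIFY_EMAIL is not a default action for new users")
    return problems


if __name__ == "__main__":
    for problem in diagnose_invitation_setup(SAMPLE_ACTIONS, SAMPLE_USER):
        print("-", problem)
```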