
I've configured Keycloak authentication for the following behaviour:

  • The user inputs their userid
  • Keycloak should try to authenticate it with the passwordless flow
  • As an alternative the user could switch to password authentication

NOTE: The user already has a registered passwordless device:


The authentication flow has been configured as follows:


I access localhost:8080/realms/myrealm/account and click on Sign in:


I input the userid:


But, instead of being offered to sign up with the security device, I'm asked for the password:


If I select Try another way and click on Security Key:


I am now offered to log in with the device:


Which I can do successfully.

The problem here is that I need the passwordless login to be offered directly, not the password form. Passwordless is actually configured as the first alternative option, so why isn't it working as expected?


codependent

1 Answer


Looking at the code of AuthenticationSelectionResolver, this seems to be intended behaviour. Try to change the order/position of credentials for your user from within the admin console.


The order of credentials should affect the order in which alternative authenticators will be executed.

sventorben
  • My users are federated from LDAP so I don't have the option to order their credentials. However, I think it would make much more sense to prioritize the order of the authentication from the flow. Thus the same behaviour would apply to all users – codependent Jul 28 '22 at 07:08
  • Like @sventorben said. Check this issue: https://github.com/keycloak/keycloak/issues/12102 – Nicolas Osorio Mar 11 '23 at 14:54
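
The credential reordering suggested in the answer can also be scripted against Keycloak's Admin REST API instead of the admin console. The following is an added example, not part of the original answer or of Keycloak's code. It assumes an admin access token and that the credentials listing is returned in priority order; the helper names, user id and credential ids are hypothetical.

```python
import json
import urllib.request

PASSWORDLESS_TYPE = "webauthn-passwordless"  # credential type of a passwordless WebAuthn device


def credential_to_promote(credentials):
    """Return the id of the first passwordless credential if it is not
    already at the top of the user's credential list, else None."""
    for position, cred in enumerate(credentials):
        if cred.get("type") == PASSWORDLESS_TYPE:
            return cred["id"] if position > 0 else None
    return None  # the user has no passwordless credential registered


def admin_request(base_url, realm, user_id, token, suffix="", method="GET"):
    """Build an Admin REST request for the user's credentials resource."""
    url = f"{base_url}/admin/realms/{realm}/users/{user_id}/credentials{suffix}"
    return urllib.request.Request(
        url, method=method, headers={"Authorization": f"Bearer {token}"})


def promote_passwordless(base_url, realm, user_id, token):
    """List the user's credentials and move passwordless WebAuthn to first."""
    listing = admin_request(base_url, realm, user_id, token)
    with urllib.request.urlopen(listing) as resp:
        credentials = json.load(resp)
    cred_id = credential_to_promote(credentials)
    if cred_id is None:
        return False  # nothing to do: already first, or none registered
    move = admin_request(base_url, realm, user_id, token,
                         suffix=f"/{cred_id}/moveToFirst", method="POST")
    urllib.request.urlopen(move).close()
    return True


# Constructed sample of a credentials listing (ids are made up for illustration).
SAMPLE = [
    {"id": "cred-pw-0001", "type": "password"},
    {"id": "cred-wa-0002", "type": "webauthn-passwordless", "userLabel": "key"},
]

if __name__ == "__main__":
    print("would move:", credential_to_promote(SAMPLE))
```
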