User without restricted-access role is being able to authenticate.

[KhasDenis]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

User without restricted-access role is still being able to authenticate. Role itself created both in realm and client (In both cases there is 0 assignments). My current configuration is similar to this one https://user-images.githubusercontent.com/12183470/136276665-6b087651-baa9-43aa-addf-59db247529b7.png

Expected Behavior

User without restricted-access role is not being able to authenticate.

Steps To Reproduce

No response

Version

- Keycloak: 22.0.4
- This extension: 22.0.0

Anything else?

No response

[sventorben]

@KhasDenis If I see it correctly, you have mixed required and alternative flows on the same level which is not supported by Keycloak.
Try to make "Copy of browser forms 2" an alternative like the other ones and it should work.

[KhasDenis]

Still being able to authenticate.

I was seeing issue with required and alternate on the same level before and usually it is in the logs something like
2023-12-05 12:10:41,478 WARN [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-208) REQUIRED and ALTERNATIVE elements at same level! Those alternative executions will be ignored: [auth-cookie] 2023-12-05 12:10:41,479 WARN [org.keycloak.services] (executor-thread-208) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException

with the config I shared earlier there were no complains in the log.

[sventorben]

Can you show me the roles that you have configured for the client to which you set the authentication flow override, please?

[KhasDenis]

[sventorben]

That looks ok. Can you export the full realm configuration and post the file here? I think that I need to see all the details to investigate this further.

[KhasDenis]

realm-export.json

[KhasDenis]

If in "Copy of browser" flow I add explicit "Deny Access" right before "Restrict user authentication on client" I'm still able to authenticate. If I move "Deny Access" as a first step then I'm not able to authenticate.

Also as another test I created the same flow but with my js authenticator the same story.

So problem seems to be somewhere in the flow itself, but I don't see anything in the logs.

[KhasDenis]

So it is basically this issue keycloak/keycloak#10250

[sventorben]

Have you checked your post login flow? See remark here: https://github.com/sventorben/keycloak-restrict-client-auth?tab=readme-ov-file#protect-all-possible-flows

[sventorben]

Closing this issue, because this behaviour is caused by Keycloak itself and not by this extension.
It can be resolved by properly configuring post login flows.