Issue on Bypass Login Page option with non-federated users

[mabegon]

Hi,

This is a fantastic and very useful extension. Thank you so much!

I'm having a problem trying to use the "Bypass Login Page" option with a non-federated user.

When I use a login_hint (we use emails as usernames) that matches the domain of one of our IDPs, the flow bypasses the email request page as expected. But when I use a login_hint with an email that does not correspond to a configured IDP but to an existing user in our realm (therefore a non-federated user), the login page is not bypassed. The email is filled in the input field but the user is forced to click on the Submit button.
Is this normal behavior?

Thanks a lot for your help.

Marc

[sventorben]

Hey @mabegon,

thanks for the kind words.

The behavior that you are observing here is intended.
You need to think about the "bypass login page" like an auto-redirect feature. If "bypass login page" is enabled, the extension will trigger a redirect automatically if it is able to detect that the user is federated. That is either by a matching domain or federation link. In all other cases the extension will not redirect the user and use the login hint as such - it is only a hint and the username field will be prefilled.

Best
Sven-Torben

[mabegon]

Thank you for your answer, @sventorben, :-)

This is what I understood from reading the code but I needed confirmation that this was the expected behavior.

In fact, my question is because we have a login flow like the one recommended in the Home Idp Discovery documentation and we have set the password policy "Maximum Authentication Age" to 0 to require re-authentication each time we want to change the password.

We do not use the administration part of keycloak but we redirect the user to the login flow with the Required Action "Update Password". Normally Keycloak redirects you to the page to enter the old password but with the plugin, it asks me before the email (action which is not necessary).

Now, with the login_hint, I at least have the pre-entered email, but redirection would be desirable.

Do you think my need matches the philosophy of this feature (bypass login page) or should I try to do it differently?
If you think it fits, can I try to push a PR?

Thanks again,
Marc

[sventorben]

Now you got me confused.

but redirection would be desirable

What do you mean by this? I thought you were taling about non-federated users. Where do you want them to be redirected to?
If I understood you correctly, you simple want to skip the extra click for the user and execute whatever the next step within your flow is, right?

This may interfere with requirements we have in d672d83