[BUG] Getting "Invalid Username or Password" as soon as visiting a client with the restricted-access step in the flow. #100

Closed
1 task done
HrBingR opened this issue Aug 6, 2022 · 2 comments
Labels
bug Something isn't working


HrBingR commented Aug 6, 2022

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

When visiting any client I receive an error message upon the page loading that states "Invalid Username or Password".

It doesn't even ask for a username or password or try to authenticate, I just immediately experience the above on all clients after binding.

I tested:

  • Having added the restricted-access role to the client and users.
  • Without the restricted-access role on any clients.
  • With the restricted-access on all clients and all users.
  • Without the existence of the restricted-access role at all, and not configured on any client.

As soon as I remove the "Restrict user authentication on clients" step from the flow, it works.

This is my current flow (cloned from the default flow, and tested before/after adding the restrict step):
image

This is the configuration of the step:
image

The error message in action:
image

Expected Behavior

I expect to see the normal authentication dialog before getting access granted/access denied based on the authenticator and associated roles being given to users and clients per the readme instructions.

Steps To Reproduce

  1. My docker config is as follows (sensitive details (such as networks and DB info) omitted, external port and host censored):
  keycloak:
    image: quay.io/keycloak/keycloak:latest
    container_name: keycloak
    restart: unless-stopped
    command:
      - 'start'
      - '--hostname=x'
      - '--proxy=edge'
    ports:
      - x:8080    
    volumes:
      - ./keycloak-restrict-client-auth.jar:/opt/keycloak/providers/keycloak-restrict-client-auth.jar
    labels:
      - 'traefik.http.routers.keycloak.entrypoints=websecure'
      - 'traefik.http.routers.keycloak.rule=Host(`x`)'
      - 'traefik.http.routers.keycloak.tls=true'
      - 'traefik.http.routers.keycloak.tls.certresolver=myresolver'
      - 'traefik.http.services.keycloak.loadbalancer.server.scheme=http'
      - 'traefik.http.services.keycloak.loadbalancer.server.port=8080'
      - 'traefik.enable=true'
  2. I copied the default Browser flow.
  3. Added the 'Restrict user authentication on clients' step.
  4. Configured it as Required and for 'client-role'.
  5. Bound it as my Browser flow.
  6. I did test configuring the restricted-access role on users and clients, but the problem starts from step 5 and continues no matter what I do unless I remove the authenticator from the flow.

Version

- Keycloak: 19.0.1 (quarkus)
- This extension: 19.0.0 (Latest Release)

Anything else?

No response

@HrBingR HrBingR added the bug Something isn't working label Aug 6, 2022
@sventorben
Owner

Hey @HrBingR,

I think you mixed up required and alternative executions in your flow.
Please see #9 for configuration instructions and let me know if this works for you.

Author

HrBingR commented Aug 6, 2022

Okay yup that's on me.

Difficult working from the new interface and trying to translate flows from the old interface (which IMO was much clearer) but I see you're planning to update the screenshots soon so looking forward to that.

Thanks for the assist!

@HrBingR HrBingR closed this as completed Aug 6, 2022
sventorben added a commit that referenced this issue Mar 2, 2023