authentication flow confusion

Cantor, Scott cantor.2 at
Fri May 10 17:40:11 EDT 2019

On 5/10/19, 3:16 PM, "users on behalf of Richard Levenberg" <users-bounces at on behalf of richardl at> wrote:

> I was under the impression that if I could get a hold of the
> AuthenticationResult and look at one of attemptedFlow, availableFlows,
> potentialFlows or intermediateFlows I could reset with the current state
> of the authentication to the step which presents the "form to collect
> credentials."

There are no such fields on an AuthenticationResult, and if you're talking about the AuthenticationContext, you generally have no business looking at or doing anything with any of them; they're part of the internal machinery of the system. Stay away from them unless you know enough not to have to ask any questions about them.

> The form to collect credentials is a login.jsp in

We support but do not encourage use of JSP, and that is not the default out of the box.

> (having implemented a ValidateUsernamePasswordAgainstFoo and setting an alias)

That is *a* way to customize the system if you want to plug in a custom password validator alone. Such a task requires absolutely no understanding of anything you're asking about; it's a single Java class doing a self-contained thing to validate the password and generally invoke some standard methods to report success or failure.

-- Scott
