Question about Non-Federated User Login in Home IdP Discovery

[osushi0523]

Hello,

I have been evaluating the "Home IdP Discovery" extension for Keycloak, and so far it seems to meet most of our requirements. Thank you very much for providing such an excellent extension.

I have a question regarding the login process for non-federated users. These users log in using an email address and a password managed by Keycloak. Since the email address is already entered in the "Home IdP Discovery" step, I would prefer to present the user with a password-only form.

To achieve this, I set up the following authentication flow. It works mostly as expected, but when an email address is entered that is neither redirected to an IdP nor exists in Keycloak, a JSON error is returned. This is not user-friendly.

Do you have any suggestions or best practices for addressing this issue? Would it be better to use the "Username Password Form" as recommended in the documentation?

Thank you for your time and assistance.

[sventorben]

Hey @osushi0523

yes, please make use of the flow as described in the documentation.
I think in your case the JSON error is returned by the "Username validation" step. If you set it up this way, you may leak information whether users exist in your system or not. See this ticket for a detailed discussion.