keycloak/keycloak

Allow using username form authenticator together with the organization identity-first login flow

Open

#42192 opened on Aug 27, 2025

View on GitHub
 (4 comments) (3 reactions) (0 assignees)Java (34,398 stars) (8,346 forks)batch import
area/organizationshelp wantedkind/bugpriority/normalstatus/auto-bumpteam/core-iam

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

organizations

Describe the bug

Given:

  • The organizations are enabled and there is at least one active organization
  • Use a custom browser flow in which Username form and Password form are used instead of Username Password form
  • A user have a linked identity provider

When that user logs in, there is an additional blank form page between the username form and the password form.

Version

26.3.3

Regression

  • The issue is a regression

Expected behavior

No blank page. The user should immediately see the next step which is the Password form

Actual behavior

There is a blank form page with only the Sign-in button between the Username form and the Password form

How to Reproduce?

  • Create a realm
  • Enable organizations
  • Create an organization
  • Configure a custom browser auth flow: Replace (Username Password form) by (Username form AND Password form, set to REQUIRED of course)
  • Add an IDP (Tested with Google and Github)
  • Connect a user through the IDP to link the account
  • [Optional] Set a password
  • Logout
  • Use the user email or username to login using the username form

Anything else?

This does not occur when there are 0 organizations, nor when organizations are disabled, or when the Organization Identity-First Login authentication step is disabled.

However it is still reproducible if there are organizations and they're disabled.

Video demo

https://github.com/user-attachments/assets/66385229-d9a0-44a9-b248-0229254adbda

The configured browser flow

Contributor guide

Tech stack
java
Domain
securityauthentication
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-2 days
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
active
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
Keycloak authentication flowsOrganization featureCustom browser flow configurationJava development
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
35
Research direction
Investigate the interaction between the Organization Identity First Login authenticator and custom browser flows that split username and password forms. Review the authentication processor code for the organization step, likely in services/src/main/java/org/keycloak/authentication/authenticators/browser/. Check the Freemarker templates that render authentication forms to identify when a blank page is produced. Also examine the flow logic for handling linked identity providers during username only authentication.