Ability to Hide Username/Password Form in Browser Flow Without Custom Template

107 views

Skip to first unread message

Arif EROL

unread,

Nov 8, 2025, 12:27:22 AMNov 8

to Alexander Schwartz, Keycloak User

Hi Alexander,

I’ve added two external OIDC providers in Keycloak in addition to the standard username/password login. These appear as buttons on the login page, which works fine.

However, one of my clients doesn’t want to allow the username/password login option — they only want users to log in through the external OIDC providers.

To achieve this, I duplicated the default authentication flow and removed the Username Password Form execution.

But when I do that, I get an error message

(“keycloak-1 | 2025-11-08 08:11:28,941 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (executor-thread-631) AUTHENTICATE

keycloak-1 | 2025-11-08 08:11:28,941 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (executor-thread-631) AUTHENTICATE ONLY
keycloak-1 | 2025-11-08 08:11:28,941 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-631) processFlow: browser-idp-buttons-only
keycloak-1 | 2025-11-08 08:11:28,941 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-631) check execution: 'auth-cookie', requirement: 'ALTERNATIVE'
keycloak-1 | 2025-11-08 08:11:28,941 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-631) authenticator: auth-cookie
keycloak-1 | 2025-11-08 08:11:28,941 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (executor-thread-631) Going through the flow 'browser-idp-buttons-only' for adding executions
keycloak-1 | 2025-11-08 08:11:28,941 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (executor-thread-631) Selections when trying execution 'auth-cookie' : [ authSelection - auth-cookie, authSelection - identity-provider-redirector]
keycloak-1 | 2025-11-08 08:11:28,941 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-631) invoke authenticator.authenticate: auth-cookie
keycloak-1 | 2025-11-08 08:11:28,942 DEBUG [org.keycloak.services.managers.AuthenticationManager] (executor-thread-631) Could not find cookie: KEYCLOAK_IDENTITY
keycloak-1 | 2025-11-08 08:11:28,942 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-631) authenticator ATTEMPTED: auth-cookie
keycloak-1 | 2025-11-08 08:11:28,942 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-631) check execution: 'identity-provider-redirector', requirement: 'ALTERNATIVE'
keycloak-1 | 2025-11-08 08:11:28,942 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-631) authenticator: identity-provider-redirector
keycloak-1 | 2025-11-08 08:11:28,942 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (executor-thread-631) Going through the flow 'browser-idp-buttons-only' for adding executions
keycloak-1 | 2025-11-08 08:11:28,942 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (executor-thread-631) Selections when trying execution 'identity-provider-redirector' : [ authSelection - identity-provider-redirector]
keycloak-1 | 2025-11-08 08:11:28,942 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-631) invoke authenticator.authenticate: identity-provider-redirector
keycloak-1 | 2025-11-08 08:11:28,942 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-631) authenticator ATTEMPTED: identity-provider-redirector
keycloak-1 | 2025-11-08 08:11:28,942 WARN [org.keycloak.services] (executor-thread-631) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException
keycloak-1 | at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:1125)
keycloak-1 | at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:955)
keycloak-1 | at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:147)
keycloak-1 | at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:397)
keycloak-1 | at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process(AuthorizationEndpoint.java:235)
keycloak-1 | at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet(AuthorizationEndpoint.java:119)
keycloak-1 | at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint$quarkusrestinvoker$buildGet_6f60a9d6a638ecbdbc87e15ef419b51708795641.invoke(Unknown Source)
keycloak-1 | at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
keycloak-1 | at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:183)
keycloak-1 | at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
keycloak-1 | at io.quarkus.vertx.core.runtime.VertxCoreRecorder$15.runWith(VertxCoreRecorder.java:645)
keycloak-1 | at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2651)
keycloak-1 | at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2630)
keycloak-1 | at org.jboss.threads.EnhancedQueueExecutor.runThreadBody(EnhancedQueueExecutor.java:1622)
keycloak-1 | at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1589)
keycloak-1 | at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
keycloak-1 | at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
keycloak-1 | at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)

keycloak-1 | at java.base/java.lang.Thread.run(Thread.java:1583)”)

and the login page no longer shows the external OIDC provider buttons.

I noticed that several others have faced the same issue and resolved it using a custom login template.
Would it be possible to support hiding the Username Password Form within the browser flow without having to use a custom template?

I have also opened a discussion about this request here: https://github.com/keycloak/keycloak/discussions/44051