We have specific requirements around the authentication flow and UI/UX that cannot be satisfied through Keycloak's theming engine and extensions to the Authenticator SPI.
I looked into the Action Token SPI and it seems like an extension point that could be used to delegate (most of) the authentication flow to an external application. According to the keycloak quickstart action-token-authenticator example (https://github.com/keycloak/keycloak-quickstarts/tree/latest/action-token-authenticator), it seems like it can be used specifically for this purpose.
For a browser authentication flow, the idea would be that we would have keycloak initiate the flow by first verifying the username/password. If that is successful, we would redirect the user to the external application (supplying it the action-token and username/id of the user) to perform the supplemental authentication process - e.g. custom MFA. If the external application successfully performs the supplemental authentication, it will then redirect back to keycloak with the action-token, to resume and complete the authentication process that was initiated earlier. With this externalized login process, we would have full control on every aspect how it can be designed/implemented.
Any thoughts/comments on whether this approach is feasible, secure and proper use of Action Token SPI?
Thanks in advance.