Hello,
I'm trying to implement the following authentication flow in Keycloak:
Setup:
Administrator configures a CustomBroker (a custom identity provider extending AbstractIdentityProvider) in the Identity Providers section
The "Login with CustomBroker" button automatically appears on the standard Keycloak login page
Desired Flow:
User navigates to the application and sees the standard Keycloak login page with username/password fields and IdP buttons
User clicks "Login with CustomBroker" button
Before redirecting to the external IdP, a form appears prompting the user to select their country
User selects and submits the country
The selected country is stored in the authentication session
Keycloak redirects to CustomBroker's external IdP
In my custom IdP's performLogin() method, I retrieve the country and include it in the redirect URL to the external IdP
What I've Found:
I found this project: https://github.com/grnet/eidas-keycloak-extension which implements country selection in a custom authenticator. However, in that implementation, the entire browser login flow has been customized to replace the standard login page.
My Requirement:
I need to keep the standard Keycloak login page intact (with username/password fields and all configured IdP buttons), and only intercept the flow when a user selects the specific CustomBroker to collect additional information before the redirect.
Questions:
How can I trigger a custom authenticator only when a specific identity provider button is clicked, without replacing the entire browser flow?
What is the correct flow to add this authenticator to (Browser Flow, First Broker Login, Post Broker Login)?
How can I ensure the authentication session data is preserved and accessible in my custom IdP's performLogin() method?
Is there a way to conditionally show a form based on which IdP button was clicked while keeping the standard login page for other authentication methods?
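The country value in steps 4 to 7 of the desired flow comes from a user-submitted form and ends up in a redirect URL, so it should be validated against an allowlist when stored and again when read. The sketch below is an added example, not code from the original post or from Keycloak: the `Map` stands in for the authentication session notes, and the note key `custombroker.country`, the `country` query parameter and the IdP URL are assumptions.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class CountryRedirectExample {
    // Hypothetical note key; a Map stands in for the authentication session notes.
    static final String COUNTRY_NOTE = "custombroker.country";
    // Allowlist: only ISO 3166-1 alpha-2 codes known to the JDK are accepted.
    static final Set<String> ISO_COUNTRIES = Set.of(Locale.getISOCountries());

    // Form-submit side: normalise and validate the posted value before storing it.
    static void storeCountry(Map<String, String> sessionNotes, String submitted) {
        String code = submitted == null ? "" : submitted.trim().toUpperCase(Locale.ROOT);
        if (!ISO_COUNTRIES.contains(code)) {
            throw new IllegalArgumentException("unsupported country value");
        }
        sessionNotes.put(COUNTRY_NOTE, code);
    }

    // performLogin() side: re-check the stored value, then encode it into the redirect.
    static URI buildRedirect(URI idpAuthorizeEndpoint, Map<String, String> sessionNotes) {
        String code = sessionNotes.get(COUNTRY_NOTE);
        if (code == null || !ISO_COUNTRIES.contains(code)) {
            throw new IllegalStateException("country missing from session; restart login");
        }
        String sep = idpAuthorizeEndpoint.getQuery() == null ? "?" : "&";
        // "country" is an assumed parameter name for the external IdP.
        return URI.create(idpAuthorizeEndpoint + sep + "country="
                + URLEncoder.encode(code, StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, String> notes = new HashMap<>(); // constructed stand-in for session notes
        URI idp = URI.create("https://idp.example.test/authorize?client_id=demo"); // constructed URL
        storeCountry(notes, "gr");
        System.out.println(buildRedirect(idp, notes));
        try {
            // Constructed input carrying an extra query parameter; the allowlist rejects it.
            storeCountry(new HashMap<>(), "GR&extra=1");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```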