Hi,
In the normal 2fa-browser-flow, OTP is not enforced if a Kerberos login happens.
I am struggling to find a solution to enforce OTP with both Kerberos and username/password in one flow and found this helpful topic:
@scheinig
Unfortunately, in the current version of UCS 5.2-1 errata53 with Keycloak 25.0.6, the solution does not work.
In all cases the authentication flow ends up in “Invalid username or password.”
The reason is that the User Name Password Form is “required” and therefore always executed. Another problem is that the OTP Form is not conditional on the 2FA role, but that can be corrected easily.
In my opinion the username password flow must be conditional and has to be only executed if the other alternatives are unsuccessful… but which condition?
I have also tried a modified version of the standard 2fa-browser-flow, but this solution only works in the case with Kerberos enabled. In the username/password case it ends up in “Kerberos is not set up. You cannot login.”
The same problem here: there must be a condition to check if Kerberos is present… or reposition it and execute it only if the authentication before was not OK.
Best regards, sh
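To see which executions of a flow are actually evaluated, it helps to dump the flow with its requirement levels instead of guessing from the admin console. The script below is an added example for this thread, not code from UCS or from the Keycloak project. It uses only the documented Keycloak Admin REST endpoints (`GET`/`PUT /admin/realms/{realm}/authentication/flows/{alias}/executions`), runs offline against a constructed sample response when no server is configured, and applies the rule from the Keycloak server administration guide that an ALTERNATIVE element is never executed when a REQUIRED element sits at the same level. The realm name, flow alias, execution ids, environment variable names and the sample flow layout are assumptions.

```python
"""Dump a Keycloak authentication flow and flag ALTERNATIVE executions that are dead
because a REQUIRED sibling exists. Added example; realm, alias and sample data are assumed."""
import json
import os
import urllib.parse
import urllib.request

# Constructed sample in the shape Keycloak returns from
# GET /admin/realms/{realm}/authentication/flows/{alias}/executions:
# a flat list in display order, nesting expressed by "level". Ids are made up.
SAMPLE_EXECUTIONS = [
    {"id": "e1", "displayName": "Kerberos", "providerId": "auth-spnego",
     "requirement": "ALTERNATIVE", "level": 0, "index": 0, "authenticationFlow": False,
     "requirementChoices": ["REQUIRED", "ALTERNATIVE", "DISABLED"]},
    {"id": "e2", "displayName": "Username Password Form", "providerId": "auth-username-password-form",
     "requirement": "REQUIRED", "level": 0, "index": 1, "authenticationFlow": False,
     "requirementChoices": ["REQUIRED", "ALTERNATIVE", "DISABLED"]},
    {"id": "e3", "displayName": "2fa-otp", "requirement": "CONDITIONAL",
     "level": 0, "index": 2, "authenticationFlow": True,
     "requirementChoices": ["REQUIRED", "ALTERNATIVE", "DISABLED", "CONDITIONAL"]},
    {"id": "e4", "displayName": "Condition - user role", "providerId": "conditional-user-role",
     "requirement": "REQUIRED", "level": 1, "index": 0, "authenticationFlow": False,
     "requirementChoices": ["REQUIRED", "DISABLED"]},
    {"id": "e5", "displayName": "OTP Form", "providerId": "auth-otp-form",
     "requirement": "REQUIRED", "level": 1, "index": 1, "authenticationFlow": False,
     "requirementChoices": ["REQUIRED", "ALTERNATIVE", "DISABLED"]},
]


def build_tree(executions):
    """Return (execution, parent_id) pairs. A sub-flow's children follow it with level + 1,
    so a stack of enclosing sub-flow ids recovers the parent of every execution."""
    stack, result = [], []
    for ex in executions:
        del stack[ex["level"]:]                      # climb back out to this depth
        result.append((ex, stack[-1] if stack else None))
        if ex.get("authenticationFlow"):
            stack.append(ex["id"])
    return result


def render_tree(executions):
    """Indented one-line-per-execution view with the requirement in front."""
    return ["  " * ex["level"] + f"[{ex['requirement']}] {ex['displayName']}" for ex in executions]


def ignored_alternatives(executions):
    """Names of ALTERNATIVE executions that share a parent with a REQUIRED one.
    Keycloak never runs those alternatives, so a Kerberos ALTERNATIVE next to a
    REQUIRED Username Password Form can never be the path that satisfies the flow."""
    by_parent = {}
    for ex, parent in build_tree(executions):
        by_parent.setdefault(parent, []).append(ex)
    dead = []
    for siblings in by_parent.values():
        if any(s["requirement"] == "REQUIRED" for s in siblings):
            dead += [s["displayName"] for s in siblings if s["requirement"] == "ALTERNATIVE"]
    return dead


def set_requirement(executions, display_name, requirement):
    """Body for PUT .../flows/{alias}/executions: the execution with a new requirement.
    Rejects values the execution does not offer (e.g. CONDITIONAL on a plain authenticator)."""
    for ex in executions:
        if ex["displayName"] == display_name:
            if requirement not in ex.get("requirementChoices", []):
                raise ValueError(f"{display_name}: {requirement} not in {ex['requirementChoices']}")
            return {**ex, "requirement": requirement}
    raise KeyError(display_name)


def _call(method, url, token, body=None):
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def executions_url(base_url, realm, alias):
    # base_url is the Keycloak root (including any path prefix), an assumption of this example
    return f"{base_url}/admin/realms/{urllib.parse.quote(realm)}/authentication/flows/{urllib.parse.quote(alias)}/executions"


def fetch_executions(base_url, realm, alias, token):
    return _call("GET", executions_url(base_url, realm, alias), token)


def update_execution(base_url, realm, alias, token, body):
    return _call("PUT", executions_url(base_url, realm, alias), token, body)


if __name__ == "__main__":
    # Offline by default; set KC_URL, KC_REALM, KC_FLOW and KC_TOKEN (admin bearer token,
    # hypothetical variable names) to inspect a live flow instead of the sample.
    execs = SAMPLE_EXECUTIONS
    if os.environ.get("KC_URL"):
        execs = fetch_executions(os.environ["KC_URL"], os.environ.get("KC_REALM", "ucs"),
                                 os.environ.get("KC_FLOW", "2fa-browser-flow"), os.environ["KC_TOKEN"])
    print("\n".join(render_tree(execs)))
    for name in ignored_alternatives(execs):
        print(f"warning: ALTERNATIVE '{name}' is never executed because a REQUIRED sibling exists")
```

Run it without environment variables to see the warning for the constructed sample; against a real server it prints the live flow and the same warning wherever Kerberos (or any other ALTERNATIVE) sits beside a REQUIRED execution, which is exactly the situation that forces the Username Password Form to run every time.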