Problem: OTP/2FA should work with self-configured 2FA and enforced 2FA

Problem:

OTP should work both for 2FA that the user has configured themselves in their account AND for 2FA enforced via groups.

Situation:

  • There are no groups in which 2FA is mandatory.
  • Some users have set up 2FA (TOTP) independently in their personal Keycloak account management.
  • These users can:
      ◦ log in directly to applications (e.g., Nextcloud) and correctly receive a 2FA prompt there (Nextcloud has a browser flow with legacy app authorization configured);
      ◦ log in to the portal without a 2FA prompt, even though TOTP is configured for the user.
  • If a user logs in to the portal for the first time with a self-configured TOTP (flow 2fa-browser), no OTP prompt appears.
  • If the same user is assigned to a group with a forced-2FA role, the OTP prompt works as expected.

This gives the impression that:

  • the OTP condition in the 2fa-browser flow only applies if the 2FA requirement is set via roles/groups,
  • and not if OTP has been configured solely by the user themselves.

Solution:

You have to define your own browser flow or adjust an existing one. Copy the existing 2fa browser flow and use it as a template.
This browser flow makes OTP login possible for both cases.



The trick for not getting two OTP prompts when a user has configured OTP themselves AND also receives enforced 2FA via the admin role is the additional "Condition - sub-flow executed" condition in the flow configuration.
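A realm-import JSON fragment for a flow of this shape, written as an added example and not the flow from the page itself: after the username/password form come two conditional sub-flows, the first prompting for OTP when the user has configured it themselves, the second checking the enforcing role and, via "Condition - sub-flow executed" set to "not-executed", prompting for OTP (or forcing OTP setup) only when the first sub-flow did not run. The role name 2fa-required, the flow aliases and the config aliases are assumptions; the config keys condUserRole, flow_to_check and check_result are the ones Keycloak uses for these conditions (the sub-flow executed condition needs Keycloak 25 or newer).

```json
{
  "authenticationFlows": [
    { "alias": "2fa-browser", "providerId": "basic-flow", "topLevel": true, "builtIn": false,
      "authenticationExecutions": [
        { "authenticator": "auth-cookie", "requirement": "ALTERNATIVE", "priority": 10, "autheticatorFlow": false },
        { "authenticator": "identity-provider-redirector", "requirement": "ALTERNATIVE", "priority": 20, "autheticatorFlow": false },
        { "flowAlias": "2fa-browser forms", "requirement": "ALTERNATIVE", "priority": 30, "autheticatorFlow": true }
      ] },
    { "alias": "2fa-browser forms", "providerId": "basic-flow", "topLevel": false, "builtIn": false,
      "authenticationExecutions": [
        { "authenticator": "auth-username-password-form", "requirement": "REQUIRED", "priority": 10, "autheticatorFlow": false },
        { "flowAlias": "2fa-browser otp self-configured", "requirement": "CONDITIONAL", "priority": 20, "autheticatorFlow": true },
        { "flowAlias": "2fa-browser otp enforced", "requirement": "CONDITIONAL", "priority": 30, "autheticatorFlow": true }
      ] },
    { "alias": "2fa-browser otp self-configured", "providerId": "basic-flow", "topLevel": false, "builtIn": false,
      "authenticationExecutions": [
        { "authenticator": "conditional-user-configured", "requirement": "REQUIRED", "priority": 10, "autheticatorFlow": false },
        { "authenticator": "auth-otp-form", "requirement": "REQUIRED", "priority": 20, "autheticatorFlow": false }
      ] },
    { "alias": "2fa-browser otp enforced", "providerId": "basic-flow", "topLevel": false, "builtIn": false,
      "authenticationExecutions": [
        { "authenticator": "conditional-user-role", "authenticatorConfig": "2fa-enforced-role",
          "requirement": "REQUIRED", "priority": 10, "autheticatorFlow": false },
        { "authenticator": "conditional-sub-flow-executed", "authenticatorConfig": "2fa-skip-if-self-otp-done",
          "requirement": "REQUIRED", "priority": 20, "autheticatorFlow": false },
        { "authenticator": "auth-otp-form", "requirement": "REQUIRED", "priority": 30, "autheticatorFlow": false }
      ] }
  ],
  "authenticatorConfig": [
    { "alias": "2fa-enforced-role", "config": { "condUserRole": "2fa-required", "negate": "false" } },
    { "alias": "2fa-skip-if-self-otp-done",
      "config": { "flow_to_check": "2fa-browser otp self-configured", "check_result": "not-executed" } }
  ]
}
```

Merge the fragment into a realm export before running kc.sh import, or rebuild the same structure in the admin console; a user with self-configured OTP and the enforcing role then gets exactly one OTP prompt, and a role holder without OTP is sent through OTP setup.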

Make sure you bind this browser flow as the default browser flow:

Or bind it only to the specific client as an authentication flow override.

See also FR Bug 58468.