Problem:
I want to enforce the use of OTP for special clients, even if the user is already authenticated at Keycloak.
Answer:
You can create an additional authentication flow in Keycloak that always requires OTP. For clients where OTP should be enforced, you then set this flow as the default flow of that client.
- Open the Keycloak administration console and select the `ucs` realm.
- Go to `Authentication`. You will see some built-in flows; the standard flow for browser authentication is called `browser`. See also HowTo: make Keycloak flow, to new default.
- Create a new flow by clicking `Create flow`. Give it a name like `2fa-browser` or `forceOTP`.
- By default the new flow is empty. First you need to create a sub-flow called `main` (the name is freely selectable).
- Now we add the actual authentication steps to the `main` sub-flow:
  - Click the `+` symbol of the `main` flow, choose `Add step`, select `Cookie` and click `Add`.
  - Repeat and add `Kerberos` (if you are using Kerberos for authentication).
  - Repeat and add `Identity Provider Redirector`.
- We need another sub-flow inside the `main` sub-flow for the username/password authentication:
  - Click the `+` symbol of the `main` flow and choose `Add sub-flow`. The name is freely selectable; we use `main sub-flow`.
  - Click the `+` symbol of the `main sub-flow` sub-flow, choose `Add step` and add `Username Password Form`.
- Not in the `main` sub-flow, but at the top level of our flow, we add the OTP authentication step: click the blue `Add step` button and add `OTP Form`.
- Nearly done. Now we have to configure the `Requirement` of the elements in our authentication flow:
  - `main` → `Required`
  - `Cookie` → `Alternative`
  - `Kerberos` → `Alternative`
  - `Identity Provider Redirector` → `Alternative`
  - `main sub-flow` → `Alternative`
  - `OTP Form` → `Required`
In the end the flow should look like this,
or in the diagram view:
What this means is that authentication is successful …
IF ( Cookie OR Kerberos OR Identity Provider Redirector OR Username Password Form ) AND OTP Form
You can now link this new flow to the clients for which you always want the OTP authentication step:
- Go to `Clients` in the `Manage` menu on the left.
- Open your client and navigate to the `Advanced` tab.
- In `Authentication flow overrides`, select your new flow for the browser flow and save.
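The same two procedures (building the flow and binding it to a client) can be scripted against the Keycloak admin REST API, which is useful when several clients or several UCS environments need the identical flow. The following is an example added here; it is neither Univention's nor Keycloak's own code. It assumes the standard admin API paths under `/admin/realms/...`, the realm `ucs` and the flow alias `forceOTP` from the answer above, Keycloak's provider ids for the steps (`auth-cookie`, `auth-spnego`, `identity-provider-redirector`, `auth-username-password-form`, `auth-otp-form`), and that the server URL, an admin bearer token and the client's internal UUID are supplied via the hypothetical environment variables `KC_URL`, `KC_TOKEN` and `KC_CLIENT_UUID`. It also sets `Username Password Form` to `REQUIRED` inside `main sub-flow`, which the list above does not spell out but which the sub-flow needs in order to contribute to the OR branch. The execution listing embedded in the block is a constructed sample so the planning logic can be run without a server.

```python
"""Create the "force OTP" browser flow and bind it to a client via the Keycloak admin REST API."""
import json
import os
import urllib.parse
import urllib.request

REALM = "ucs"
FLOW_ALIAS = "forceOTP"

# Desired layout, mirroring the steps above. Tuples: (parent flow alias, kind, name, requirement).
# "flow" entries are sub-flows (name = alias); "execution" entries are authenticators
# (name = Keycloak provider id: auth-cookie = Cookie, auth-spnego = Kerberos, ...).
LAYOUT = [
    (FLOW_ALIAS, "flow", "main", "REQUIRED"),
    (FLOW_ALIAS, "execution", "auth-otp-form", "REQUIRED"),
    ("main", "execution", "auth-cookie", "ALTERNATIVE"),
    ("main", "execution", "auth-spnego", "ALTERNATIVE"),
    ("main", "execution", "identity-provider-redirector", "ALTERNATIVE"),
    ("main", "flow", "main sub-flow", "ALTERNATIVE"),
    # not listed on the page, but the sub-flow needs a usable (non-DISABLED) step
    ("main sub-flow", "execution", "auth-username-password-form", "REQUIRED"),
]

# Constructed sample of what GET .../flows/forceOTP/executions returns (flattened; level = nesting depth).
SAMPLE_EXECUTIONS = [
    {"id": "e1", "displayName": "main", "authenticationFlow": True, "requirement": "DISABLED", "level": 0, "index": 0},
    {"id": "e2", "providerId": "auth-cookie", "displayName": "Cookie", "requirement": "DISABLED", "level": 1, "index": 0},
    {"id": "e3", "providerId": "auth-spnego", "displayName": "Kerberos", "requirement": "DISABLED", "level": 1, "index": 1},
    {"id": "e4", "providerId": "identity-provider-redirector", "displayName": "Identity Provider Redirector",
     "requirement": "DISABLED", "level": 1, "index": 2},
    {"id": "e5", "displayName": "main sub-flow", "authenticationFlow": True, "requirement": "DISABLED", "level": 1, "index": 3},
    {"id": "e6", "providerId": "auth-username-password-form", "displayName": "Username Password Form",
     "requirement": "REQUIRED", "level": 2, "index": 0},
    {"id": "e7", "providerId": "auth-otp-form", "displayName": "OTP Form", "requirement": "DISABLED", "level": 0, "index": 1},
]


def flow_path(realm, alias, *tail):
    """Admin API path for a flow addressed by alias (aliases may contain spaces, so quote them)."""
    return "/".join(["/admin/realms", realm, "authentication/flows", urllib.parse.quote(alias, safe="")] + list(tail))


def plan_requests(realm=REALM, flow_alias=FLOW_ALIAS, layout=LAYOUT):
    """Ordered (method, path, body) calls that build the flow skeleton; the order fixes the step order."""
    reqs = [("POST", f"/admin/realms/{realm}/authentication/flows",
             {"alias": flow_alias, "providerId": "basic-flow", "topLevel": True, "builtIn": False,
              "description": "browser login that always ends with an OTP step"})]
    for parent, kind, name, _requirement in layout:
        if kind == "flow":
            reqs.append(("POST", flow_path(realm, parent, "executions/flow"), {"alias": name, "type": "basic-flow"}))
        else:
            reqs.append(("POST", flow_path(realm, parent, "executions/execution"), {"provider": name}))
    return reqs


def requirement_updates(executions, layout=LAYOUT):
    """Turn the execution listing into PUT bodies for the entries whose requirement is still wrong.
    Sub-flows are matched by displayName (their alias), authenticators by providerId; the whole
    representation is sent back with only `requirement` changed, as the admin console does."""
    wanted = {(kind, name): req for _parent, kind, name, req in layout}
    updates = []
    for ex in executions:
        key = ("flow", ex.get("displayName")) if ex.get("authenticationFlow") else ("execution", ex.get("providerId"))
        if key in wanted and ex.get("requirement") != wanted[key]:
            updates.append({**ex, "requirement": wanted[key]})
    return updates


def override_applied(client_rep, flow_id):
    """Post-save check: is the client's browser flow bound to our flow?"""
    return client_rep.get("authenticationFlowBindingOverrides", {}).get("browser") == flow_id


def call(base, token, method, path, body=None):
    """One JSON request against the admin API; returns the decoded body or None when empty."""
    req = urllib.request.Request(base + path, method=method,
                                 data=None if body is None else json.dumps(body).encode(),
                                 headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def apply(base, token, client_uuid, realm=REALM, flow_alias=FLOW_ALIAS):
    """Run the plan against a live server, fix the requirements, bind the client, and verify."""
    for method, path, body in plan_requests(realm, flow_alias):
        call(base, token, method, path, body)
    for upd in requirement_updates(call(base, token, "GET", flow_path(realm, flow_alias, "executions"))):
        call(base, token, "PUT", flow_path(realm, flow_alias, "executions"), upd)
    flows = call(base, token, "GET", f"/admin/realms/{realm}/authentication/flows")
    flow_id = next(f["id"] for f in flows if f["alias"] == flow_alias)
    client_path = f"/admin/realms/{realm}/clients/{client_uuid}"
    call(base, token, "PUT", client_path, {"authenticationFlowBindingOverrides": {"browser": flow_id}})
    return override_applied(call(base, token, "GET", client_path), flow_id)


if __name__ == "__main__":
    # Assumed environment: KC_URL (e.g. the UCS SSO base URL), KC_TOKEN (admin bearer token), KC_CLIENT_UUID.
    if "KC_URL" in os.environ:
        print("override applied:", apply(os.environ["KC_URL"], os.environ["KC_TOKEN"], os.environ["KC_CLIENT_UUID"]))
    else:  # offline: show the plan and the requirement fixes computed from the constructed sample
        for method, path, body in plan_requests():
            print(method, path, json.dumps(body))
        print([(u["displayName"], u["requirement"]) for u in requirement_updates(SAMPLE_EXECUTIONS)])
```

The override only replaces the client's browser flow binding; other bindings of that client (for example direct grant) are untouched. Because `OTP Form` is `REQUIRED`, a user who has no OTP credential yet is sent through Keycloak's "Configure OTP" required action on the first login through this flow rather than being rejected, so rolling the override out to a client does not lock out users who have not enrolled yet.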