Q&A: How to enforce the use of OTP for special clients

Problem:

I want to enforce the use of OTP for special clients, even if the user is already authenticated at Keycloak.

Answer:

You can create an additional authentication flow in Keycloak that always requires OTP. For clients where OTP should be enforced, you then set this flow as the client's browser flow (via the client's authentication flow overrides).

  1. Open the Keycloak administration console and select the ucs realm
  2. Go to Authentication; you will see some built-in flows. The standard flow for browser authentication is called browser. See also HowTo: make Keycloak flow, to new default
  3. Create a new flow by clicking Create flow. Give it a name like 2fa-browser or forceOTP.
  4. By default the new flow is empty; first you need to create a sub-flow called main (the name is freely selectable).
  5. Now we add the actual authentication steps to the main sub-flow.
    • Click the + symbol of the main flow and Add step, select Cookie and click Add
    • Repeat and add Kerberos (if you are using kerberos for authentication)
    • Repeat and add Identity Provider Redirector
    • We need another sub-flow in the main sub-flow for the username/password authentication
      • Click the + symbol of the main flow and Add sub-flow, the name is freely selectable, we use main sub-flow
      • Click the + symbol of the main sub-flow sub-flow, choose Add step and add Username Password Form
  6. Not in the main sub-flow, but at the top level of our flow, we add the OTP authentication step. Click the blue Add step button and add OTP Form.
  7. Nearly done, now we have to configure the Requirement of each step in our authentication flow:
  • main: Required
    • Cookie: Alternative
    • Kerberos: Alternative
    • Identity Provider Redirector: Alternative
    • main sub-flow: Alternative
  • OTP Form: Required

In the end the flow should look like this:
[screenshot: the finished flow in the admin console]
or in the diagram view:
[diagram: otp-flow-pic]

What this means is that authentication is successful only
IF ( Cookie OR Kerberos OR Identity Provider Redirector OR Username Password Form ) AND OTP Form

You can now link this new flow to the clients for which you always want the OTP authentication step.

  • Go to clients in the Manage menu on the left
  • Open your client and navigate to the tab Advanced
  • In Authentication flow overrides you can select your new flow and save
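The same configuration, both the flow from steps 1 to 7 and the client override from the list above, can be scripted against the Keycloak Admin REST API. The following is an added example (not from the original post or from Univention/Keycloak): it assumes the realm name ucs, the aliases forceOTP, main and main sub-flow, a bearer token for the admin API, and the field names of Keycloak's AuthenticationExecutionInfoRepresentation and ClientRepresentation; the provider ids are Keycloak's internal names for the authenticators shown in the console, and the Username Password Form step is set to Required because that is the only requirement Keycloak offers for it. The last function is a simplified model of the requirement rules, so the IF ( … ) AND OTP Form statement can be checked against the flow definition.

```python
"""Create the forceOTP browser flow via the Keycloak Admin REST API and bind it
to a client. Added example; realm/alias/token values are placeholders."""
import json
import urllib.request
from urllib.parse import quote

# The flow as a tree. 'provider' entries are authenticator provider ids (the internal names
# behind Cookie, Kerberos, Identity Provider Redirector, Username Password Form, OTP Form).
FORCE_OTP_FLOW = {
    "alias": "forceOTP",
    "executions": [
        {"alias": "main", "requirement": "REQUIRED", "executions": [
            {"provider": "auth-cookie", "requirement": "ALTERNATIVE"},
            {"provider": "auth-spnego", "requirement": "ALTERNATIVE"},
            {"provider": "identity-provider-redirector", "requirement": "ALTERNATIVE"},
            {"alias": "main sub-flow", "requirement": "ALTERNATIVE", "executions": [
                # Username Password Form only offers REQUIRED in Keycloak
                {"provider": "auth-username-password-form", "requirement": "REQUIRED"},
            ]},
        ]},
        {"provider": "auth-otp-form", "requirement": "REQUIRED"},
    ],
}


class AdminApi:
    """Minimal JSON client for /admin/realms/<realm>/...; token is an admin bearer token."""

    def __init__(self, base_url, realm, token):
        self.base = f"{base_url.rstrip('/')}/admin/realms/{realm}/"
        self.headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}

    def call(self, method, path, body=None):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(self.base + path, data=data, method=method, headers=self.headers)
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None


def _add_children(api, parent_alias, items):
    # Keycloak appends new executions, so creation order = order ALTERNATIVE steps are tried.
    for item in items:
        if "executions" in item:
            api.call("POST", f"authentication/flows/{quote(parent_alias, safe='')}/executions/flow",
                     {"alias": item["alias"], "type": "basic-flow", "description": ""})
            _add_children(api, item["alias"], item["executions"])
        else:
            api.call("POST", f"authentication/flows/{quote(parent_alias, safe='')}/executions/execution",
                     {"provider": item["provider"]})


def _walk(items):
    # Flatten to (match key, requirement); Keycloak lists sub-flows by displayName, steps by providerId.
    for item in items:
        if "executions" in item:
            yield ("flow", item["alias"]), item["requirement"]
            yield from _walk(item["executions"])
        else:
            yield ("auth", item["provider"]), item["requirement"]


def apply_flow(api, flow):
    """Create flow, steps and sub-flows, then set each requirement (new executions
    start as DISABLED). Returns the number of requirement updates sent."""
    api.call("POST", "authentication/flows", {"alias": flow["alias"], "providerId": "basic-flow",
                                               "topLevel": True, "builtIn": False, "description": ""})
    _add_children(api, flow["alias"], flow["executions"])
    path = f"authentication/flows/{quote(flow['alias'], safe='')}/executions"
    executions, updates = api.call("GET", path), 0
    for (kind, key), requirement in _walk(flow["executions"]):
        for ex in executions:
            is_flow = ex.get("authenticationFlow", False)
            hit = ((kind == "flow" and is_flow and ex.get("displayName") == key) or
                   (kind == "auth" and not is_flow and ex.get("providerId") == key))
            if hit and ex.get("requirement") != requirement:
                ex["requirement"] = requirement   # PUT expects the full representation back
                api.call("PUT", path, ex)
                updates += 1
    return updates


def bind_flow_to_client(api, client_uuid, flow_alias):
    """Same as Clients -> Advanced -> Authentication flow overrides -> Browser Flow."""
    flow_id = next(f["id"] for f in api.call("GET", "authentication/flows") if f["alias"] == flow_alias)
    client = api.call("GET", f"clients/{client_uuid}")
    client.setdefault("authenticationFlowBindingOverrides", {})["browser"] = flow_id
    api.call("PUT", f"clients/{client_uuid}", client)
    return flow_id


def flow_succeeds(flow, passed):
    """Simplified model of Keycloak's requirement rules: a flow with REQUIRED steps
    needs all of them, otherwise one ALTERNATIVE is enough. `passed` = provider ids
    that authenticated; this reproduces '(Cookie OR ... OR Password) AND OTP Form'."""
    def ok(e):
        return flow_succeeds(e, passed) if "executions" in e else e["provider"] in passed
    required = [e for e in flow["executions"] if e["requirement"] == "REQUIRED"]
    if required:
        return all(ok(e) for e in required)
    return any(ok(e) for e in flow["executions"] if e["requirement"] == "ALTERNATIVE")
```

Usage: `api = AdminApi("https://<keycloak-host>", "ucs", token)`, then `apply_flow(api, FORCE_OTP_FLOW)` followed by `bind_flow_to_client(api, "<client uuid>", "forceOTP")`, where the host, token and client uuid are your own values. `flow_succeeds(FORCE_OTP_FLOW, {"auth-cookie"})` returns False, which is exactly the point of the flow: a user who is already logged in via the Keycloak session cookie still has to pass the OTP Form, while `{"auth-cookie", "auth-otp-form"}` succeeds. The client update goes through GET followed by PUT of the whole client representation, because the admin API replaces the client on PUT rather than merging fields.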