
I'm trying to configure the Keycloak Browser Flow to allow users requesting scope1 to use a user/password form, and users requesting scope2 to be required to use the user/password form plus an OTP. My question is two-part:

  1. Am I not understanding something properly? I am surprised I have to code this myself and that it's not already available in Keycloak.
  2. Will the approach described below work?

I do not want to make this conditional on the user, but instead on the scope being requested. From what I can tell, to make this work I need to implement a custom ConditionalAuthenticator and then configure the flow approximately like this, replacing the "Condition - User Configured" execution with my own implementation.

(Screenshot: Example of per-scope configuration)

Hamy
    Would it be a possibility to use roles instead of scopes? – dreamcrash Feb 22 '21 at 20:03
  • Sadly no, what I need is the authentication flow to change based on whatever the caller requested. The caller has the right to request any of the possible scopes (they have all of the necessary roles). – Hamy Feb 23 '21 at 19:21
  • I'm interested in this question; if I get an answer then I'll comment. – Mandy007 Dec 01 '21 at 16:10

0 Answers
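Added example (not code from the question's author or from the Keycloak project): a minimal ConditionalAuthenticator of the kind the question describes, which matches when the login request's scope parameter contains a configured value, so that an OTP sub-flow can be made conditional on the requested scope rather than on the user. It reads the requested scope from the authentication session's "scope" client note (Keycloak's OIDCLoginProtocol.SCOPE_PARAM), which the authorization endpoint stores there. The package name, provider id "conditional-scope" and config key "condScope" are assumptions chosen for the example. The factory must be registered in META-INF/services/org.keycloak.authentication.AuthenticatorFactory for Keycloak to load it.

```java
package com.example.keycloak.auth; // hypothetical package for this example

import java.util.Arrays;
import java.util.Collections;
import java.util.List;

import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.authenticators.conditional.ConditionalAuthenticator;
import org.keycloak.authentication.authenticators.conditional.ConditionalAuthenticatorFactory;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.provider.ProviderConfigProperty;

/** Factory registered via META-INF/services; "conditional-scope" is an assumed provider id. */
public class ConditionalScopeAuthenticatorFactory implements ConditionalAuthenticatorFactory {
    public static final String PROVIDER_ID = "conditional-scope";
    static final String SCOPE_KEY = "condScope"; // assumed config key shown in the admin console

    private static final AuthenticationExecutionModel.Requirement[] REQUIREMENT_CHOICES = {
        AuthenticationExecutionModel.Requirement.REQUIRED,
        AuthenticationExecutionModel.Requirement.DISABLED
    };

    @Override public ConditionalAuthenticator getSingleton() { return ConditionalScopeAuthenticator.SINGLETON; }
    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Condition - requested scope"; }
    @Override public String getReferenceCategory() { return "condition"; }
    @Override public boolean isConfigurable() { return true; }
    @Override public boolean isUserSetupAllowed() { return false; }
    @Override public AuthenticationExecutionModel.Requirement[] getRequirementChoices() { return REQUIREMENT_CHOICES; }
    @Override public String getHelpText() { return "Matches when the login request included the configured scope."; }

    @Override
    public List<ProviderConfigProperty> getConfigProperties() {
        ProviderConfigProperty p = new ProviderConfigProperty();
        p.setName(SCOPE_KEY);
        p.setLabel("Scope");
        p.setType(ProviderConfigProperty.STRING_TYPE);
        p.setHelpText("Scope value (for example scope2) that makes this sub-flow run.");
        return Collections.singletonList(p);
    }

    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
}

/** Condition: true only when the requested scope list contains the configured scope. */
class ConditionalScopeAuthenticator implements ConditionalAuthenticator {
    static final ConditionalScopeAuthenticator SINGLETON = new ConditionalScopeAuthenticator();

    @Override
    public boolean matchCondition(AuthenticationFlowContext context) {
        AuthenticatorConfigModel config = context.getAuthenticatorConfig();
        if (config == null) {
            return false; // unconfigured condition never matches, so the sub-flow is skipped
        }
        String required = config.getConfig().get(ConditionalScopeAuthenticatorFactory.SCOPE_KEY);
        if (required == null || required.trim().isEmpty()) {
            return false;
        }
        // The raw "scope" request parameter is kept as a client note on the auth session.
        String requested = context.getAuthenticationSession().getClientNote(OIDCLoginProtocol.SCOPE_PARAM);
        if (requested == null) {
            return false;
        }
        // scope is space-delimited; compare whole tokens so "scope2x" does not match "scope2"
        return Arrays.asList(requested.trim().split("\\s+")).contains(required.trim());
    }

    // Conditions do no interactive work; the remaining Authenticator methods are no-ops.
    @Override public void authenticate(AuthenticationFlowContext context) { }
    @Override public void action(AuthenticationFlowContext context) { }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) { return true; }
    @Override public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) { }
    @Override public void close() { }
}
```

In the flow shown in the question, this condition goes inside the conditional sub-flow as REQUIRED with its scope set to scope2, followed by the OTP form as REQUIRED; when the login request does not contain scope2 the condition returns false and the whole sub-flow is skipped, so only the username/password form runs. One check worth making on the resource side: because the step-up is keyed on what the client asked for, the API protected by scope2 must verify that the access token actually carries that scope, otherwise a token obtained with scope1 alone would be accepted for the operations the OTP was meant to protect.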