Dear Keycloak Developers,
My client tries to use Step Up Authentication in a rather complex setup and struggles with the current implementation in Keycloak.
Thus I would like to propose some improvements to increase the flexibility of this feature:
2. Right now, Step Up Authentication only works if you use ConditionalLoaAuthenticators, which basically dictate splitting the authentication flow by LoA value. This would not be feasible for our client since there would be a lot of duplication for all possible LoA values (and there are a lot of possible values), making the flow really big and hard to maintain.
We tried to circumvent that and just use AcrStore to set the current level in a custom authenticator, but this doesn't work, since AcrStore sets the maxAge value to the value configured in the corresponding ConditionalLoaAuthenticator in the browser flow of the current realm, and 0 (expires immediately) as the default.
For us, just changing the default of 0 to a bigger value (effectively infinite in our case) would help, but this should be configurable or a parameter in AcrStore to be usable by everyone.
I could open a PR to add a parameter to AcrStore.setLevelAuthenticated and AcrStore.setLevelAuthenticatedToCurrentRequest if you want.
Thank you for your time.
Kind regards,
Dominik