Authentication Flows - Conditional "OR"


Jannes Drijkoningen

Jul 1, 2022, 6:09:40 AM7/1/22
to Keycloak User
Hello all,

Currently all sub-conditions of a conditional flow need to evaluate to TRUE to get into the flow (AND). Is there any combination of flows/executions to make this an OR?

Context: We've been trying to set up conditional 2FA for client roles for months now, but haven't been successful. Each of our clients has some sort of admin role that requires 2FA (company policy). Users can either have none of those roles, and should not have to use 2FA OTP, while some other users can have 1 or more of these admin roles and they must use 2FA OTP.

This is a rewrite of https://github.com/keycloak/keycloak/discussions/12145 . But since there hasn't been a response in over a month there, I figured I'd try my luck with the mailing list.

First we tried to simply use the conditional OTP form in this configuration:
[attached image: kc-conditional-form.png]

Result: If user has configured OTP and has multiple client roles they are presented with the same OTP form, once for the user configured condition, and once for each client role they have.

Secondly, we tried a more elaborate way by defining more flows, and trying out the "Allow Access" execution, hoping that if a user passes the "Allow Access" execution it would be like a breakout case and be let in.
[attached image: Screenshot 2022-07-01 at 11.58.00.png]
Result: The first flow (user configured) was just being skipped altogether, meanwhile the other flows are still all being triggered and required.
So now the functionality is:
if OTP is configured but no client roles -> OTP is not required?
if user has client role -> OTP is required (for each client role they have)


It seems like a suitable solution would be if we could use just a single conditional flow, with multiple sub-conditions. But instead of "AND"-ing them all, I want to "OR" the sub-conditions. In other words, "if 1 condition passes, the flow is entered". Or if anyone has any other ideas regarding client role enforced 2FA, perhaps some example setups I could look at, that would be awesome. We're starting to get a little desperate to finalize this chapter in our Keycloak integration.

Thank you,
Jannes D.
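One way to express "the user holds ANY of these roles" as a single condition, so that one conditional sub-flow gates the OTP form instead of one flow per role. This is an added example for illustration, not code from the thread or from the Keycloak project; it assumes Keycloak's conditional authenticator SPI (`ConditionalAuthenticator`, `KeycloakModelUtils.getRoleFromString`), and the class name, package and config key are hypothetical. The matching `ConditionalAuthenticatorFactory` and the `META-INF/services` registration needed to deploy it are not shown.

```java
// Added example (not from the thread): a custom Keycloak condition that
// evaluates to TRUE when the user holds ANY one of a configured list of
// roles (OR semantics). Package, class and config key are hypothetical.
package example.keycloak;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.authenticators.conditional.ConditionalAuthenticator;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;

import java.util.Arrays;
import java.util.Objects;

public class ConditionalAnyRoleAuthenticator implements ConditionalAuthenticator {

    // Config key read from the execution's configuration (hypothetical name).
    // Value: comma-separated role names, e.g. "shop.admin,billing.admin,manager".
    // Client roles use the "<clientId>.<roleName>" form that Keycloak's
    // built-in role condition already accepts.
    public static final String ANY_OF_ROLES = "anyOfRoles";

    @Override
    public boolean matchCondition(AuthenticationFlowContext context) {
        UserModel user = context.getUser();
        RealmModel realm = context.getRealm();
        AuthenticatorConfigModel cfg = context.getAuthenticatorConfig();
        if (user == null || cfg == null || cfg.getConfig() == null) {
            // No user yet or no configuration: treat as "no match". Note that a
            // non-match skips the OTP sub-flow, so the execution must be configured.
            return false;
        }
        String raw = cfg.getConfig().getOrDefault(ANY_OF_ROLES, "");
        return Arrays.stream(raw.split(","))
                .map(String::trim)
                .filter(name -> !name.isEmpty())
                .map(name -> KeycloakModelUtils.getRoleFromString(realm, name))
                .filter(Objects::nonNull)      // unknown role names never match
                .anyMatch(user::hasRole);      // OR over the configured roles
    }

    @Override public void action(AuthenticationFlowContext context) { /* not used */ }
    @Override public boolean requiresUser() { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { /* not used */ }
    @Override public void close() { /* nothing to release */ }
}
```

Placed as the condition of a single conditional sub-flow that contains the OTP form, the user is prompted once if any listed role matches and not at all otherwise.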
