Browser auth flow to require OTP and recovery codes for new *and* existing users


zam...@gmail.com

Jul 10, 2025, 11:31:03 AM
to Keycloak User
Hi

In v26.2.5, in order to force all users to use 2FA, we changed "browser" flow and set "Browser - Conditional OTP" to "Required"
This automatically forced all existing and new users to set up OTP.

After upgrading to v26.3.1, we wanted to take advantage of using 2FA Recovery Codes feature.
So following changes were made:

1. Created a new realm "test" and examined "browser" flow to see what are the new subflows/actions I'd need to add to my existing realm's auth flow (because existing realms flows don't automatically change with these new subflows/actions)
* here we noticed 2 new steps: "WebAuthn Authenticator" and "Recovery Authentication Code Form"
2. In my existing realm, we enabled Authentication -> Required Actions -> Recovery Authentication Codes
3. In my existing realm, I modified "browser" flow to add 2 new steps, and set "Recovery Authentication Code Form" to "Alternative"

To summarize

In v26.2.5 "browser" flow, starting with "forms" node:
-------------------------------------------------------------------------------
flow: forms -> Alternative
step: Username Password Form -> Required
flow: Browser - Conditional OTP -> Required (changed from Conditional (default) to force OTP registration)
condition: Condition - user configured -> Required
step: OTP Form -> Required


In v26.3.1, "browser" flow, starting with "forms" node:
-------------------------------------------------------------------------------
flow: forms -> Alternative
step: Username Password Form -> Required
flow: Browser - Conditional OTP -> Required (prev changed from Conditional (default))
condition: Condition - user configured -> Required
step: OTP Form -> Required (previous default, unchanged)
step: WebAuthn Authenticator -> Disabled
step: Recovery Authentication Code Form -> Alternative (changed from Disabled (default), as per docs)

However, with the above setup
* new users were required to set up OTP, but not required to set up recovery codes
* existing users were able to log in via OTP and were not prompted to set up recovery codes either


Is there a way I can set up the flow to require both OTP *and* recovery codes be set up for new and existing users automatically when they log in?

Alexander Schwartz

Aug 4, 2025, 1:50:49 PM
to zam...@gmail.com, Keycloak User
Hi,

I know my answer is quite late to your question: 

* Consider enabling the "Set as default action" for the two items to have a required action added to all new users
* For all existing users, create a batch that adds required actions as necessary. You might need to run it once a day in case someone deletes their second factor or recovery code

Another option could be to create a custom event listener that whenever someone adds an OTP, you add the required action to add recovery codes. 

Might even be a good enhancement to make the Configure OTP required action configurable so that it adds the required action once the OTP setup is complete. Please create an enhancement request for that if none exists, post the link here, and see if there are some additional community up-votes for that issue.

Best,
Alexander

--
Alexander Schwartz, RHCE (He/Him)
Principal Software Engineer, Keycloak Maintainer
Red Hat - Germany remote
asch...@redhat.com


Niko Köbler

Aug 13, 2025, 5:31:10 AM
to Keycloak User
As I would also appreciate such an option, I just created the enhancement request here: https://github.com/keycloak/keycloak/issues/41836

zam...@gmail.com

Aug 13, 2025, 3:08:18 PM
to Keycloak User
Alexander

> For all existing users, create a batch that adds required actions as necessary. You might need to run it one a day in case someone deletes their second factor or recovery code

This is kind of an approach we took also. Our app uses an admin client so we have a "one time" script that we run to cover existing users....

But... what about adding an improvement that would allow adding action(s) "en masse" to all users that don't have such an action?
When you edit a single user in the Keycloak UI you have the ability to add/remove actions - this would be just at the level for all users...
The same functionality could then be exposed via the API as well (to make it available to admin clients, Terraform provider, etc, etc)

I suspect this could be very useful in many situations (e.g. force all users to change passwords for some reason, or force all users to accept new Terms and Conditions)....
If you think this is a good idea, I can add a ticket...
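The batch that Alexander suggests for existing users, and the admin-client "one time" script described in the reply above, can both be implemented as a reconciliation loop over the Admin REST API: for every user, look at which credentials are already enrolled and add only the required actions that are still missing, so the job is idempotent and safe to run once a day. The following is an added example, not code from the thread or from the Keycloak project. It uses only the Python standard library and the documented user and credential endpoints; the action aliases `CONFIGURE_TOTP` and `CONFIGURE_RECOVERY_AUTHN_CODES` and the credential types `otp` and `recovery-authn-codes` are assumed to be the ids your server uses (check them under Authentication -> Required Actions and in a user's Credentials tab), and the environment variable names and the `--apply` switch are this example's own.

```python
"""Batch-add missing 2FA required actions to existing Keycloak users.

Added example, not part of the thread or of Keycloak itself. Assumptions:
the required-action aliases and credential type ids below match the server,
and the service-account client used for the token holds the realm-management
roles view-users and manage-users.
"""
import json
import urllib.parse
import urllib.request

# credential type that proves a factor is enrolled -> required action that forces its setup
CREDENTIAL_TO_ACTION = {
    "otp": "CONFIGURE_TOTP",
    "recovery-authn-codes": "CONFIGURE_RECOVERY_AUTHN_CODES",
}


def missing_required_actions(credentials, required_actions):
    """Return the actions to add for one user: one per factor that is neither
    already enrolled (a credential of that type exists) nor already pending."""
    present = {c.get("type") for c in credentials}
    pending = set(required_actions or [])
    return [action for cred_type, action in CREDENTIAL_TO_ACTION.items()
            if cred_type not in present and action not in pending]


def get_admin_token(base_url, client_id, client_secret, auth_realm="master"):
    """Client-credentials grant against the realm that holds the service account."""
    form = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id,
                                   "client_secret": client_secret}).encode()
    url = f"{base_url}/realms/{auth_realm}/protocol/openid-connect/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=form)) as resp:
        return json.load(resp)["access_token"]


class AdminClient:
    """Thin wrapper over the Admin REST API for one realm."""

    def __init__(self, base_url, realm, token):
        self.base = f"{base_url}/admin/realms/{realm}"
        self.headers = {"Authorization": f"Bearer {token}",
                        "Content-Type": "application/json"}

    def _call(self, method, path, query=None, body=None):
        url = self.base + path + ("?" + urllib.parse.urlencode(query) if query else "")
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers=self.headers)
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None

    def iter_users(self, page_size=100):
        # Page through GET /users; an empty page ends the iteration.
        first = 0
        while True:
            page = self._call("GET", "/users", {"first": first, "max": page_size})
            if not page:
                return
            yield from page
            first += page_size

    def credentials(self, user_id):
        return self._call("GET", f"/users/{user_id}/credentials")

    def add_required_actions(self, user, actions):
        # PUT the representation back with the merged action list, as the admin console does.
        rep = dict(user)
        rep["requiredActions"] = list(user.get("requiredActions") or []) + actions
        self._call("PUT", f"/users/{user['id']}", body=rep)


def reconcile(client, apply=False):
    """Walk every user and return {username: [actions]} for users needing work.
    With apply=True the actions are written; the default is a dry run."""
    plan = {}
    for user in client.iter_users():
        actions = missing_required_actions(client.credentials(user["id"]),
                                           user.get("requiredActions"))
        if actions:
            plan[user["username"]] = actions
            if apply:
                client.add_required_actions(user, actions)
    return plan


if __name__ == "__main__":
    import os
    import sys
    # Placeholder settings for your deployment: KC_URL, KC_CLIENT_ID, KC_CLIENT_SECRET, KC_REALM.
    token = get_admin_token(os.environ["KC_URL"], os.environ["KC_CLIENT_ID"],
                            os.environ["KC_CLIENT_SECRET"])
    client = AdminClient(os.environ["KC_URL"], os.environ["KC_REALM"], token)
    print(json.dumps(reconcile(client, apply="--apply" in sys.argv), indent=2))
```

Run it without `--apply` first to see which users would be touched; the plan only ever adds actions, never removes credentials, so a user who already has both factors is left alone on every run. Pair this with "Set as default action" on both required actions so that new users are covered at creation time and the batch only has to catch users who later removed a factor.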