Re: [keycloak-user] Authentication flow for Required Action

Francis Augusto Medeiros-Logeay

May 1, 2026, 4:38:46 AM
to Keycloak User
Hi Alexander,

Coming back to this issue, just a few follow-up questions:

On 9 Oct 2025, at 10:48, Alexander Schwartz <asch...@redhat.com> wrote:

  • A required action should IMHO be safe to trigger from all places, as it is in your case to set up a 2FA.

Is there any way to limit that for built-in required actions, such as Passkeys? We’d like to set step up authentication to create a passkey, which we could do simply by having a special flow for the Account client. But if kc_action can be used from anywhere, having that special flow won’t be effective.

  • If you do not want a custom required action to be called as an AIA, make sure not to implement the "initiatedActionSupport" method, and then it will default to "NOT_SUPPORTED".

But that would prevent it from showing on the Account console, right? I mean, if this required action is to implement a certain credential.


Thanks! 

Francis 

On Tue, Oct 7, 2025 at 10:08 AM 'Francis Augusto Medeiros-Logeay' via Keycloak User <keyclo...@googlegroups.com> wrote:
Hi,

We are setting up a custom required action for configuring 2FA. We want to force the user to step up his authentication via an external IDP before he can manage his credentials.

As I understood it, one can use any client to trigger a Required Action via kc_action. This could potentially make it possible for users to bypass the step-up.

Is there a way to either block the triggering of a required action via kc_action, or choose a specific authentication flow for a required action?

Best.

Francis

--
Alexander Schwartz, RHCE

He/Him

Principal Software Engineer, Keycloak Maintainer

alexander...@ibm.com
