Similar to what banking apps do, I would like to require a user already logged in through Keycloak to pass an additional authentication step for certain types of operations, such as withdrawing cash. This could mean providing the password again, but I’d prefer a second type of authentication such as an OTP sent to the phone. Ideally, the obtained authentication result would only be valid for one operation.
The setup is as follows:
- Single page web-app using keycloak-js adaptor to create KC sessions and generate JWT.
- REST API called by the web-app, which validates the JWT using JWKS and has the possibility to interact with KC to check the user’s session state etc.
What are my options? Is this something that’s possible out of the box with Keycloak? If not, what would be a starting point for implementing this myself?