Additional authentication step for sensitive operations


Similar to what banking apps do I would like to require a user already logged in through Keycloak to pass an additional authentication step for certain types of operations such as withdrawing cash. This could mean providing the password again but I’d prefer a second type of authentication such as OTP sent to the phone. Ideally, the obtained authentication result would only be valid for one operation.

The setup is as follows:

  • Single page web-app using keycloak-js adaptor to create KC sessions and generate JWT.
  • Rest API called by web-app which validates JWT using JWKS and has the possibility to interact with KC to check user’s session state etc.

What are my options? Is this something that’s possible out of the box with Keycloak? If not, what would be a starting point for implementing this myself?

Thank you!


Step-Up Authentication is your friend!
This is available with version 17, but I don’t know where to find it in the docs.
If you don’t find anything in the official docs, here is a good blog post explaining it: Keycloak Step-Up and Multi-factor Authentication (MFA) for Web Apps and API | by Martin Besozzi | Jan, 2022 | Medium
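
An added example (not from this thread or from the Keycloak project) of the two halves of the step-up flow for the setup in the question: the `claims` request parameter the SPA sends to ask Keycloak for a given ACR level, and the gate the REST API applies to an already signature-verified JWT before a sensitive operation. The level names `silver`/`gold`, their ordering, and the use of `auth_time` to bound how long a step-up counts are assumptions standing in for realm-specific configuration.

```javascript
// Added example, not the thread's or Keycloak's own code.
// Realm-specific ACR-to-LoA ordering; constructed for this example. Keycloak
// puts the reached level in the token's `acr` claim (numeric LoA or mapped name).
const ACR_ORDER = { "0": 0, "1": 1, "2": 2, silver: 1, gold: 2 };

// SPA side: value of the OIDC `claims` query parameter for the login/redirect
// request that asks Keycloak's step-up flow for `level`. Caller URL-encodes it.
function buildStepUpClaims(level) {
  return JSON.stringify({ id_token: { acr: { essential: true, values: [level] } } });
}

// API side: `claims` are decoded claims of a JWT whose signature was already
// checked against the realm JWKS. `now` is seconds since epoch (injectable).
function authorizeSensitiveOperation(claims, requiredLevel, maxAuthAgeSeconds,
                                     now = Math.floor(Date.now() / 1000)) {
  const have = ACR_ORDER[String(claims.acr)];
  const need = ACR_ORDER[requiredLevel];
  if (need === undefined) throw new Error(`unknown required level: ${requiredLevel}`);

  // Missing or too-low acr: refuse and tell the SPA what to request.
  if (have === undefined || have < need) {
    return { allowed: false, reason: "insufficient_acr",
             stepUp: buildStepUpClaims(requiredLevel) };
  }
  // Assumption: the step-up flow refreshes `auth_time`. Bounding its age is a
  // coarse stand-in for the "valid for one operation" wish in the question;
  // true single-use would need the API to record consumed auth_time values.
  if (typeof claims.auth_time !== "number" || now - claims.auth_time > maxAuthAgeSeconds) {
    return { allowed: false, reason: "stale_authentication",
             stepUp: buildStepUpClaims(requiredLevel) };
  }
  return { allowed: true };
}

module.exports = { ACR_ORDER, buildStepUpClaims, authorizeSensitiveOperation };
```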

This does look interesting, thank you for the hint!