Conditional Authenticator

Hi Team,
I am trying to implement a new Authenticator based on the user’s browser fingerprint. The authentication flow should be the following:

The Username & Password authenticator and the OTP authenticator are already provided by keycloak. I have developed an authenticator called Fingerprint (or browser fingerprint). This authenticator works like this:

  • The form submits a hash identifying many browser properties.
  • The authenticator checks wheter the hash provided exists or not:
    • if it exists, then the authentication process ends successfully
    • if does not exist, the authenticator sets a required action to register the new fingerprint

But I’m not able to connect the fingerprint authentication with OTP

How should I perform the next step ?
Is there a way to set a condition to an authenticator from Keycloak admin console ?
Or is it posible to add an authenticator to a flow dynamically in Java (like required actions )?


Hi Hope u are well
implement custom spi authenticator
To verify fingerprint
Without using required actions ( it will bé used once ) .
Best regards


Have you been able to perform that function?

In my understanding, the Fingerprint authenticator should collect the browser information from the http request and possibly a form running some javascript. And this is passed to the fingerprint authenticator action function.

The action function will either find the fingerprint in its referential/database and accept the login, or trigger the registration of this new fingerprint by prompting the OTP form.

I think that if you create a new flow containing first your fingerprint authenticator (as alternative) and the OTP authenticator as alternative, it should trigger the OTP form only if the fingerprint is not found.

Alternatively, in your fingerprint authenticator, you can trigger yourself the otp form and handle the response from your authenticator.

Please let us know the result

Did you manage to implement it? I’m trying to do the same using browser fingerprint to ask for OTP just if it is a new machine. But, so far I didn’t find a way to do it.