Conditional OTP Form Header check not working

Keycloak is 8.0.2 (also had issue with 8.0.1)

I’m trying to implement a Conditional OTP form. Everything appears to be set up correctly, but I cannot get it to work.

I’ve added a custom User-Agent header in my browser to test with (User-Agent: mytest) and set it to require OTP if the user agent header matches, so as not to break users who don’t have OTP, and have validated that it’s being sent, but no matter what I try, the condition appears to be getting overlooked. The custom form is defaulting to the default action, regardless of any of the header checks above. I’ve also tried X-Forwarded headers, also without luck.

Ideas? Does this work for anyone else?

Hi Teverson,
Did you end up resolving this issue, as I’m noticing a similar issue with “Skip OTP for Header” not working or being recognized if enabled as part of conditional OTP auth?
The source client IP is being passed and recognized correctly under the keycloak log. The rest of the OTP conditions are working except for this one which is the main requirement.

Is this the correct syntax: X-Forwarded-Host: (1.2.3.3|1.2.3.4)
Keycloak version 11.0.2

Please assist?
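The following is an added illustration, not code from the thread and not Keycloak's own implementation. It models how a "Skip OTP for Header" / "Force OTP for Header" pattern is commonly understood to be evaluated: each request header is rendered as "Name: value" and the configured regex must match that whole string, so a pattern has to cover the header name as well as the value. That full-match behaviour, the "Name: value" rendering, and the skip-before-force precedence are assumptions of this example, labelled as such in the code. The header sets below are constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional

# Assumption of this example: the configured pattern is compiled as a regex and
# must fully match a "Name: value" rendering of some request header.
def header_pattern_matches(headers: Dict[str, List[str]], pattern: str) -> Optional[str]:
    """Return the first 'Name: value' entry that the pattern fully matches, else None."""
    compiled = re.compile(pattern, re.DOTALL)
    for name, values in headers.items():
        for value in values:
            entry = f"{name.strip()}: {value.strip()}"
            if compiled.fullmatch(entry):
                return entry
    return None


# Assumption of this example: a matching skip pattern is consulted before a
# matching force pattern; if neither matches, the form's default action applies.
def decide_otp(headers: Dict[str, List[str]],
               skip_pattern: Optional[str] = None,
               force_pattern: Optional[str] = None,
               default: str = "force") -> str:
    """Return 'skip' or 'force' for the given request headers."""
    if skip_pattern and header_pattern_matches(headers, skip_pattern):
        return "skip"
    if force_pattern and header_pattern_matches(headers, force_pattern):
        return "force"
    return default


# Constructed sample requests (not captured traffic).
EXACT_AGENT = {"User-Agent": ["mytest"], "X-Forwarded-Host": ["1.2.3.3"]}
BROWSER_AGENT = {"User-Agent": ["Mozilla/5.0 mytest"], "X-Forwarded-Host": ["9.9.9.9"]}


def demo() -> Dict[str, Optional[str]]:
    """Show which patterns match under full-match semantics."""
    return {
        # The thread's syntax: header name, colon, alternation of values.
        "forwarded_alternation": header_pattern_matches(
            EXACT_AGENT, r"X-Forwarded-Host: (1\.2\.3\.3|1\.2\.3\.4)"),
        # A bare value never matches because the name is part of the string.
        "bare_value": header_pattern_matches(EXACT_AGENT, r"mytest"),
        # Name plus exact value matches only when the value is exactly that.
        "exact_agent": header_pattern_matches(EXACT_AGENT, r"User-Agent: mytest"),
        "browser_agent_exact": header_pattern_matches(BROWSER_AGENT, r"User-Agent: mytest"),
        # A leading .* is needed for a substring match of the value.
        "browser_agent_wild": header_pattern_matches(BROWSER_AGENT, r"User-Agent: .*mytest"),
    }


if __name__ == "__main__":
    for label, hit in demo().items():
        print(f"{label:22s} -> {hit}")
    print("decision (skip pattern matches):",
          decide_otp(EXACT_AGENT, skip_pattern=r"X-Forwarded-Host: (1\.2\.3\.3|1\.2\.3\.4)"))
    print("decision (no match, default):",
          decide_otp(BROWSER_AGENT, skip_pattern=r"X-Forwarded-Host: (1\.2\.3\.3|1\.2\.3\.4)"))
```

Two points worth checking against a real deployment: a pattern such as User-Agent: mytest only matches when the header value is exactly "mytest", and an unanchored prefix (.*) is needed to match a longer browser string; and X-Forwarded-* headers are only meaningful for a skip rule when a trusted reverse proxy sets them, since a client can otherwise supply any value it likes.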

Unfortunately, I did not. Sorry.

This may become a moot point as we’re looking at a commercial IDP as part of another solution / project, although I would still be interested in a solution, if it’s ever sorted out. The whole conditional auth seemed buggy, and I haven’t had time to circle back to it, with competing priorities.

Keycloak has been fantastic, for an open source solution. I just wish some of these oddities were simpler to resolve.