Configure 2FA via Browser Flow

I’ve seen several topics but haven’t quite found one that fits my use-case, or one I can tweak to fit. I’m using Keycloak to enforce 2FA while using an LDAP server as the account manager backend. My goal is to create accounts in LDAP as necessary, and let Keycloak handle the authentication.

Right now the browser flow works, except it doesn’t handle 2FA registration well. I simply want the user to be presented with the choice to register OTP or WebAuthn if they don’t already have it registered. This seems really difficult to accomplish via flow. If so, why? I don’t want to constantly log in to Keycloak to manage OTP/WebAuthn registration or set flags. Is there a better way to require one of those two?

Because I hate leaving things unanswered: my solution was the “Enforce MFA” plugin located here: keycloak-mfa-plugins/enforce-mfa at main · netzbegruenung/keycloak-mfa-plugins · GitHub

I’m not a Git master but hopefully they will be rolled into the main release soon: Add community-extension: MFA Plugin Collection by melegiul · Pull Request #527 · keycloak/keycloak-web · GitHub

I mounted the jar to my container at /opt/keycloak/providers/.jar
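For anyone reproducing the deployment step above, here is an added example (not from the original post and not part of the netzbegruenung project) of baking a provider jar into a Keycloak image instead of bind-mounting it at runtime. The image tag, the jar filename `enforce-mfa.jar`, and the realm/admin values are placeholders you would replace; the only facts taken from the post are the `/opt/keycloak/providers/` directory and the plugin name.

```dockerfile
# Added example: build a Keycloak image with a custom authenticator SPI jar.
# Pin the Keycloak version you actually run; "KEYCLOAK_VERSION" is a placeholder.
ARG KEYCLOAK_VERSION=KEYCLOAK_VERSION
FROM quay.io/keycloak/keycloak:${KEYCLOAK_VERSION} AS builder

# Provider jars are picked up from this directory at build time.
# "enforce-mfa.jar" is a placeholder for the jar you built from the plugin repo.
COPY enforce-mfa.jar /opt/keycloak/providers/

# Health and metrics endpoints are optional; the build step is what registers
# the provider so it shows up under "Add execution" in the admin console.
ENV KC_HEALTH_ENABLED=true
RUN /opt/keycloak/bin/kc.sh build

FROM quay.io/keycloak/keycloak:${KEYCLOAK_VERSION}
COPY --from=builder /opt/keycloak/ /opt/keycloak/

# Runtime settings are supplied by the environment (DB URL, hostname, admin
# bootstrap credentials); nothing secret is baked into the image.
ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
CMD ["start", "--optimized"]
```

Building the jar into the image (rather than mounting it into a running container) means `kc.sh build` runs once with the provider present, so the authenticator is registered deterministically and an image scan will show exactly which provider version is deployed. After the container starts, the new authenticator still has to be added as an execution to the browser flow in the admin console, which is the one-time flow edit the original question was trying to avoid repeating per user.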