Error in step-up auth documentation?

Hey,

I have question regarding the step-up authentication flow in the official documentation:
(Server Administration Guide). The attached picture [1] is described as:

If a client requests a high authentication level, meaning Level of Authentication 2 (LoA 2), a user has to perform full 2-factor authentication: Username/Password + OTP. However, if a user already has a session in Keycloak, that was logged in with username and password (LoA 1), the user is only asked for the second authentication factor (OTP).

My issue with this explanation is the Cookie auth step on the top, which is configured as Alternative to Auth Flow. Would that not invalidate the entire step-up mechanism? If you are authenticated you have a cookie, meaning the logic shown here is never evaluated past the very first login attempt, and no stepping up will ever happen as long as your cookie is valid, even if the client explicitly asks for LoA 2.

I would put Cookie auth as Alternative on the same level one step above Username Password Form, because then it only serves as an alternative to password credentials, but does not influence the OTP sub-flow.

I am likely misunderstanding something, and would appreciate some help.

[1]

After setting this flow up myself and testing it thoroughly I can say that somehow it does work as documented, but I still fail to understand how.

Cookie authentication, when configured as alternative as shown above, does not behave as an alternative in a required flow usually would. Both alternatives seem to be executed, which is contrary to how alternative is defined.

Cookie auth first authenticates you “up to” the point of your last obtained LoA, and then the alternative flow triggers afterwards as well, upping your LoA to the requested level. It works as documented, but I’ve not found anyone being able to explain why it works.

I’m lost.
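Added illustration, not part of the original post and not Keycloak's own code: a small Python model of the documented flow (Cookie as one alternative, the "Auth Flow" sub-flow with the LoA 1 and LoA 2 conditional sub-flows as the other). It encodes two assumptions about how the executors behave, both labelled in the code: that an alternative which reports "attempted" rather than "success" does not satisfy the enclosing flow, so the next alternative is still evaluated (this is what would let the Cookie alternative hand over to the OTP sub-flow), and that the Level-of-Authentication condition only admits its sub-flow when the requested level reaches the configured level and the current authentication is still below it. The `step_up_aware` switch contrasts that model with the plain "cookie = success" reading from the question.

```python
"""Simplified model of a browser flow with step-up (LoA) conditional sub-flows.

Assumptions (a model, not verified against any particular Keycloak version):
  * An alternative executor that returns ATTEMPTED does not satisfy the
    enclosing flow, so the next alternative is evaluated.
  * The Cookie authenticator returns ATTEMPTED instead of SUCCESS when the
    level stored in the SSO session is below the level the client requested.
  * "Condition - Level of Authentication" lets its sub-flow run only when the
    requested level is at least the configured level and the current
    authentication is still below that level.
"""
from enum import Enum


class Result(Enum):
    SUCCESS = "success"
    ATTEMPTED = "attempted"


class Session:
    """SSO session state: loa is the highest level already achieved (0 = no cookie)."""

    def __init__(self, loa=0):
        self.loa = loa


def cookie_authenticator(session, requested_loa, trace, step_up_aware):
    trace.append("Cookie")
    if session.loa == 0:
        return Result.ATTEMPTED  # no identity cookie: fall through to the next alternative
    if step_up_aware and session.loa < requested_loa:
        # Assumption: the session is too weak for the request, so the cookie
        # reports "attempted" and the Auth Flow alternative still runs.
        return Result.ATTEMPTED
    return Result.SUCCESS


def conditional_loa_subflow(level, authenticator, session, requested_loa, trace):
    """Conditional sub-flow guarded by a Level-of-Authentication condition."""
    if requested_loa < level or session.loa >= level:
        return Result.ATTEMPTED  # condition false: the sub-flow is skipped
    trace.append(authenticator)  # the required authenticator inside the sub-flow executes
    session.loa = level  # constructed: assume the user passes the challenge
    return Result.SUCCESS


def auth_flow(session, requested_loa, trace):
    """The 'Auth Flow' alternative: LoA 1 and LoA 2 conditional sub-flows, in order."""
    conditional_loa_subflow(1, "UsernamePasswordForm", session, requested_loa, trace)
    conditional_loa_subflow(2, "OTPForm", session, requested_loa, trace)
    return Result.SUCCESS if session.loa >= requested_loa else Result.ATTEMPTED


def run_browser_flow(session, requested_loa, step_up_aware=True):
    """Top-level flow with two alternatives: Cookie first, then Auth Flow.

    Returns (list of authenticators that executed, final LoA of the session).
    """
    trace = []
    alternatives = (
        lambda: cookie_authenticator(session, requested_loa, trace, step_up_aware),
        lambda: auth_flow(session, requested_loa, trace),
    )
    for alternative in alternatives:
        if alternative() is Result.SUCCESS:
            break  # the first successful alternative satisfies the flow
    return trace, session.loa


if __name__ == "__main__":
    # Constructed scenarios; the third is the documented step-up case,
    # the fourth is the "cookie always wins" reading from the question.
    print(run_browser_flow(Session(0), 1))
    print(run_browser_flow(Session(0), 2))
    print(run_browser_flow(Session(1), 2))
    print(run_browser_flow(Session(1), 2, step_up_aware=False))
    print(run_browser_flow(Session(2), 2))
```

With `step_up_aware=True` an existing LoA 1 session and a request for LoA 2 execute only Cookie and OTPForm, which is the documented outcome; with `step_up_aware=False` the same input stops after Cookie and the session stays at LoA 1, which is the outcome the question predicts. Whether a real deployment behaves like the first case depends on the cookie executor actually distinguishing "attempted" from "success" for an under-level session, which is the assumption this model makes.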