Hi,
I am struggling with a solution to enforce OTP with Kerberos and, alternatively, with Username Password in one flow. The goal is a working flow which enforces OTP (if enabled in a role) in any case.
We are using Keycloak 25.0.6 as a “plugin”/“app” of UCS (IAM Solution).
I have tried two flows:
1.)
In all cases the authentication flow ends in “Invalid username or password.”
The reason is that the User Name Password Form is “required” and is always executed.
In my opinion the username password flow must be conditional and has to be executed only if the other alternatives are unsuccessful… but which condition?
2.)
I have also tried a modified version of the standard browser flow, but this solution only works in the case with Kerberos enabled. In the username password case it ends in “Kerberos is not set up. You cannot login.”.
The same problem here, there must be a condition to check if Kerberos is present… or reposition it before and execute it only if the outcome of the authentication before was not ok. But how?
Any ideas?
best regards sh