How to setup 2 Step Authentication in KeyCloak with custom DB authentication

Hi, I am using Application Database Authentication with Keycloak, implemented using an SPI through the OIDC protocol (password grant; the Keycloak login screens are not used here). I would like to know how to set up 2-step authentication: first the user credentials must be validated against the DB, and only then should an OTP be sent to the user's mobile; when a request comes with the OTP, it should be validated. How do I set up this flow?

Thanks

Hi,

I faced a similar problem when trying to integrate 2FA authentication on Keycloak. I realized that I had to develop my own Authenticator SPI.
However, I relied on Keycloak for the first-step authentication (user/pwd).

I can suggest the following approach in your case:

  1. create a custom authenticator for the first step: the Keycloak user/password form can be used to receive this info, and the custom authenticator will get these form params, check them against the custom DB, then respond ok or ko
  2. then, a second custom authenticator is triggered and its implementation will:
    • if the acr_values does not request a 2FA, return ok
    • else, present the OTP form to the user and wait for the response; if the OTP is valid respond ok, else ko

I use the npm package keycloak-rest-authenticator.
It provides an external way to make custom authentication (and therefore reach your own database).

Feel free to contact me to look into it. I would be glad to help.
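As an added illustration of the second step described in the reply above (example code written for this thread; it is not code from the thread, from the keycloak-rest-authenticator package, or from Keycloak itself), here is a custom Keycloak Authenticator that skips the second factor unless acr_values asks for it, sends a one-time code, and validates the user's response. Assumptions: the jakarta namespace (Keycloak 22 or later on Java 17), a hypothetical SmsSender hook, a user attribute named phoneNumber holding the mobile number, and the acr value "mfa" as the signal that 2FA is required. The AuthenticatorFactory, the META-INF/services registration and placing this authenticator after the first-step (DB credential) authenticator in the flow are left out.

```java
package example.auth; // hypothetical package name

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HexFormat;
import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Response;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.sessions.AuthenticationSessionModel;

/** Second-step authenticator: one-time code over SMS, requested via acr_values. */
public class SmsOtpAuthenticator implements Authenticator {
    // Auth-session notes keep per-login state; only a hash of the code is stored.
    private static final String NOTE_OTP_HASH = "sms-otp.hash";
    private static final String NOTE_EXPIRES = "sms-otp.expires";
    private static final String NOTE_ATTEMPTS = "sms-otp.attempts";
    private static final long TTL_MS = 5 * 60 * 1000;   // code valid for 5 minutes
    private static final int MAX_ATTEMPTS = 3;          // lock the login after 3 wrong codes
    private static final String REQUIRED_ACR = "mfa";   // assumed acr value meaning "2FA wanted"
    private static final SecureRandom RNG = new SecureRandom();

    /** Hypothetical outbound SMS hook; the thread names no gateway, so it is left abstract. */
    public interface SmsSender { void send(String phoneNumber, String text); }

    private final SmsSender sender;
    public SmsOtpAuthenticator(SmsSender sender) { this.sender = sender; }

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        AuthenticationSessionModel authSession = context.getAuthenticationSession();
        UserModel user = context.getUser(); // set by the first-step authenticator

        // acr_values is kept as a client note on the authentication session.
        String acr = authSession.getClientNote(OIDCLoginProtocol.ACR_PARAM);
        if (acr == null || !acr.contains(REQUIRED_ACR)) {
            context.success(); // no 2FA requested: the password step was enough
            return;
        }
        String phone = user.getFirstAttribute("phoneNumber"); // assumed attribute name
        if (phone == null || phone.isBlank()) {
            context.failure(AuthenticationFlowError.INVALID_USER);
            return;
        }
        // Six digits from a CSPRNG; store only its salted hash plus expiry and attempt counter.
        String otp = String.format("%06d", RNG.nextInt(1_000_000));
        authSession.setAuthNote(NOTE_OTP_HASH, sha256Hex(user.getId() + ":" + otp));
        authSession.setAuthNote(NOTE_EXPIRES, Long.toString(System.currentTimeMillis() + TTL_MS));
        authSession.setAuthNote(NOTE_ATTEMPTS, "0");
        sender.send(phone, "Your login code is " + otp);
        // Keycloak's base theme already ships login-otp.ftl, which posts a field named "otp".
        context.challenge(context.form().createForm("login-otp.ftl"));
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        AuthenticationSessionModel authSession = context.getAuthenticationSession();
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String submitted = form.getFirst("otp");
        String expectedHash = authSession.getAuthNote(NOTE_OTP_HASH);
        String expires = authSession.getAuthNote(NOTE_EXPIRES);
        if (expectedHash == null || expires == null || System.currentTimeMillis() > Long.parseLong(expires)) {
            context.failure(AuthenticationFlowError.EXPIRED_CODE);
            return;
        }
        int attempts = Integer.parseInt(authSession.getAuthNote(NOTE_ATTEMPTS)) + 1;
        authSession.setAuthNote(NOTE_ATTEMPTS, Integer.toString(attempts));
        if (attempts > MAX_ATTEMPTS) {
            context.failure(AuthenticationFlowError.INVALID_CREDENTIALS); // no more retries
            return;
        }
        String submittedHash = sha256Hex(context.getUser().getId() + ":" + (submitted == null ? "" : submitted.trim()));
        boolean valid = MessageDigest.isEqual( // constant-time compare of the two hashes
                expectedHash.getBytes(StandardCharsets.UTF_8), submittedHash.getBytes(StandardCharsets.UTF_8));
        if (!valid) {
            Response retry = context.form().setError("invalidTotpMessage").createForm("login-otp.ftl");
            context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, retry);
            return;
        }
        authSession.removeAuthNote(NOTE_OTP_HASH); // single use
        context.success();
    }

    @Override public boolean requiresUser() { return true; }   // must run after the user/password step
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }

    private static String sha256Hex(String input) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(input.getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().formatHex(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

This matches the browser-flow shape the reply describes (form challenge, then action). For the password grant mentioned in the question, every token request opens a fresh authentication session, so notes on that session do not survive between the "send code" request and the "verify code" request; in a direct-grant flow the code's hash, expiry and attempt counter have to live in a short-lived store keyed by the user, and the "challenge" becomes a 4xx JSON response returned through context.failure(error, response) rather than a rendered form.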