Issue with Conditional OTP


I’m totally confused with the conditional flow… I’m looking to make a conditional flow where keycloak has to decide which MFA to use GAuth or SMS or totally skip MFA

The base flow I want is

  1. If user is in OTP_SMS role then use SMS MFA
  2. if user is OTP_DISABLED role then skip
  3. for all others use GAuth

I tried different flow combinations unsuccessfully… also had trouble with “Conditional OTP Form” for the disabled role so I created a provider for “User not in role

The first flow I did was the pic-1 but it didn’t accomplish what I wanted, the issues were

  1. SMS flow is executed but then the user is asked for GAuth OTP
  2. If a user has no OTP configured and doesn’t belong to any exception roles; he’s not asked to configure OTP and instead he’s logged in successfully…

This is the latest flow I came up with… and it has several issues

  1. the SMS flow is executed even if the user is not OTP_SMS role!
  2. Users that must use GAuth are only prompted for SMS code!
  3. users in OTP_DISABLED are prompted for Gauth configuration…


Turning on debug mode shows that the condition “User IN Role” is not even executed, the flow goes directly from auth-username-password-form to sms-authenticator without executing the condition…

Any help would be appreciated

finally managed to get it working, in case anyone wants to see the flow