MFA (OTP) depending on user / group / role?

catshout · January 19, 2021, 12:34pm

Hi all,

we do have 1 client (application) defined in 1 realm. The customer want’s to enforce MFA (OTP) for dedicated users only. Is there a way do do this? Maybe for groups or roles?

Any hints are appreciated.

Best
Gerald

jangaraj · January 19, 2021, 4:58pm

gist.github.com

https://gist.github.com/thomasdarimont/ad3aa0e36d33d067dba2

ConditionalOtpFormAuthenticator.java

package org.keycloak.authentication.authenticators.browser;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;

import javax.ws.rs.core.MultivaluedMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

This file has been truncated. show original

ConditionalOtpFormAuthenticatorFactory.java

package org.keycloak.authentication.authenticators.browser;

import org.keycloak.Config;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.provider.ProviderConfigProperty;

This file has been truncated. show original

helper.java

    // Used in various role mappers
    public static RoleModel getRoleFromString(RealmModel realm, String roleName) {
        String[] parsedRole = parseRole(roleName);
        RoleModel role = null;
        if (parsedRole[0] == null) {
            role = realm.getRole(parsedRole[1]);
        } else {
            ClientModel client = realm.getClientByClientId(parsedRole[0]);
            if (client != null) {
                role = client.getRole(parsedRole[1]);

This file has been truncated. show original

There are more than three files. show original

dasniko · January 19, 2021, 5:00pm

You don’t even need custom code for this. There are conditionals in the authentication flow configuration, depending on roles. So this can be done ootb since version 8 or 9 …!

catshout · January 19, 2021, 5:22pm

Many thanks @jangaraj and @dasniko . In between I did find this …

The “Conditional OTP Authenticator” is now part of Keycloak itself and works.

But I have one issue with that …

When I’m going to assign a user the role “require_otp_role” directly the Conditional OTP works.
When I’m going to add a user to a group that has the role “require_otp_role” assigned the OTP doesn’t work.

We’re using Keycloak 7.0.0. Should I open a ticket for this?

Best
Gerald

catshout · January 20, 2021, 12:12pm

I’ve created a ticket for. See

https://issues.redhat.com/browse/KEYCLOAK-16868

Topic		Replies	Views
MFA based on client IP / subnet	4	2759	January 17, 2023
Issue with Conditional OTP Configuring the server	1	1773	May 3, 2021
Is it possible to enforce 2FA for some users? Getting advice	5	3199	December 16, 2020
Allow users only for specific clients in a given realm Getting advice	11	19967	February 19, 2024
Configure OTP enabled by default Getting advice authentication	0	341	April 3, 2023

MFA (OTP) depending on user / group / role?

Related Topics