Multiple security stages

Hi, I’m quite new to keycloak, so please excuse my probably stupid question. Unfortunately I cannot figure how to properly configure keycloak to match the requirements.

I have an angular application that consists of multiple layers, for “public”, “authenticated” and “trusted” users. “Public” is accessible for everyone and does not need any authentication - this works since I just don’t request keycloak.

Authenticated should only request the user to sign up and have a password.
Trusted users must have a password and a verified phone number.

Now my problem:
I can only configure one flow independent of where I am on my application. Can I somehow specify a specific flow for each authenticate request or how do I configure this properly?

Thanks in advance

It is not clear what “stage” means in your case. Let’s guess it’s an app route. So just apply proper guard/authorization for each app route. Implementation is really Angular based, so this is not a good forum for this question - quick idea angular-auth-oidc-client/ at main · damienbod/angular-auth-oidc-client · GitHub

I have an angular application - yes, so i have multiple routes, yes - let’s say the following:
/home (for public)
/account (for authenticated)
/buy (for trusted)

Right now I’m basically checking if a user is authenticated and if he’s not i redirect him to keycloak where he authenticates - so far so good.
My problem is that this redirect to keycloak has no context or similar. I only have one flow for keycloak, but I need one for just password authentication and one for password auth plus SMS auth.

I do not know how to configure keycloak to have multiple flows that can be used by redirection, controlled from the outside.

bump - does noone have an idea?

You could use different realms for each route. In each realm you could use different authentication flow.

Maybe two different clients would be better than two different realm, there is an option in keycloak to make a specific flow per client (overriding the default one)

1 Like

@Cyben is it somehow possible to automatically switch between profiles depending on the url?

Didn’t quite understand you, what do you mean by profile?

By the way, take a look at this code:

Really simple one, what I have done there is I’m using the authorization code flow, but you could use something else,
But the main thing there, that maybe you should check out is in the backend
There is a public api endpoint so everyone could access it, and there is a protected one.
For the protected one there I made an option for only authentication, or for authorization by any claim.

So if we will take it to your situation,
You could try to make:

  • public route for everyone
  • protected for authenticated users
  • protected for authorized users (when you get their token check for example if they have the claim ‘trusted’ with the value ‘true’

Hope you got it.
And there is no need for different flows for this implementation.

By the way, maybe this is what you are looking for:

I’m not sure if it works, never tried it but sounds good.