OTP Configuration

I have a problem with setting OTP flow in Keycloak.

-When User1 with roles: ,role1, has set ,Required User Actions, to ,Configure OTP)
-After log In via Google and in post flow is sets ,Conditional OTP Form (REQUIRED), to Skip OTP for Role = role1
-The keycloak skips the OTP first configuration and ,Required User Actions, disappears from user.

Can it be solved so that it does not disappear?

,Required User Actions, I would need to have the user set up in case he logs in the second way via LDAP.
Alternatively, the solution would be for the google login to allow OTP to be set up for the first time.

If I understood correctly, you have:

  • google as identity provider.
  • Post login flow set to a flow with a OTP form disable for role1

This is because you want to avoid OTP configuration for users with role1.

But, if this is the case, why do you set “Configure OTP” for that users in the first place?

I believe that required actions are cleaned when the users logs in. If you don’t have an execution in the flow to get that flag, it is reset after a successful login.

It is more complicated.
User1 has two way to login

  1. via LDAP User Federation (All users are imported)
  2. via Google provider (after first login is user associated with existing LDAP user)

For LDAP login want to use login with OTP verification
For Google login (using native Google 2FA and OTP we do not want to use)

Now how to set it up? Because when user login via Google first so ,Required User Actions, disappears from user.
When user login first via LDAP so OTP is configured perfect.

I suppose you can force users to do a LDAP login right after the first google login. That way, you can force them to configure OTP.

But you can disable OTP on next logins if google provider is used.

Create an authentication flow to be the “First Login Flow” for the google provider. In that flow, you force users to reauthenticate and configure OTP after successful google login.

I understand what you mean by the description, but so far I have not been able to create a functional flow :frowning:

I seems that have a solution.
As Google provider post flow use:
Conditional OTP Form as REQUIRED
Skip OTP for Role - set-role-for-skip
Fallback OTP handling - force

1 Like