Use OTP only for a specific action in my app

Hello,

I would like to have some advice from you to determine what is the best way to enable an OTP validation only for a specific action.

Indeed, in my app I will probably enable the OTP check for one action (data export or whatever button action). In some previous topics and on the YT channel of @dasniko I saw some examples of conditional OTP based on roles and/or HTTP headers, but only for the authentication step.

I hope I didn’t miss some information in this discourse.

Do you have any idea how to implement this need correctly?

Thanks a lot for your help,

Ulrich


Keycloak does authentication. What you want to do is authorization. Keycloak does not know about your application's actions and is not involved in the execution of your application's actions.

Either you have to reimplement OTP behavior in your app, or you could (mis-)use Step-Up Authentication, where your app requires a specific level-of-authentication (loa) through acr claims. See docs for more information. But step-up is only possible time-based, not (trans-)action based!
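
To make the step-up approach concrete, here is an added example (not from @dasniko or the Keycloak project) of the per-action check the app itself would have to perform on an already signature-verified token. The acr values "copper"/"silver"/"gold", their level mapping and the action policy are constructed; the app compares the token's acr claim against the level the action requires and, because step-up is time-based rather than action-based, also checks auth_time against a freshness window, answering with the RFC 9470 insufficient_user_authentication challenge so the client can redirect to Keycloak with the required acr_values.

```python
import time

# Constructed mapping of acr values to levels of authentication. In Keycloak this
# correspondence is configured per client (acr.loa.map); these values are examples.
ACR_TO_LOA = {"copper": 1, "silver": 2, "gold": 3}
LOA_TO_ACR = {level: acr for acr, level in ACR_TO_LOA.items()}

# Constructed per-action policy: the export action needs level 3 and an
# authentication no older than 300 seconds; viewing a profile needs only level 1.
ACTION_POLICY = {
    "data-export": {"min_loa": 3, "max_age": 300},
    "view-profile": {"min_loa": 1, "max_age": None},
}


def challenge(acr_values, max_age):
    """Parameters the app returns with a 401 so the client can ask Keycloak for
    step-up (RFC 9470 style: error, acr_values and optionally max_age)."""
    out = {"allowed": False, "error": "insufficient_user_authentication",
           "acr_values": acr_values}
    if max_age is not None:
        out["max_age"] = max_age
    return out


def check_action(claims, action, now=None):
    """Decide whether verified token claims satisfy the policy for one action.

    `claims` is the decoded payload of a token whose signature has already been
    checked; this function only decides, it does not verify the token. Assumes the
    token carries the OIDC `acr` and `auth_time` claims.
    """
    now = time.time() if now is None else now
    policy = ACTION_POLICY[action]
    loa = ACR_TO_LOA.get(str(claims.get("acr")), 0)  # unknown or missing acr => 0
    required_acr = LOA_TO_ACR[policy["min_loa"]]
    if loa < policy["min_loa"]:
        return challenge(required_acr, policy["max_age"])
    if policy["max_age"] is not None:
        # Step-up is only time-based: a gold token that is too old must be refreshed
        # by a new authentication, even though the action is the same.
        auth_time = claims.get("auth_time")
        if auth_time is None or now - auth_time > policy["max_age"]:
            return challenge(required_acr, policy["max_age"])
    return {"allowed": True}
```

The app still cannot bind the OTP to the export itself; a fresh gold token satisfies every level-3 action until it ages out of the window.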

Thank you for your response @dasniko

Indeed, it was also my conclusion yesterday after searching for some solutions. I will take a look at acr claims and the related specific level authorization.

Have a nice day,