<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Whoops, you already submitted a PR! :)<br>
<br>
<div class="moz-cite-prefix">On 1/11/2016 12:39 PM, Bill Burke
wrote:<br>
</div>
<blockquote cite="mid:5693E8B4.1030007@redhat.com" type="cite">
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
That's cool! Thanks. Something we've been wanting to add. If you
want to submit a PR we would welcome it.<br>
<br>
<div class="moz-cite-prefix">On 1/11/2016 9:58 AM, Thomas Darimont
wrote:<br>
</div>
<blockquote
cite="mid:CAK-7U1hu9DpTO5V3PgFNWCaV224S1QUt9nmL3gQsrLBWq4iyug@mail.gmail.com"
type="cite">
<div dir="ltr">Hello,
<div><br>
</div>
<div>since this was requested multiple times, I implemented a
custom OTP Authenticator </div>
<div>that can conditionally show the OTP form over the
weekend.</div>
<div><br>
</div>
<div>You can find more details in the following JIRA issue: </div>
<div><a moz-do-not-send="true"
href="https://issues.jboss.org/browse/KEYCLOAK-2040">https://issues.jboss.org/browse/KEYCLOAK-2040</a></div>
<div><br>
</div>
<div>
<div>I built something along those lines based on Keycloak 1.8
(already adapted this for Keycloak 1.7) which allows you
to conditionally require OTP authentication - I can
contribute that if desired.</div>
<div>The solution consists of a custom
ConditionalOtpFormAuthenticator that extends the
OTPFormAuthenticator which can be configured with some
conditions via the admin interface.</div>
<div>The decision for whether or not to require OTP
authentication can be made based on multiple conditions
which are evaluated in the following order. The first
matching condition determines the outcome.</div>
<div>The list of supported conditions includes:</div>
<div>- User Attribute</div>
<div>- Role</div>
<div>- Request Header</div>
<div>- Configured Default</div>
<div>If no condition matches, the
ConditionalOtpFormAuthenticator fallback is to require OTP
authentication.</div>
<div><br>
</div>
<div>User Attribute:</div>
<div>A User Attribute like otp_auth can be used to control
OTP authentication on an individual user level. The supported
values are skip and force. If the value is set to skip,
then the OTP auth is skipped for the user; if
the value is force, then the OTP auth is enforced. The
setting is ignored for any other value.</div>
<div><br>
</div>
<div>Role: </div>
<div>A role can be used to control the OTP authentication.
If the user has the specified role, the OTP authentication
is forced. Otherwise, if no role is selected, the setting is
ignored.</div>
<div><br>
</div>
<div>Request Header: </div>
<div>Request Headers are matched via regex patterns and can
be specified as a whitelist and a blacklist. No OTP for
Header specifies the pattern for which OTP authentication
is not required. This can be used to specify trusted
networks, e.g. via: X-Forwarded-Host: (1.2.3.4|1.2.3.5)
where the IPs 1.2.3.4, 1.2.3.5 denote trusted machines.
Force OTP for Header specifies the pattern for which OTP
authentication is required. Whitelist entries take
precedence over blacklist entries.</div>
<div><br>
</div>
<div>Configured Default:</div>
<div>A default fall-through behavior can be specified to
handle cases where none of the previous conditions led to
a conclusion. OTP authentication is required in case no
default is configured.</div>
<div><br>
</div>
<div>The code can be found here <a moz-do-not-send="true"
href="https://github.com/thomasdarimont/keycloak/tree/issue/KEYCLOAK-2040-Conditional-OTP-Authentication">https://github.com/thomasdarimont/keycloak/tree/issue/KEYCLOAK-2040-Conditional-OTP-Authentication</a>
- I can make a PR if this has a chance to get in.</div>
<div><br>
</div>
</div>
<div>Cheers</div>
<div>Thomas</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
keycloak-dev mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Bill Burke
JBoss, a division of Red Hat
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://bill.burkecentral.com">http://bill.burkecentral.com</a></pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Bill Burke
JBoss, a division of Red Hat
<a class="moz-txt-link-freetext" href="http://bill.burkecentral.com">http://bill.burkecentral.com</a></pre>
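<p>The decision order Thomas describes (user attribute, then role, then header whitelist before header blacklist, then configured default, then the fall-back to requiring OTP) is easy to get subtly wrong, so here is a stand-alone model of that evaluation as an added example. It is not code from the linked branch or from Keycloak; the <code>ConditionalOtpConfig</code> fields, the <code>otp_required</code> function and all sample inputs are assumptions constructed for this illustration. The header rules use the "Header-Name: value-regex" shape from the message and are matched with a full match rather than a substring search, which keeps a whitelist for 1.2.3.4 from also accepting 1.2.3.45.</p>

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Values the user attribute (and the configured default) may take.
SKIP = "skip"
FORCE = "force"


@dataclass
class ConditionalOtpConfig:
    """Hypothetical stand-in for the authenticator's admin-console settings."""
    user_attribute: str = "otp_auth"             # attribute name checked first
    force_otp_role: Optional[str] = None         # role that forces OTP when present
    no_otp_for_header: Optional[str] = None      # "Header-Name: value-regex" (whitelist)
    force_otp_for_header: Optional[str] = None   # "Header-Name: value-regex" (blacklist)
    default: Optional[str] = None                # SKIP, FORCE or None (fall back to OTP)


def header_matches(rule: Optional[str], headers: Dict[str, str]) -> bool:
    """True when a 'Name: regex' rule fully matches the request header's value.

    `headers` must already have lower-cased names. fullmatch is used on purpose:
    with search, "(1.2.3.4|1.2.3.5)" would also accept "1.2.3.45". The dots in
    that pattern are still unescaped regex wildcards, so "1\\.2\\.3\\.4" is stricter.
    """
    if not rule or ":" not in rule:
        return False
    name, _, value_regex = rule.partition(":")
    value = headers.get(name.strip().lower())
    if value is None:
        return False
    return re.fullmatch(value_regex.strip(), value.strip()) is not None


def otp_required(cfg: ConditionalOtpConfig,
                 user_attributes: Dict[str, str],
                 user_roles: Iterable[str],
                 headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (require_otp, condition_that_decided) using first-match semantics."""
    normalized = {k.lower(): v for k, v in headers.items()}

    # 1. User attribute: skip / force decide, any other value is ignored.
    attr = user_attributes.get(cfg.user_attribute)
    if attr == SKIP:
        return False, "user_attribute"
    if attr == FORCE:
        return True, "user_attribute"

    # 2. Role: only ever forces OTP, never skips it.
    if cfg.force_otp_role and cfg.force_otp_role in set(user_roles):
        return True, "role"

    # 3. Request header: the whitelist is consulted before the blacklist.
    # A header such as X-Forwarded-Host is only a trustworthy signal when the
    # reverse proxy overwrites any client-supplied value before it reaches here.
    if header_matches(cfg.no_otp_for_header, normalized):
        return False, "header_whitelist"
    if header_matches(cfg.force_otp_for_header, normalized):
        return True, "header_blacklist"

    # 4. Configured default, if any.
    if cfg.default == SKIP:
        return False, "default"
    if cfg.default == FORCE:
        return True, "default"

    # 5. Nothing matched: the safe fall-back is to require OTP.
    return True, "fallback"


# Constructed sample configuration (not taken from the page or the branch).
SAMPLE_CONFIG = ConditionalOtpConfig(
    force_otp_role="admin",
    no_otp_for_header="X-Forwarded-Host: (1.2.3.4|1.2.3.5)",
    force_otp_for_header="X-Forwarded-Host: .*",
    default=SKIP,
)

if __name__ == "__main__":
    # Constructed requests: (attributes, roles, headers)
    for attrs, roles, hdrs in [
        ({"otp_auth": "skip"}, ["admin"], {}),
        ({}, ["admin"], {"X-Forwarded-Host": "1.2.3.4"}),
        ({}, ["user"], {"X-Forwarded-Host": "1.2.3.4"}),
        ({}, ["user"], {"X-Forwarded-Host": "1.2.3.45"}),
        ({}, ["user"], {}),
    ]:
        print(attrs, roles, hdrs, "->", otp_required(SAMPLE_CONFIG, attrs, roles, hdrs))
```

<p>Two points worth checking in a review of any real implementation of this scheme: the role condition can only tighten the outcome while the user attribute and header whitelist can loosen it, so an unescaped or overly broad whitelist regex is the setting most likely to silently remove the second factor; and the fall-back branch is what protects you when the admin leaves every condition unset.</p>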
</body>
</html>