<div dir="ltr"><p style="margin:0px;padding:0px;font-family:Cabin;font-size:13px;line-height:19.5px;border:0px;vertical-align:baseline;color:rgb(61,61,61)">Hi keycloak&#39;s experts,</p><p style="margin:0px;padding:0px;font-family:Cabin;font-size:13px;line-height:19.5px;border:0px;vertical-align:baseline;color:rgb(61,61,61);min-height:8pt"> </p><p style="margin:0px;padding:0px;font-family:Cabin;font-size:13px;line-height:19.5px;border:0px;vertical-align:baseline;color:rgb(61,61,61)">I&#39;m wondering if it&#39;s possible to chain realm&#39;s invocation in keycloak (and also, if it&#39;s a good practice or not).</p><p style="margin:0px;padding:0px;font-family:Cabin;font-size:13px;line-height:19.5px;border:0px;vertical-align:baseline;color:rgb(61,61,61)">The use case is the following :</p><p style="margin:0px;padding:0px;font-family:Cabin;font-size:13px;line-height:19.5px;border:0px;vertical-align:baseline;color:rgb(61,61,61)">     Keycloak is used as an SSO identity server for a set of application with different security policies, but for the same users. (so, same user directory).</p><ul style="margin:0px;padding:0px 0px 0px 30px;font-size:13px;line-height:19.5px;list-style-position:outside;font-family:Cabin;border:0px;vertical-align:baseline;color:rgb(61,61,61)"><ul style="margin:0px;padding:0px 0px 0px 30px;line-height:1.5;list-style-position:outside;font-family:inherit;border:0px;font-weight:inherit;font-style:inherit;vertical-align:baseline"><li style="margin:0.5ex 0px;padding:0px;border:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline;list-style-type:inherit">some applications require only &quot;user / password&quot; authentication.</li><li style="margin:0.5ex 0px;padding:0px;border:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline;list-style-type:inherit">some applications require a second authentication factor. (for example sms, or any other systems).</li></ul></ul><p style="margin:0px;padding:0px;font-family:Cabin;font-size:13px;line-height:19.5px;border:0px;vertical-align:baseline;color:rgb(61,61,61)">     My idea was the following :</p><ul style="margin:0px;padding:0px 0px 0px 30px;font-size:13px;line-height:19.5px;list-style-position:outside;font-family:Cabin;border:0px;vertical-align:baseline;color:rgb(61,61,61)"><ul style="margin:0px;padding:0px 0px 0px 30px;line-height:1.5;list-style-position:outside;font-family:inherit;border:0px;font-weight:inherit;font-style:inherit;vertical-align:baseline"><li style="margin:0.5ex 0px;padding:0px;border:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline;list-style-type:inherit">we&#39;ve a first realm - let&#39;s name it &quot;simple realm&quot;, that require only user / password</li><li style="margin:0.5ex 0px;padding:0px;border:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline;list-style-type:inherit">we&#39;ve a second realm - let&#39;s name it &quot;2fa realm&quot; that require a token from &quot;simple realm&quot; and the second authentication factor.</li><li style="margin:0.5ex 0px;padding:0px;border:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline;list-style-type:inherit">If I connect to an application secured by the &quot;2fa realm&quot;, my application will redirect to the &quot;2fa realm&quot;, then, as it can&#39;t found any simple token, the realm dispatch the invocation to the &quot;simple realm&quot;, and then ask for the second authentication factor.</li></ul></ul><p style="margin:0px;padding:0px;font-family:Cabin;font-size:13px;line-height:19.5px;border:0px;vertical-align:baseline;color:rgb(61,61,61)">So, a user authenticated against the &quot;2fa realm&quot; get two tokens : the simple realm token and the 2FA token.</p><p style="margin:0px;padding:0px;font-family:Cabin;font-size:13px;line-height:19.5px;border:0px;vertical-align:baseline;color:rgb(61,61,61);min-height:8pt"> </p><p style="margin:0px;padding:0px;font-family:Cabin;font-size:13px;line-height:19.5px;border:0px;vertical-align:baseline;color:rgb(61,61,61)">Thanks in advance for your valuable comments , ideas or critics.</p><p style="margin:0px;padding:0px;font-family:Cabin;font-size:13px;line-height:19.5px;border:0px;vertical-align:baseline;color:rgb(61,61,61);min-height:8pt"> </p><p style="margin:0px;padding:0px;font-family:Cabin;font-size:13px;line-height:19.5px;border:0px;vertical-align:baseline;color:rgb(61,61,61)">Best regards.</p><p style="margin:0px;padding:0px;font-family:Cabin;font-size:13px;line-height:19.5px;border:0px;vertical-align:baseline;color:rgb(61,61,61)"><br></p><p style="margin:0px;padding:0px;font-family:Cabin;font-size:13px;line-height:19.5px;border:0px;vertical-align:baseline;color:rgb(61,61,61)">Steve</p></div>