Hello group,

this is my first post on this mailing list and I want to say thank you for this awesome project!

I had a look at many IDM / SSO solutions before and Keycloak provided the best out-of-the-box experience so far!

I posted the following in the JIRA initially but Stian Thorgersen asked me to post this on the mailing list as well.


Scenario:

Support for conditional AuthenticationFlowExecution.

Often some authentication flow steps should only be executed under certain conditions, e.g. sometimes a TOTP based auth step is only required if requests come with a certain request header value.

It would be cool if one could configure a condition on the AuthenticationFlowExecution (if I'm not mistaken) that, if evaluated to true, would execute or skip a particular authentication step.

This could perhaps be configured via the admin console in the Authentication -> Flows tab.

Conditions could perhaps be simple JavaScript expressions that could be evaluated via the built-in JavaScript ScriptEngine.

For this it would be useful to provide a set of "standard" functions that can be called from the expressions (perhaps based on a whitelist).

Admins should also be able to define their custom functions.

The context could provide access to the current http request, current user, the requested client application and perhaps the Keycloak configuration.

The issue: https://issues.jboss.org/browse/KEYCLOAK-2108
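The following is an added sketch of the idea described in the post (whitelisted context, JavaScript condition evaluated by the JDK ScriptEngine); it is not Keycloak code and not the poster's, and the `RequestView`/`UserView`/`ClientView` classes, the `shouldExecuteStep` method, the `X-Client-Network` header and the `payments-app` client id are all hypothetical. It assumes a JDK that ships Nashorn (JDK 8 to 14) so that `jdk.nashorn.api.scripting.ClassFilter` is available.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.script.Bindings;
import javax.script.ScriptEngine;
import jdk.nashorn.api.scripting.ClassFilter;
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;

/**
 * Added illustration, not Keycloak code: evaluates a JavaScript condition attached to an
 * authentication step against a narrow, read-only view of request, user and client.
 * Assumes a JDK that ships Nashorn (JDK 8 to 14).
 */
public class ConditionalExecutionDemo {

    /** Read-only view of the HTTP request: the script can read headers and nothing else. */
    public static final class RequestView {
        private final Map<String, String> headers;
        public RequestView(Map<String, String> headers) {
            this.headers = Collections.unmodifiableMap(new HashMap<>(headers));
        }
        public String getHeader(String name) { return headers.get(name); }
    }

    /** Read-only view of the authenticating user. */
    public static final class UserView {
        private final String username;
        private final Set<String> roles;
        public UserView(String username, Set<String> roles) {
            this.username = username;
            this.roles = Collections.unmodifiableSet(new HashSet<>(roles));
        }
        public String getUsername() { return username; }
        public boolean hasRole(String role) { return roles.contains(role); }
    }

    /** Read-only view of the client application the user is logging in to. */
    public static final class ClientView {
        private final String clientId;
        public ClientView(String clientId) { this.clientId = clientId; }
        public String getClientId() { return clientId; }
    }

    /**
     * Engine whose class filter rejects every Java class, so an expression can only use
     * the three views placed in its bindings (the "whitelist" from the proposal).
     * A plain ScriptEngineManager engine would expose the whole JDK to the expression.
     */
    private static ScriptEngine newRestrictedEngine() {
        ClassFilter denyAllJavaClasses = className -> false;
        return new NashornScriptEngineFactory().getScriptEngine(denyAllJavaClasses);
    }

    /**
     * Returns true when the step must run. A condition that throws or yields a
     * non-boolean is treated as "run the step", so a broken condition can never
     * silently skip a TOTP check (fail closed).
     */
    public static boolean shouldExecuteStep(String condition, RequestView request,
                                            UserView user, ClientView client) {
        ScriptEngine engine = newRestrictedEngine();
        Bindings bindings = engine.createBindings();
        bindings.put("request", request);
        bindings.put("user", user);
        bindings.put("client", client);
        try {
            Object result = engine.eval(condition, bindings);
            return !(result instanceof Boolean) || (Boolean) result;
        } catch (Exception e) {  // ScriptException or any runtime error raised by the script
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed sample input. The header is assumed to be set by a trusted reverse
        // proxy; a header the browser can set itself must never be allowed to skip a step.
        Map<String, String> headers = new HashMap<>();
        headers.put("X-Client-Network", "external");
        UserView user = new UserView("alice", new HashSet<>(Collections.singleton("employee")));
        ClientView client = new ClientView("intranet-portal");

        // Require TOTP unless the request came from the internal network; always require
        // it for admins and for the (hypothetical) payments application.
        String condition = "request.getHeader('X-Client-Network') !== 'internal'"
                         + " || user.hasRole('admin')"
                         + " || client.getClientId() === 'payments-app'";

        System.out.println("run TOTP step: "
                + shouldExecuteStep(condition, new RequestView(headers), user, client)); // true

        headers.put("X-Client-Network", "internal");
        System.out.println("run TOTP step: "
                + shouldExecuteStep(condition, new RequestView(headers), user, client)); // false
    }
}
```

Two design points carry over to any real implementation: the expression only ever sees the explicitly bound views (the class filter keeps it from reaching `java.*`), and an evaluation failure defaults to executing the step rather than skipping it. The value of a request header used to skip a step is only trustworthy if something in front of Keycloak sets or strips it, since the browser itself can send arbitrary headers.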