Since this was requested multiple times, I implemented a
custom OTP Authenticator
that can conditionally show the OTP form over the weekend.
I built something along those lines based on Keycloak 1.8
(already adapted this for Keycloak 1.7) which allows you to
conditionally require OTP authentication - I can contribute
that if desired.
The solution consists of a custom
ConditionalOtpFormAuthenticator that extends the
OTPFormAuthenticator which can be configured with some
conditions via the admin interface.
The decision for whether or not to require OTP
authentication can be made based on multiple conditions
which are evaluated in the following order. The first
matching condition determines the outcome.
The list of supported conditions includes:
- User Attribute
- Role
- Request Header
- Configured Default
If no condition matches, the
ConditionalOtpFormAuthenticator fallback is to require OTP
authentication.
User Attribute:
A User Attribute like otp_auth can be used to control OTP
authentication at the individual user level. The supported
values are skip and force. If the value is set to skip then
the OTP auth is skipped for the user, otherwise if the value
is force then the OTP auth is enforced. The setting is
ignored for any other value.
Role:
A role can be used to control the OTP authentication. If
the user has the specified role the OTP authentication is
forced. Otherwise if no role is selected the setting is
ignored.
Request Header:
Request Headers are matched via regex patterns and can be
specified as a whitelist and blacklist. No OTP for Header
specifies the pattern for which OTP authentication is not
required. This can be used to specify trusted networks, e.g.
via: X-Forwarded-Host: (1.2.3.4|1.2.3.5) where the IPs
1.2.3.4, 1.2.3.5 denote trusted machines. Force OTP for
Header specifies the pattern for which OTP authentication is
required. Whitelist entries take precedence over blacklist
entries.
Configured Default:
A default fall-through behavior can be specified to handle
cases where all previous conditions did not lead to a
conclusion. An OTP authentication is required in case no
default is configured.
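To make the evaluation order concrete, here is a small Python model of the decision procedure described above. It is an added illustration written for this post, not the Java code of the ConditionalOtpFormAuthenticator or anything shipped with Keycloak; the config field names, the User type, the header dictionary and the convention that a header pattern is matched against the whole "Name: value" string are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

SKIP = "skip"
FORCE = "force"


@dataclass
class ConditionalOtpConfig:
    """Settings an admin would enter for the authenticator (field names assumed)."""
    user_attribute: Optional[str] = None        # e.g. "otp_auth"; values skip / force
    force_otp_role: Optional[str] = None        # role name that forces OTP
    no_otp_for_header: Optional[str] = None     # whitelist regex, "Name: value-regex"
    force_otp_for_header: Optional[str] = None  # blacklist regex, "Name: value-regex"
    default: Optional[str] = None               # skip, force, or None (not configured)


@dataclass
class User:
    """Minimal stand-in for the authenticated user (assumed shape)."""
    attributes: Dict[str, str] = field(default_factory=dict)
    roles: Set[str] = field(default_factory=set)


def _any_header_matches(pattern: Optional[str], headers: Dict[str, str]) -> bool:
    """True if some request header, rendered as 'Name: value', fully matches pattern.

    Assumption: the pattern covers the whole 'Name: value' string, which is how the
    X-Forwarded-Host example in the post reads. Dots in an IP must be escaped,
    otherwise '1.2.3.4' also matches '1x2x3x4'.
    """
    if not pattern:
        return False
    regex = re.compile(pattern)
    return any(regex.fullmatch(f"{name}: {value}") for name, value in headers.items())


def decide_otp(cfg: ConditionalOtpConfig, user: User,
               headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (require_otp, reason). Conditions are checked in the post's order;
    the first one that yields a decision wins."""
    # 1. User attribute: skip / force decide; any other value is ignored.
    if cfg.user_attribute:
        value = user.attributes.get(cfg.user_attribute)
        if value == SKIP:
            return False, "user attribute"
        if value == FORCE:
            return True, "user attribute"
    # 2. Role: membership forces OTP; no role configured means the check is skipped.
    if cfg.force_otp_role and cfg.force_otp_role in user.roles:
        return True, "role"
    # 3. Request headers: the whitelist is consulted before the blacklist.
    if _any_header_matches(cfg.no_otp_for_header, headers):
        return False, "header whitelist"
    if _any_header_matches(cfg.force_otp_for_header, headers):
        return True, "header blacklist"
    # 4. Configured default.
    if cfg.default == SKIP:
        return False, "default"
    if cfg.default == FORCE:
        return True, "default"
    # 5. Nothing decided: the authenticator falls back to requiring OTP.
    return True, "fallback"


# Constructed sample configuration: trusted hosts 1.2.3.4 / 1.2.3.5 skip OTP,
# any other forwarded host forces it, and no default is configured.
SAMPLE_CONFIG = ConditionalOtpConfig(
    user_attribute="otp_auth",
    force_otp_role="admin",
    no_otp_for_header=r"X-Forwarded-Host: (1\.2\.3\.4|1\.2\.3\.5)",
    force_otp_for_header=r"X-Forwarded-Host: .*",
)

if __name__ == "__main__":
    print(decide_otp(SAMPLE_CONFIG, User({"otp_auth": "skip"}, {"admin"}), {}))
    print(decide_otp(SAMPLE_CONFIG, User(roles={"admin"}), {"X-Forwarded-Host": "1.2.3.4"}))
    print(decide_otp(SAMPLE_CONFIG, User(), {"X-Forwarded-Host": "1.2.3.4"}))
    print(decide_otp(SAMPLE_CONFIG, User(), {"X-Forwarded-Host": "9.9.9.9"}))
    print(decide_otp(SAMPLE_CONFIG, User(), {}))
```

Two things the model makes visible: an admin who is on a whitelisted host still gets OTP, because the role condition is evaluated before the header conditions; and the header whitelist is only as trustworthy as the component that sets the header, so X-Forwarded-* values should come from a reverse proxy that overwrites whatever the client sent rather than from the client directly.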