since this was requested multiple times, I implemented a custom OTP Authenticator
that can conditionally show the OTP form over the weekend.
I build something along the lines based on keycloak 1.8 (already adapted this for Keycloak 1.7) which allows you to conditionally require OTP authentication - I can contribute that if desired.
The solution consists of a custom ConditionalOtpFormAuthenticator that extends the OTPFormAuthenticator which can be configured with some conditions via the admin interface.
The decision for whether or not to require OTP authentication can be made based on multiple conditions which are evaluated in the following order. The first matching condition determines the outcome.
The list of supported conditions include:
- User Attribute
- Role
- Request Header
- Configured Default
If no condition matches, the ConditionalOtpFormAuthenticator fallback is to require OTP authentication.
User Attribute:
A User Attribute like otp_auth can be used to control OTP authentication on individual user level. The supported values are skip and force. If the value is set to skip then the OTP auth is skipped for the user, otherwise if the value is force then the OTP auth is enforced. The setting is ignored for any other value.
Role:
A role can be used to control the OTP authentication. If the user has the specified role the OTP authentication is forced. Otherwise if no role is selected the setting is ignored.
Request Header:
Request Headers are matched via regex Patterns and can be specified as a whitelist and blacklist. No OTP for Header specifies the pattern for which OTP authentication is not required. This can be used to specify trusted networks, e.g. via: X-Forwarded-Host: (1.2.3.4|1.2.3.5) where The IPs 1.2.3.4, 1.2.3.5 denote trusted machines. Force OTP for Header specifies the pattern for which OTP authentication is required. Whitelist entries take precedence before blacklist entries.
Configured Default:
A default fall-though behavior can be specified to handle cases where all previous conditions did not lead to a conclusion. An OTP authentication is required in case no default is configured.