Hi keycloak's experts,
I'm wondering if it's possible to chain realm invocations in Keycloak (and
also, whether it's good practice or not).
The use case is the following:
Keycloak is used as an SSO identity server for a set of applications
with different security policies, but for the same users (so, same user
directory).
- some applications require only "user / password" authentication.
- some applications require a second authentication factor (for
example SMS, or any other system).
My idea was the following:
- we have a first realm, let's name it "simple realm", that requires
only user / password
- we have a second realm, let's name it "2fa realm", that requires a
token from "simple realm" and the second authentication factor.
- If I connect to an application secured by the "2fa realm", my
application will redirect to the "2fa realm"; then, as it can't find
any simple token, the realm dispatches the invocation to the "simple
realm", and then asks for the second authentication factor.
So, a user authenticated against the "2fa realm" gets two tokens: the
simple realm token and the 2FA token.
Thanks in advance for your valuable comments, ideas or criticism.
Best regards.
Steve
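One way the delegation described in this post could be expressed in Keycloak is identity brokering: the "2fa realm" registers the "simple realm" as an OpenID Connect identity provider, so a login against the "2fa realm" is first redirected to the "simple realm" for the password step and then continues in the "2fa realm" for the second factor. The realm-import fragment below is an added illustration, not configuration from the original post or from the Keycloak project; the realm names, the host sso.example.com, the broker client id and secret, and the post-broker flow alias are assumptions. The post-broker flow named here is assumed to be a flow you define in the "2fa realm" that contains only the OTP step.

```json
{
  "realm": "2fa-realm",
  "enabled": true,
  "identityProviders": [
    {
      "alias": "simple-realm",
      "displayName": "Simple realm (password only)",
      "providerId": "oidc",
      "enabled": true,
      "trustEmail": true,
      "storeToken": false,
      "firstBrokerLoginFlowAlias": "first broker login",
      "postBrokerLoginFlowAlias": "post broker login with otp",
      "config": {
        "issuer": "https://sso.example.com/realms/simple-realm",
        "authorizationUrl": "https://sso.example.com/realms/simple-realm/protocol/openid-connect/auth",
        "tokenUrl": "https://sso.example.com/realms/simple-realm/protocol/openid-connect/token",
        "jwksUrl": "https://sso.example.com/realms/simple-realm/protocol/openid-connect/certs",
        "clientId": "2fa-realm-broker",
        "clientSecret": "REPLACE_WITH_BROKER_CLIENT_SECRET",
        "clientAuthMethod": "client_secret_post",
        "validateSignature": "true",
        "useJwksUrl": "true",
        "defaultScope": "openid",
        "syncMode": "IMPORT"
      }
    }
  ]
}
```

With this wiring the user does end up with two tokens, one per realm, exactly as the post describes, and that is where the practical caveat sits: each application must validate the issuer of the token it receives against its own realm, so that a "simple realm" token is never accepted by an application that is supposed to be protected by the "2fa realm". Signature validation against the simple realm's JWKS (validateSignature / useJwksUrl above) is what lets the 2fa realm trust the brokered identity, and storeToken is left false so the password-only token is not retained on the 2fa side after brokering.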