Hi Keycloak experts,
I'm wondering if it's possible to chain realm invocations in Keycloak (and also whether it's good practice or not).
The use case is the following:
Keycloak is used as an SSO identity server for a set of applications with different security policies, but for the same users (so, the same user directory).
- Some applications require only "user / password" authentication.
- Some applications require a second authentication factor (for example SMS, or any other system).
My idea was the following:
- We have a first realm, let's name it "simple realm", that requires only user / password.
- We have a second realm, let's name it "2fa realm", that requires a token from the "simple realm" and the second authentication factor.
- If I connect to an application secured by the "2fa realm", my application will redirect to the "2fa realm"; then, as it can't find any simple token, the realm dispatches the invocation to the "simple realm", and then asks for the second authentication factor.
So, a user authenticated against the "2fa realm" gets two tokens: the simple realm token and the 2FA token.
Thanks in advance for your valuable comments, ideas or criticisms.
Best regards.
Steve