Dear all,
I need to implement the following use case.
My web application is authenticated against a given realm
on Keycloak, using a simple user / password authentication
model. But a part of my web app would require a stronger
authentication mechanism (a second factor in fact) based on
the current user.
What's the "best" solution using Keycloak? I was thinking
of two different solutions:
1. Add an attribute in my OIDC token that could be named
"level", and have an adapter that would check the level of
the token and, if it does not correspond, redirect to the realm
that would ask for the second factor of authentication.
2. Create a "2FA" realm that would rely on the simple
authentication realm... but is it possible in the same web app
(I mean, to use two realms)?
Open to any ideas.
Thanks
St
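
The check described in option 1, sketched as an added example that is not part of the original message and not Keycloak adapter code: a per-path minimum level is compared with the "level" claim of an already verified token, and an insufficient level produces an OIDC authorization redirect. The endpoint URL, client id, integer levels, path policy and the use of the standard `acr_values` request parameter are assumptions; how the server maps the requested value to a second factor is realm configuration outside this sketch.

```python
import secrets
from urllib.parse import urlencode

# Assumptions, not from the original message: the endpoint URL, client id,
# integer values for the "level" claim, and the path policy below.
AUTH_ENDPOINT = "https://sso.example.test/realms/demo/protocol/openid-connect/auth"
CLIENT_ID = "my-web-app"
REQUIRED_LEVEL = {"/": 1, "/admin": 2}  # path prefix -> minimum level
HIGHEST = max(REQUIRED_LEVEL.values())


def required_level(path):
    """Longest matching prefix wins; unmatched paths need the highest level."""
    hits = [p for p in REQUIRED_LEVEL
            if path == p or path.startswith(p.rstrip("/") + "/")]
    return REQUIRED_LEVEL[max(hits, key=len)] if hits else HIGHEST


def token_level(claims):
    """Level from claims the OIDC library has ALREADY signature-verified.
    A missing or non-integer claim counts as 0, so the check fails closed."""
    value = claims.get("level")
    if isinstance(value, bool) or not isinstance(value, int):
        return 0
    return value


def authorize(path, claims, redirect_uri):
    """Return ("allow", None, None) or ("step_up", url, state)."""
    need = required_level(path)
    if token_level(claims) >= need:
        return ("allow", None, None)
    # The caller stores state in the session and compares it on the callback;
    # the new token's level is checked again before access is granted.
    state = secrets.token_urlsafe(16)
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "acr_values": str(need),  # standard OIDC parameter for requested assurance
    })
    return ("step_up", f"{AUTH_ENDPOINT}?{query}", state)
```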