something similar to what you want is already available in Keycloak.
Look for the "Conditional OTP Form" in the "Create Authenticator
when you create a new Authenticator Execution.
The implementation can be found in the keycloak-services module:
2016-12-14 14:06 GMT+01:00 Steve Favez <favez.steve(a)gmail.com>:
I'd like to implement the following use case. I need a Browser
authentication flow that will add, after the User / Password Form
Authenticator, a kind of "access rules" authenticator that will, according
to some request parameters (for example, IP address or application),
dynamically add a second factor authenticator in the flow. (Like OTP or
Furthermore, I'd like to be able to provide a choice of 2FA systems to the
end user (for example, we provide a set of second factors, and the end user
can choose the one he'd like to use).
So, if some "strong authentication" criteria are matched during the browser
authentication process, after providing user and password, the user will get
a form allowing him to choose the second factor system he'd like to use to
My goal is to be able to reuse existing authenticators. (So, not to write a
big 2FA authenticator with all authenticators duplicated inside.)
Thanks in advance for your valuable input
keycloak-user mailing list
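As an added illustration of the pattern the reply points at (this is example code written for this thread, not the Keycloak project's own Conditional OTP Form), the class below reuses the built-in OTP form by extending it and only adds the "access rules" decision in front of it, so the second factor is required for clients outside a trusted network or when a header set by the reverse proxy matches a pattern. The config keys `trustedNetPrefix` and `forceOtpHeaderPattern` are assumptions chosen for this example, and the `AuthenticatorFactory` that registers the class is not shown.

```java
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import javax.ws.rs.core.MultivaluedMap;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.authenticators.browser.OTPFormAuthenticator;

/** Example: conditional second factor that delegates to the existing OTP form. */
public class AccessRulesOtpAuthenticator extends OTPFormAuthenticator {

    // Hypothetical config keys, set on the execution's config in the admin console.
    static final String TRUSTED_NET_PREFIX = "trustedNetPrefix";      // e.g. "10.0."
    static final String FORCE_OTP_HEADER   = "forceOtpHeaderPattern"; // regex over "Name: value"

    /** Pure decision rule, kept free of Keycloak types so it can be unit-tested. */
    static boolean otpRequired(Map<String, String> cfg, String remoteAddr,
                               Map<String, List<String>> headers) {
        String force = cfg.get(FORCE_OTP_HEADER);
        if (force != null) {
            Pattern p = Pattern.compile(force);
            for (Map.Entry<String, List<String>> h : headers.entrySet()) {
                if (p.matcher(h.getKey() + ": " + String.join(",", h.getValue())).matches()) {
                    return true; // e.g. a marker header the proxy adds to external traffic
                }
            }
        }
        String trusted = cfg.get(TRUSTED_NET_PREFIX);
        // Fail closed: no trusted prefix configured, or an address outside it, means OTP.
        return trusted == null || remoteAddr == null || !remoteAddr.startsWith(trusted);
    }

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        Map<String, String> cfg = context.getAuthenticatorConfig() == null
                ? Collections.<String, String>emptyMap()
                : context.getAuthenticatorConfig().getConfig();
        MultivaluedMap<String, String> headers =
                context.getHttpRequest().getHttpHeaders().getRequestHeaders();
        if (otpRequired(cfg, context.getConnection().getRemoteAddr(), headers)) {
            super.authenticate(context); // show the existing OTP form; action() is inherited
        } else {
            context.success();           // no rule matched: password alone is enough
        }
    }
}
```

The address check is only as good as the address Keycloak sees: behind a reverse proxy, `getRemoteAddr()` returns the proxy unless Keycloak is configured to trust the proxy's forwarded address, and a plain string prefix is a deliberately simple stand-in for real CIDR matching.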