[keycloak-user] How does conditional OTP form work?

Stian Thorgersen sthorger at redhat.com
Wed Nov 9 09:10:08 EST 2016


We're currently looking at the conditional OTP form as it seems to be
broken. The way it should work is: if it's required, it's required only if
OTP is required depending on roles and headers. If it's optional, it should
only be required if the user has configured OTP.

On 9 November 2016 at 14:36, Georgobasiles, Georgios (AMOS SE) <
GEORGIOS.GEORGOBASILES at allianz.de> wrote:

> Dear all,
> I’m trying out a scenario where users are forced into different login
> flows depending on their browser’s user agent HTTP header: all users have
> to log in over a SAML IP and, in addition, users who don’t use IE need to
> go through an OTP form.
>
> I’ve set up a SAML IP with a post login flow that consists of a single
> “Conditional OTP Form” execution. For test purposes, the only condition in
> that execution is a “Skip OTP for Header” which is “User-Agent:.*MSIE.*”
> with a fallback OTP handling to “force”.
>
> I noticed that when the execution is marked as “required”, an OTP form is
> always shown to the user regardless of their browser’s user agent and when
> it’s marked as “optional”, the user never gets to see the OTP form, so it
> looks like the condition on the HTTP header is always ignored. What am I
> missing?
>
>
>
> version: 2.3.0 final
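The decision described in this thread, modelled as an added example; it is not part of either message and not Keycloak's own code. Assumptions: each header is rendered as a `Name: value` line and the pattern must match the whole line, an "optional" execution shows the form only when the user has OTP configured and the conditions say force, and the function names and sample User-Agent strings are constructed for illustration.

```python
import re

SKIP, FORCE = "skip", "force"

def condition_outcome(headers, skip_header=None, force_header=None, fallback=FORCE):
    """Evaluate the header conditions; use the fallback when none matches.

    Assumption: each header is rendered as 'Name: value' and the pattern has
    to match the whole line, which is how the pattern in the post is written.
    """
    lines = [f"{name}: {value}" for name, value in headers.items()]
    if skip_header and any(re.fullmatch(skip_header, l, re.DOTALL) for l in lines):
        return SKIP
    if force_header and any(re.fullmatch(force_header, l, re.DOTALL) for l in lines):
        return FORCE
    return fallback

def otp_form_shown(requirement, outcome, user_has_otp):
    """Intended behaviour per the reply, as read here (an assumption)."""
    if requirement == "required":
        return outcome == FORCE
    if requirement == "optional":
        return user_has_otp and outcome == FORCE
    return False  # execution disabled

# Constructed sample User-Agent values (not taken from the post).
SAMPLE_AGENTS = {
    "ie10": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
    "ie11": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
    "firefox": "Mozilla/5.0 (Windows NT 6.1; rv:49.0) Gecko/20100101 Firefox/49.0",
}

def decision_table(requirement, user_has_otp):
    """Map each sample browser to whether the OTP form would be shown."""
    table = {}
    for name, agent in SAMPLE_AGENTS.items():
        # Condition from the post: skip on MSIE, fallback handling "force".
        outcome = condition_outcome({"User-Agent": agent},
                                    skip_header="User-Agent:.*MSIE.*")
        table[name] = otp_form_shown(requirement, outcome, user_has_otp)
    return table

if __name__ == "__main__":
    for requirement in ("required", "optional"):
        for has_otp in (True, False):
            print(requirement, has_otp, decision_table(requirement, has_otp))
```

Internet Explorer 11 does not send the `MSIE` token, so with this pattern it falls through to the force fallback. The User-Agent value is supplied by the client, so a skip condition keyed on it is best treated as a convenience rule rather than an access control.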

