I would like to let my users have a choice of which authentication method to use. For example, they could be presented with a menu to pick an option (username/pass, username/pass+OTP, etc.). Then Keycloak should, based on their choice, assign a specific scope to the token.
Is this possible to do with Keycloak (probably by somehow utilizing auth methods chaining), and how? I couldn't find this in the documentation, but it seems like a reasonable use case to me.
Here is my solution:
Circled authenticators are custom ones for which I provided a custom implementation. I used the fall-through mechanism, which means that the first authenticator implements a custom form:
which lets the user choose an authenticator and captures the user's choice in a variable.
Later, this variable is used in the following authenticators to decide whether to do the authentication or to pass control on to the next authenticator.
You can read more about Authentication SPI in the following page: https://www.keycloak.org/docs/latest/server_development/index.html#_auth_spi
And here you can see how to implement a custom authenticator.
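The fall-through mechanism described in this answer, sketched as an added example (not the answerer's code): a first authenticator stores the user's choice as an auth note, and later authenticators check it before running. It assumes a recent Keycloak with `jakarta.*` imports; the template name, form field and note key are hypothetical.

```java
// Added example, not the answerer's code. Older Keycloak releases use javax.ws.rs instead.
import jakarta.ws.rs.core.Response;
import java.util.Set;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/** First step: shows the menu and records the choice in the server-side auth session. */
public class MethodChoiceAuthenticator implements Authenticator {
    static final String NOTE = "CHOSEN_AUTH_METHOD";            // hypothetical note key
    static final Set<String> ALLOWED = Set.of("password", "password-otp");

    @Override public void authenticate(AuthenticationFlowContext ctx) {
        Response menu = ctx.form().createForm("select-method.ftl"); // hypothetical template
        ctx.challenge(menu);
    }
    @Override public void action(AuthenticationFlowContext ctx) {
        // "auth_method" is a hypothetical form field posted by the template above.
        String choice = ctx.getHttpRequest().getDecodedFormParameters().getFirst("auth_method");
        if (choice == null || !ALLOWED.contains(choice)) {        // allowlist the submitted value
            authenticate(ctx);                                     // re-display the menu
            return;
        }
        ctx.getAuthenticationSession().setAuthNote(NOTE, choice);
        ctx.success();
    }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}

/** Later step: runs only when its method was chosen, otherwise falls through. */
abstract class GatedAuthenticator implements Authenticator {
    protected abstract String method();                           // e.g. "password-otp"
    protected abstract void doAuthenticate(AuthenticationFlowContext ctx);

    @Override public final void authenticate(AuthenticationFlowContext ctx) {
        String chosen = ctx.getAuthenticationSession().getAuthNote(MethodChoiceAuthenticator.NOTE);
        if (method().equals(chosen)) {
            doAuthenticate(ctx);                                   // challenge for this method's credentials
        } else {
            // Falls through only on an ALTERNATIVE execution; on a REQUIRED one this fails the flow.
            ctx.attempted();
        }
    }
}
```

Each authenticator also needs an `AuthenticatorFactory` registered under `META-INF/services` before it can be added to a flow in the admin console.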
Here is what I did, and it works.
'My goal was to give the client the ability to choose the authentication flow, choosing between OTP-based email and SMS.'
I created a new authentication flow, see screenshot:
Select 'Alternative' on both flows.
On the login form, a new link 'try another way' will appear.
Now the client can choose between flows. See screenshot: