I am trying to build a custom Browser Authentication flow where the conditional OTP is based on not just one role but multiple roles.
I know there exists a “Condition - user role” step but this only allows a radio button selection of one role. Our system has upwards of 30 different roles with certain roles requiring MFA to log in. It would be ridiculous and unmaintainable to add a role check for each individual role that requires MFA.
I also know that we have the option to add yet another role specific to “MFA” and only base the flow off of that. However, it is not ideal given this is now a Keycloak only role whereas we currently have application and Keycloak roles the same and in sync.
Is there a way to base this condition off of a group or group attribute? Any help or suggestions to implement the above with out-of-the-box Keycloak features would be appreciated. We really don't want to have to implement an SPI for this if we can help it.
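Whatever mechanism ends up driving the conditional OTP step, the decision it has to make is the same: "does this user hold any of a configured set of MFA-requiring roles, or belong to a group flagged for MFA?" The Python below is an added illustration of that decision, not code from the original post or from Keycloak. It uses constructed sample data (the users, groups and role names are made up) and assumes, as Keycloak does for its role checks, that composite roles are expanded transitively when deciding what roles a user effectively holds; the `requireMfa` group attribute name is likewise a placeholder chosen for the example.

```python
from dataclasses import dataclass, field

# Constructed sample realm data; no real Keycloak export was used.
# Composite roles map a role name to the roles it contains.
COMPOSITE_ROLES: dict[str, set[str]] = {
    "finance-admin": {"finance-viewer", "mfa-required"},
    "hr-admin": {"hr-viewer", "mfa-required"},
}


@dataclass
class Group:
    name: str
    # Keycloak stores group attributes as name -> list of values.
    attributes: dict[str, list[str]] = field(default_factory=dict)


@dataclass
class User:
    username: str
    roles: set[str]           # directly assigned realm roles
    groups: list[Group] = field(default_factory=list)


def effective_roles(direct_roles: set[str]) -> set[str]:
    """Expand composite roles transitively, so a user holding
    'finance-admin' also effectively holds 'mfa-required'."""
    seen: set[str] = set()
    stack = list(direct_roles)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(COMPOSITE_ROLES.get(role, set()))
    return seen


def has_mfa_role(user: User, mfa_roles: set[str]) -> bool:
    """True if any effective role is in the configured MFA set.
    A set lookup scales to dozens of roles without a per-role step."""
    return bool(effective_roles(user.roles) & mfa_roles)


def in_mfa_group(user: User, attribute: str = "requireMfa") -> bool:
    """True if any of the user's groups carries attribute=true
    (case-insensitive), the group-attribute variant of the check."""
    return any(
        "true" in (v.lower() for v in group.attributes.get(attribute, []))
        for group in user.groups
    )


def mfa_required(user: User, mfa_roles: set[str]) -> bool:
    """The combined condition an OTP step would evaluate."""
    return has_mfa_role(user, mfa_roles) or in_mfa_group(user)


if __name__ == "__main__":
    policy = {"finance-admin", "hr-admin"}
    alice = User("alice", {"finance-admin"})
    bob = User("bob", {"finance-viewer"}, [Group("staff")])
    carol = User("carol", {"support"},
                 [Group("privileged", {"requireMfa": ["true"]})])
    for u in (alice, bob, carol):
        print(u.username, "requires MFA:", mfa_required(u, policy))
```

Two points worth noting from the example: listing the MFA roles as one configured set keeps the flow maintainable as roles are added, and because composite roles are expanded, a single marker role nested inside each privileged role would be matched even though the user was never assigned it directly.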