I am trying to set up a custom Browser Flow that essentially allows the user to authenticate their 2FA as either OTP or WebAuthN. Where, after submitting the username and password, the users are presented with the two options.
It should always show the choice regardless of their current setup of 2FA. If they have both set up then they can choose either. If they have one set up but not the other, they should have the choice of using the one they already have or they can register with the one they don’t have set up and use that.
Currently I have the following flow set up where I am trying to do this, but with an additional check for an MFA role (Should not matter).
With the setup above if the user does not already have one already set up, it will fail with the following screen even though the username and password is correct:
If I mark the “WebAuthn Authenticator” to disabled it prompts to set up OTP and vice versa for WebAuthn setup.
If the user has only one set up then it automatically prompts for that and never presents the other option. If the user has both set up, Keycloak chooses the first in the list to prompt for without the option to choose.
Is there any way to get something like this set up?