I have 3 MFA options (as a user attribute, each user has an mfa_option), such as SMS, Email and TOTP. I made a custom browser with conditions to achieve this: if the user has SMS as the attribute, it enters the SMS section. Email: enters the email section, etc. But it's not working, it just gives an Access Denied error… what is causing this?
Your conditions will not be evaluated if the subflow is an alternative subflow. Conditions are only evaluated if the surrounding subflow is of type conditional.
Of course, as this subflow does not have a condition.
Unfortunately, you gave us no additional information, like how the user you tested with is configured (attributes) and how your conditions are configured. So we don't know what you expect and where the error might occur.
I just try to deviate the cause… it’s likely that it occurs, as you use the OTP authenticator, not OTP Form. The OTP tries to get the information from the request and has no form.
Please also consult the documentation, where you can get a lot of information about authentication flows.
Thanks, it worked. The problem was with that OTP, I needed the OTP FORM, now it's all working. This is how my Keycloak is configured:
The user has an attribute named mfa_option, which is configured outside Keycloak via an API and can have one of these 3 values: SMS, Email, TOTP. Then, the browser flow has those 3 conditional sections that verify the value of that field. Thanks, helped a lot!
Here’s an example of one of the 3 conditions I have.
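The two causes identified in this thread (a condition placed in a subflow that is not conditional, and the form-less OTP authenticator used in a browser flow) can be checked for in a realm export. The following is an added example, not part of the original posts and not the poster's configuration; the flow aliases and the `sms-authenticator` provider are hypothetical, and mapping the thread's "OTP" entry to the `direct-grant-validate-otp` provider id is an assumption.

```python
# Provider ids as found in Keycloak realm exports. Mapping the thread's "OTP"
# entry to direct-grant-validate-otp is an assumption of this example.
FORMLESS_OTP = "direct-grant-validate-otp"
OTP_FORM = "auth-otp-form"

def audit_browser_flow(realm):
    """Walk the bound browser flow; return (flow alias, authenticator, problem) tuples."""
    flows = {f["alias"]: f for f in realm["authenticationFlows"]}
    findings = []

    def walk(alias, requirement):
        for ex in flows[alias]["authenticationExecutions"]:
            if ex.get("authenticatorFlow"):
                # Subflow: its requirement decides whether conditions inside it run.
                walk(ex["flowAlias"], ex["requirement"])
                continue
            auth = ex.get("authenticator", "")
            if auth.startswith("conditional-") and requirement != "CONDITIONAL":
                findings.append((alias, auth, f"condition not evaluated, subflow is {requirement}"))
            elif auth == FORMLESS_OTP:
                findings.append((alias, auth, f"no browser form, use {OTP_FORM}"))

    walk(realm["browserFlow"], "TOP_LEVEL")
    return findings

def step(authenticator, requirement="REQUIRED"):
    return {"authenticator": authenticator, "requirement": requirement}

def subflow(alias, requirement):
    return {"authenticatorFlow": True, "flowAlias": alias, "requirement": requirement}

# Constructed sample in realm-export shape; aliases and "sms-authenticator" are hypothetical.
SAMPLE_REALM = {
    "browserFlow": "mfa-browser",
    "authenticationFlows": [
        {"alias": "mfa-browser", "authenticationExecutions": [
            step("auth-username-password-form"),
            subflow("sms-mfa", "ALTERNATIVE"),    # wrong: condition inside is skipped
            subflow("totp-mfa", "CONDITIONAL"),
        ]},
        {"alias": "sms-mfa", "authenticationExecutions": [
            step("conditional-user-attribute"), step("sms-authenticator"),
        ]},
        {"alias": "totp-mfa", "authenticationExecutions": [
            step("conditional-user-attribute"), step(FORMLESS_OTP),  # wrong: no form
        ]},
    ],
}

if __name__ == "__main__":
    for finding in audit_browser_flow(SAMPLE_REALM):
        print(*finding, sep=" | ")
```

To audit a real realm, load its exported JSON with `json.load` and pass the resulting dict to `audit_browser_flow`.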