feat: add step up auth flow in keycloak example

2026-04-25 17:25:21 +02:00 · 2025-08-08 15:02:35 +02:00
parent a31eb7dbf7
commit 387ea2ea1f
1 changed files with 143 additions and 1 deletions
--- a/deployments/examples/ocis_keycloak/config/keycloak/ocis-realm.dist.json
+++ b/deployments/examples/ocis_keycloak/config/keycloak/ocis-realm.dist.json
@@ -1076,6 +1076,7 @@
        "email"
      ],
      "optionalClientScopes": [
+        "acr",
        "address",
        "phone",
        "offline_access",
@@ -1136,6 +1137,7 @@
        "email"
      ],
      "optionalClientScopes": [
+        "acr",
        "address",
        "phone",
        "offline_access",
@@ -1288,6 +1290,7 @@
        "email"
      ],
      "optionalClientScopes": [
+        "acr",
        "address",
        "phone",
        "offline_access",
@@ -2157,6 +2160,128 @@
  "internationalizationEnabled": false,
  "supportedLocales": [],
  "authenticationFlows": [
+    {
+      "id" : "5392b282-096e-4994-a3ad-780eb4023d27",
+      "alias" : "step up flow",
+      "description" : "browser login flow with step-up mechanism",
+      "providerId" : "basic-flow",
+      "topLevel" : true,
+      "builtIn" : false,
+      "authenticationExecutions" : [
+        {
+          "authenticator" : "auth-cookie",
+          "authenticatorFlow" : false,
+          "requirement" : "ALTERNATIVE",
+          "priority" : 20,
+          "autheticatorFlow" : false,
+          "userSetupAllowed" : false
+        },
+        {
+          "authenticator" : "auth-spnego",
+          "authenticatorFlow" : false,
+          "requirement" : "DISABLED",
+          "priority" : 25,
+          "autheticatorFlow" : false,
+          "userSetupAllowed" : false
+        },
+        {
+          "authenticator" : "identity-provider-redirector",
+          "authenticatorFlow" : false,
+          "requirement" : "ALTERNATIVE",
+          "priority" : 30,
+          "autheticatorFlow" : false,
+          "userSetupAllowed" : false
+        },
+        {
+          "authenticatorFlow" : true,
+          "requirement" : "ALTERNATIVE",
+          "priority" : 31,
+          "autheticatorFlow" : true,
+          "flowAlias" : "base step up",
+          "userSetupAllowed" : false
+        }
+      ]
+    },
+    {
+      "id" : "00e79c8a-93b3-4c0d-857f-7bf5be19d0cb",
+      "alias" : "base step up",
+      "description" : "base step up flow",
+      "providerId" : "basic-flow",
+      "topLevel" : false,
+      "builtIn" : false,
+      "authenticationExecutions" : [
+        {
+          "authenticatorFlow" : true,
+          "requirement" : "CONDITIONAL",
+          "priority" : 2,
+          "autheticatorFlow" : true,
+          "flowAlias" : "step up level 1",
+          "userSetupAllowed" : false
+        },
+        {
+          "authenticatorFlow" : true,
+          "requirement" : "CONDITIONAL",
+          "priority" : 3,
+          "autheticatorFlow" : true,
+          "flowAlias" : "step up level 2",
+          "userSetupAllowed" : false
+        }
+      ]
+    },
+    {
+      "id" : "32ec29d9-dd12-45ce-bdbc-3e597aca4b51",
+      "alias" : "step up level 1",
+      "description" : "loa 1 with username and password",
+      "providerId" : "basic-flow",
+      "topLevel" : false,
+      "builtIn" : false,
+      "authenticationExecutions" : [
+        {
+          "authenticatorConfig" : "loa level 1",
+          "authenticator" : "conditional-level-of-authentication",
+          "authenticatorFlow" : false,
+          "requirement" : "REQUIRED",
+          "priority" : 0,
+          "autheticatorFlow" : false,
+          "userSetupAllowed" : false
+        },
+        {
+          "authenticator" : "auth-username-password-form",
+          "authenticatorFlow" : false,
+          "requirement" : "REQUIRED",
+          "priority" : 1,
+          "autheticatorFlow" : false,
+          "userSetupAllowed" : false
+        }
+      ]
+    },
+    {
+      "id" : "b8c46bfb-cf9e-414a-a773-b17e0fdaa475",
+      "alias" : "step up level 2",
+      "description" : "loa 2 with totp",
+      "providerId" : "basic-flow",
+      "topLevel" : false,
+      "builtIn" : false,
+      "authenticationExecutions" : [
+        {
+          "authenticatorConfig" : "loa level 2",
+          "authenticator" : "conditional-level-of-authentication",
+          "authenticatorFlow" : false,
+          "requirement" : "REQUIRED",
+          "priority" : 0,
+          "autheticatorFlow" : false,
+          "userSetupAllowed" : false
+        },
+        {
+          "authenticator" : "auth-otp-form",
+          "authenticatorFlow" : false,
+          "requirement" : "REQUIRED",
+          "priority" : 1,
+          "autheticatorFlow" : false,
+          "userSetupAllowed" : false
+        }
+      ]
+    },
    {
      "id": "8964f931-b866-4a05-ab1c-89331a566887",
      "alias": "Account verification options",
@@ -2683,6 +2808,22 @@
      "config": {
        "update.profile.on.first.login": "missing"
      }
+    },
+    {
+      "id" : "5b7b9811-6a2d-47ba-8722-7a4a5cb67cc3",
+      "alias" : "loa level 2",
+      "config" : {
+        "loa-condition-level" : "2",
+        "loa-max-age" : "36000"
+      }
+    },
+    {
+      "id" : "fc6ac583-5601-4c97-a57b-3b044dc4007f",
+      "alias" : "loa level 1",
+      "config" : {
+        "loa-condition-level" : "1",
+        "loa-max-age" : "36000"
+      }
    }
  ],
  "requiredActions": [
@@ -2779,7 +2920,8 @@
    "oauth2DeviceCodeLifespan": "600",
    "parRequestUriLifespan": "60",
    "clientSessionMaxLifespan": "0",
-    "organizationsEnabled": "false"
+    "organizationsEnabled": "false",
+    "acr.loa.map" : "{\"regular\":\"1\",\"advanced\":\"2\"}"
  },
  "keycloakVersion": "25.0.0",
  "userManagedAccessAllowed": false,