This plugin brings Conditional OTP to the Direct Grant.
Mix between native plugins:
- keycloak/keycloak/services/src/main/java/org/keycloak/authentication/authenticators/directgrant/ValidateOTP.java
- keycloak/keycloak/services/src/main/java/org/keycloak/authentication/authenticators/browser/ConditionalOtpFormAuthenticator.java
Inspired by: https://github.com/lukaszbudnik/keycloak-ip-authenticator
Use case:
- When IP whitelisting passes, set user attribute:
ip_based_otp_conditional=skip
elseip_based_otp_conditional=force
- Configure this module to be conditional on this user attribute (OTP control User Attribute)
Also see our extended version of keycloak-ip-authenticator.