Description
Keycloak currently provides the ability to use the ACR claim to perform step-up authentication, allowing applications to request stronger authentication in particular situations. However, this is hierarchical and limited to performing additional authentication steps within the same flow. In some cases, an organization may require users to perform entirely different flows based on the resources they are accessing.
This feature request is to expand this capability to enable administrators to map ACR values in authorization requests to authentication flows. More details can be found in the discussion topic below.
Discussion
Motivation
The current ACR implementation for level of authentication is only suitable if the authentication methods an organization accepts are hierarchical. For example, an organization may allow password authentication for user functions but require an additional OTP authenticator for admin functions.
The company I work for currently has the need to route users to entirely different authentication flows based on the resources they are trying to access. Based on organizational policy, a user accessing resource A may be allowed to use password authentication; resource B, however, strictly does not allow password authentication, and therefore the user would need to be routed to an entirely different flow.
Details
See the discussion topic above for additional notes on the proposed implementation.
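The relying-party side of the scenario described in this issue, as an added example that is neither the issue author's code nor part of Keycloak: a client asks the OP for an essential `acr` claim through the OIDC `claims` parameter, then checks the `acr` value that actually comes back against a per-resource set of accepted values rather than against a single ordered level. The resource names, the `urn:example:acr:*` ACR identifiers, the `RESOURCE_ACR_POLICY` and `ACR_TO_LEVEL` tables and the `idp.example` host are all constructed for this example; only the `/realms/{realm}/protocol/openid-connect/auth` endpoint path is Keycloak's real one.

```python
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed policy for this example (not from the issue or from Keycloak):
# the set of ACR values each protected resource accepts. Resource A tolerates
# a password-only login, resource B accepts only phishing-resistant methods,
# and resource C accepts password+OTP but cannot take certificate logins.
# The ACR names are hypothetical URNs chosen for illustration.
RESOURCE_ACR_POLICY = {
    "resource-a": {
        "urn:example:acr:password",
        "urn:example:acr:password-otp",
        "urn:example:acr:webauthn",
    },
    "resource-b": {
        "urn:example:acr:webauthn",
        "urn:example:acr:x509",
    },
    "resource-c": {
        "urn:example:acr:password-otp",
    },
}

# Hypothetical level-of-authentication ranking for the hierarchical check.
# No single ranking satisfies all three resources above: B needs webauthn and
# x509 above password-otp, while C needs password-otp above webauthn.
ACR_TO_LEVEL = {
    "urn:example:acr:password": 1,
    "urn:example:acr:password-otp": 2,
    "urn:example:acr:webauthn": 3,
    "urn:example:acr:x509": 3,
}


def build_authorization_url(authorization_endpoint, client_id, redirect_uri,
                            resource, state, nonce):
    """Build an OIDC authorization request whose 'claims' parameter asks for
    an essential acr claim drawn from the resource's accepted set
    (OpenID Connect Core 1.0, section 5.5.1.1). An OP that honours the
    parameter must return one of the listed values or fail the login."""
    accepted = sorted(RESOURCE_ACR_POLICY[resource])
    claims = {"id_token": {"acr": {"essential": True, "values": accepted}}}
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "claims": json.dumps(claims, separators=(",", ":")),
    }
    return authorization_endpoint + "?" + urlencode(params)


def requested_acr_values(authorization_url):
    """Read back the acr values requested in an authorization URL, i.e. what
    the OP receives after URL decoding."""
    query = parse_qs(urlparse(authorization_url).query)
    claims = json.loads(query["claims"][0])
    return claims["id_token"]["acr"]["values"]


def acr_permits_resource(id_token_claims, resource):
    """Set-membership check: grant the resource only if the ID token's acr is
    one the resource accepts. id_token_claims must already be signature-,
    issuer-, audience- and nonce-verified by the RP's OIDC library; this
    function decides only the authentication-context question. Requesting an
    acr is not enough: an OP that ignores the claims parameter, or a voluntary
    acr_values request, returns whatever level was achieved, so the RP must
    inspect the returned value itself."""
    acr = id_token_claims.get("acr")
    if not isinstance(acr, str):
        return False  # missing or malformed acr never satisfies a policy
    return acr in RESOURCE_ACR_POLICY[resource]


def loa_permits_resource(id_token_claims, required_level, acr_to_level):
    """Hierarchical check, the model the existing step-up feature fits: each
    acr maps to a number and anything at or above the required level passes.
    It works only while the methods every resource accepts nest inside each
    other; the three-resource policy above does not, which is the situation
    the issue describes."""
    acr = id_token_claims.get("acr")
    level = acr_to_level.get(acr) if isinstance(acr, str) else None
    return level is not None and level >= required_level


if __name__ == "__main__":
    url = build_authorization_url(
        "https://idp.example/realms/demo/protocol/openid-connect/auth",
        "portal", "https://portal.example/cb", "resource-b", "st", "nc")
    print(requested_acr_values(url))
    print(acr_permits_resource({"acr": "urn:example:acr:password"}, "resource-b"))
```

The two checks are deliberately side by side: `loa_permits_resource` is sufficient when accepted methods form a chain, while `acr_permits_resource` is what a relying party needs once policy stops being hierarchical. In both cases the RP verifies the returned `acr`, because the authorization request only asks for a context and does not prove that it was achieved.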