Closed svenseeberg closed 1 month ago
Hey @svenseeberg , nothing to do with your topic but maybe could you share your flow configuration to get the screenshot? Currently my configuration looks like this:
But for some reason I only see Passkey/FIDO2 as an option to choose.
Would highly appreciate an answer :)
Hey @beezerk23,
when you see only Passkey as an option, the reason might be that the user has already set up Passkey as 2FA. Please make sure that all 2FA methods are removed from the user account. Then, during the next login, you will see the 2FA enforcement dialog after you have submitted the password.
See also this (in the screenshot the second subflow should actually be conditional and not required): https://github.com/netzbegruenung/keycloak-mfa-plugins/tree/main/enforce-mfa#how-to-use-this-authenticator
Hey @melegiul, where can I check if the user already has 2FA set up? It's a completely new user, so I think that will not be the case, but just to be sure I would like to check.
I think my configuration is exactly the same as in the screenshot you shared. Can you elaborate a bit more on what I may be missing?
Yes, sure. You can check which 2FA methods are set for a user in the admin console. They would be listed under the password.
Another thing you should be aware of is that the list of choices represents "required action triggers". So you should also make sure that all related required actions are enabled on this page in the admin console as well: /admin/master/console/#/master/authentication/required-actions
@melegiul That was it. I needed to activate the phone number action under required actions. Now the SMS option is showing. Thanks!
I'm glad to hear that. You are welcome.
The TOTP option seems to show a very generic title from https://github.com/keycloak/keycloak/blob/main/themes/src/main/resources-community/theme/base/email/messages/messages_de.properties#L29 instead of https://github.com/netzbegruenung/keycloak-mfa-plugins/blob/main/enforce-mfa/src/main/resources/theme-resources/messages/messages_de.properties#L5
Example:
Yes, that is right. It seems like we must take care ourselves to avoid any key conflicts with other SPIs. Actually only themes can override. https://github.com/keycloak/keycloak/issues/11186#issuecomment-1111819696
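One way to check for the message-key collisions mentioned above, as an added example that is not part of the plugin or of Keycloak: a small Python script that parses two message bundles in Java .properties format and lists the keys both define. The bundle contents and key names are constructed samples, not the real files.

```python
# Added example (not plugin or Keycloak code): find message keys that a plugin
# bundle defines even though a base Keycloak bundle already defines them.
# Java .properties rules handled: '#'/'!' comments, '=' or ':' separators,
# backslash line continuations and \uXXXX escapes. Both bundles are constructed.
import re

BASE_BUNDLE = """\
# constructed sample standing in for a Keycloak base bundle
totpTitle=Mobile Authenticator einrichten
loginTitle={0} Anmeldung
emailVerificationSubject: E-Mail verifizieren
"""

PLUGIN_BUNDLE = """\
# constructed sample standing in for a plugin bundle
totpTitle=Authenticator-App (TOTP) als zweiten Faktor einrichten
mfaEnforceTitle=Zweiten Faktor w\\u00e4hlen
longValue=first part \\
    second part
"""

def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties parser returning {key: value}."""
    props, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].lstrip()
        # an odd number of trailing backslashes means the value continues
        while line.endswith("\\") and (len(line) - len(line.rstrip("\\"))) % 2:
            i += 1
            line = line[:-1] + (lines[i].lstrip() if i < len(lines) else "")
        i += 1
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^((?:\\.|[^\\=:\s])+)\s*[=:]?\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        # resolve \uXXXX escapes as the Java loader would
        props[key] = value.encode("latin-1", "backslashreplace").decode("unicode_escape")
    return props

def key_conflicts(base: str, plugin: str) -> dict[str, tuple[str, str]]:
    """Keys present in both bundles, mapped to (base value, plugin value)."""
    b, p = parse_properties(base), parse_properties(plugin)
    return {k: (b[k], p[k]) for k in sorted(b.keys() & p.keys())}

if __name__ == "__main__":
    for key, (base_val, plugin_val) in key_conflicts(BASE_BUNDLE, PLUGIN_BUNDLE).items():
        print(f"conflict: {key!r}\n  base:   {base_val}\n  plugin: {plugin_val}")
```

Pointing the two constants at real bundle files (the base theme's and the plugin's) turns this into a pre-release check that flags every key the plugin would fail to override.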