M terraform_keycloak/keycloak.tf => terraform_keycloak/keycloak.tf +79 -1
@@ 29,7 29,8 @@ resource "keycloak_realm" "xenrox" {
login_with_email_allowed = true
password_policy = "length(20) and notUsername"
- browser_flow = "browser"
+ browser_flow = keycloak_authentication_flow.webauthn.alias
+ # browser_flow = "browser"
smtp_server {
host = "mail.xenrox.net"
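Review bot: Pointing `browser_flow` at `keycloak_authentication_flow.webauthn.alias` makes the realm depend on the flow, while the flow resources below carry a literal `realm_id = "xenrox"`, so on a fresh apply Terraform will try to create the flow before the realm it belongs to exists; this works against an already-provisioned realm but not from scratch. If the provider version in use has it, moving the binding into a `keycloak_authentication_bindings` resource (`realm_id = keycloak_realm.xenrox.id`, `browser_flow = keycloak_authentication_flow.webauthn.alias`) lets the flow and execution resources reference `keycloak_realm.xenrox.id` without a dependency cycle. The commented-out `# browser_flow = "browser"` should either be deleted or turned into an explicit note about the rollback path, e.g. `# rollback: browser_flow = "browser" restores the built-in flow`. The `keycloak_realm` block starts before this hunk.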
@@ 82,6 83,83 @@ resource "keycloak_required_action" "webauthn_register" {
enabled = true
}
+# Login flow
+
+resource "keycloak_authentication_flow" "webauthn" {
+ realm_id = "xenrox"
+ alias = "Webauthn"
+ description = "Browser flow with WebAuthn"
+}
+
+resource "keycloak_authentication_execution" "cookie" {
+ realm_id = "xenrox"
+ parent_flow_alias = keycloak_authentication_flow.webauthn.alias
+ authenticator = "auth-cookie"
+ requirement = "ALTERNATIVE"
+
+ depends_on = [keycloak_authentication_flow.webauthn]
+}
+
+resource "keycloak_authentication_execution" "identity_provider_redirector" {
+ realm_id = "xenrox"
+ parent_flow_alias = keycloak_authentication_flow.webauthn.alias
+ authenticator = "identity-provider-redirector"
+ requirement = "ALTERNATIVE"
+
+ depends_on = [keycloak_authentication_execution.cookie]
+}
+
+resource "keycloak_authentication_subflow" "forms" {
+ realm_id = "xenrox"
+ alias = "Forms"
+ parent_flow_alias = keycloak_authentication_flow.webauthn.alias
+ requirement = "ALTERNATIVE"
+
+ depends_on = [keycloak_authentication_execution.identity_provider_redirector]
+}
+
+resource "keycloak_authentication_execution" "username_password_form" {
+ realm_id = "xenrox"
+ parent_flow_alias = keycloak_authentication_subflow.forms.alias
+ authenticator = "auth-username-password-form"
+ requirement = "REQUIRED"
+}
+
+resource "keycloak_authentication_subflow" "conditional_2fa" {
+ realm_id = "xenrox"
+ alias = "Browser - Conditional 2FA"
+ parent_flow_alias = keycloak_authentication_subflow.forms.alias
+ requirement = "CONDITIONAL"
+
+ depends_on = [keycloak_authentication_execution.username_password_form]
+}
+
+resource "keycloak_authentication_execution" "condition" {
+ realm_id = "xenrox"
+ parent_flow_alias = keycloak_authentication_subflow.conditional_2fa.alias
+ authenticator = "conditional-user-configured"
+ requirement = "REQUIRED"
+
+}
+
+resource "keycloak_authentication_execution" "otp_form" {
+ realm_id = "xenrox"
+ parent_flow_alias = keycloak_authentication_subflow.conditional_2fa.alias
+ authenticator = "auth-otp-form"
+ requirement = "ALTERNATIVE"
+
+ depends_on = [keycloak_authentication_execution.condition]
+}
+
+resource "keycloak_authentication_execution" "webauthn" {
+ realm_id = "xenrox"
+ parent_flow_alias = keycloak_authentication_subflow.conditional_2fa.alias
+ authenticator = "webauthn-authenticator"
+ requirement = "ALTERNATIVE"
+
+ depends_on = [keycloak_authentication_execution.otp_form]
+}
+
resource "keycloak_group" "admin" {
realm_id = "xenrox"
name = "Admin"
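Review bot: The `conditional_2fa` subflow is `CONDITIONAL` and gated on `conditional-user-configured`, so a user who has registered neither an OTP nor a WebAuthn credential completes login with the username/password form alone; the new `webauthn-authenticator` execution only strengthens logins for users who have already opted in. The `webauthn_register` required action in the context above is `enabled = true`, but whether it is also the default action for new users is not visible in this hunk; if a second factor is meant to be mandatory, add `default_action = true` to it so first login forces WebAuthn registration rather than leaving the 2FA step opt-in. The flow also relies on the realm's WebAuthn policy (user verification requirement, attestation, allowed signature algorithms), which this commit does not touch, so it is worth confirming that policy matches what this flow assumes. A header comment on the `webauthn` flow would help the next reader, e.g. `# Mirrors Keycloak's built-in "browser" flow; the 2FA step accepts OTP or WebAuthn and only runs for users who have configured one of them.`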