1 files changed, 79 insertions(+), 1 deletions(-)

M terraform_keycloak/keycloak.tf

@@ 29,7 29,8 @@ resource "keycloak_realm" "xenrox" {
   login_with_email_allowed = true
   password_policy          = "length(20) and notUsername"
 
-  browser_flow = "browser"
+  browser_flow = keycloak_authentication_flow.webauthn.alias
+  # browser_flow = "browser"
 
   smtp_server {
     host                  = "mail.xenrox.net"


@@ 82,6 83,83 @@ resource "keycloak_required_action" "webauthn_register" {
   enabled  = true
 }
 
+# Login flow
+
+resource "keycloak_authentication_flow" "webauthn" {
+  realm_id    = "xenrox"
+  alias       = "Webauthn"
+  description = "Browser flow with WebAuthn"
+}
+
+resource "keycloak_authentication_execution" "cookie" {
+  realm_id          = "xenrox"
+  parent_flow_alias = keycloak_authentication_flow.webauthn.alias
+  authenticator     = "auth-cookie"
+  requirement       = "ALTERNATIVE"
+
+  depends_on = [keycloak_authentication_flow.webauthn]
+}
+
+resource "keycloak_authentication_execution" "identity_provider_redirector" {
+  realm_id          = "xenrox"
+  parent_flow_alias = keycloak_authentication_flow.webauthn.alias
+  authenticator     = "identity-provider-redirector"
+  requirement       = "ALTERNATIVE"
+
+  depends_on = [keycloak_authentication_execution.cookie]
+}
+
+resource "keycloak_authentication_subflow" "forms" {
+  realm_id          = "xenrox"
+  alias             = "Forms"
+  parent_flow_alias = keycloak_authentication_flow.webauthn.alias
+  requirement       = "ALTERNATIVE"
+
+  depends_on = [keycloak_authentication_execution.identity_provider_redirector]
+}
+
+resource "keycloak_authentication_execution" "username_password_form" {
+  realm_id          = "xenrox"
+  parent_flow_alias = keycloak_authentication_subflow.forms.alias
+  authenticator     = "auth-username-password-form"
+  requirement       = "REQUIRED"
+}
+
+resource "keycloak_authentication_subflow" "conditional_2fa" {
+  realm_id          = "xenrox"
+  alias             = "Browser - Conditional 2FA"
+  parent_flow_alias = keycloak_authentication_subflow.forms.alias
+  requirement       = "CONDITIONAL"
+
+  depends_on = [keycloak_authentication_execution.username_password_form]
+}
+
+resource "keycloak_authentication_execution" "condition" {
+  realm_id          = "xenrox"
+  parent_flow_alias = keycloak_authentication_subflow.conditional_2fa.alias
+  authenticator     = "conditional-user-configured"
+  requirement       = "REQUIRED"
+
+}
+
+resource "keycloak_authentication_execution" "otp_form" {
+  realm_id          = "xenrox"
+  parent_flow_alias = keycloak_authentication_subflow.conditional_2fa.alias
+  authenticator     = "auth-otp-form"
+  requirement       = "ALTERNATIVE"
+
+  depends_on = [keycloak_authentication_execution.condition]
+}
+
+resource "keycloak_authentication_execution" "webauthn" {
+  realm_id          = "xenrox"
+  parent_flow_alias = keycloak_authentication_subflow.conditional_2fa.alias
+  authenticator     = "webauthn-authenticator"
+  requirement       = "ALTERNATIVE"
+
+  depends_on = [keycloak_authentication_execution.otp_form]
+}
+
 resource "keycloak_group" "admin" {
   realm_id = "xenrox"
   name     = "Admin"