
Email Based Authentication

Page Background: This document discusses email-based authentication via Keycloak.


  • This authenticator's default setting is ALTERNATIVE.

  • If an SMTP setup is established for the realm, then {project name} utilises this authenticator.

  • In this authentication type, an email is sent to the user to confirm whether they would like to associate their provider with their account.

  • If you require users to authenticate using their password, yet do not want linkage confirmation through email, deactivate this authentication process.

AuthType: Forms

First log in to your Keycloak administration, then click the Authentication link in the left-side menu. You will see a page as shown in the screenshot below:

Now, under the Auth Type Forms, mark it as Required (by default it is marked as Alternative). If this sub-flow is designated as Alternative, it is not carried out when the Cookie authentication type is successful.

Browser Conditional OTP sub-flow

By default, this sub-flow is Conditional: whether it runs depends on the outcome of the Condition - User Configured execution. If the outcome is true, Keycloak loads and executes the operations of this sub-flow.

User Configured Authentication and OTP Form

The next operation is the Condition - User Configured authentication. It checks whether Keycloak has set up the other operations in the flow for the user. The Browser - Conditional OTP sub-flow runs only when the user has an OTP credential set up.

The OTP Form is the last operation. Keycloak marks this execution as Required, but because of the configuration of the conditional sub-flow, it executes only when the user has an OTP credential set up. Otherwise, the user is not shown an OTP form.
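
The flow behaviour described above can be traced with a small model. This is an added example, not Keycloak code or part of the original page: it shows which operations run when Forms is Alternative versus Required, and when the user has or lacks an OTP credential. Assumptions: the "Username Password Form" step, the user attributes, and the rule that Alternative operations are not evaluated when a Required one sits at the same level.

```python
# Simplified model of the browser flow described on this page (not Keycloak's implementation).
REQUIRED, ALTERNATIVE, CONDITIONAL = "REQUIRED", "ALTERNATIVE", "CONDITIONAL"

# Constructed user checks; attribute names are hypothetical.
AUTHENTICATORS = {
    "Cookie": lambda u: u["has_session_cookie"],
    "Username Password Form": lambda u: u["password_ok"],  # assumed step, not on the page
    "Condition - User Configured": lambda u: u["has_otp_credential"],
    "OTP Form": lambda u: u["otp_ok"],
}

def browser_flow(forms_requirement):
    otp = ("Browser - Conditional OTP", CONDITIONAL, [
        ("Condition - User Configured", REQUIRED, None),
        ("OTP Form", REQUIRED, None),
    ])
    forms = ("Forms", forms_requirement, [
        ("Username Password Form", REQUIRED, None),
        otp,
    ])
    return [("Cookie", ALTERNATIVE, None), forms]

def run(executions, user, trace):
    """Evaluate one flow level; append each executed operation to trace."""
    must_run = [e for e in executions if e[1] in (REQUIRED, CONDITIONAL)]
    if must_run:
        # Assumed rule: Alternative siblings are skipped when Required ones exist.
        return all(run_one(e, user, trace) for e in must_run)
    return any(run_one(e, user, trace) for e in executions)  # first success ends the level

def run_one(execution, user, trace):
    name, requirement, children = execution
    if children is None:  # leaf authenticator
        trace.append(name)
        return AUTHENTICATORS[name](user)
    if requirement == CONDITIONAL:
        condition, *rest = children
        trace.append(condition[0])
        if not AUTHENTICATORS[condition[0]](user):
            return True  # condition false: sub-flow is skipped, not failed
        return run(rest, user, trace)
    return run(children, user, trace)

def executed(forms_requirement, **user):
    trace = []
    return run(browser_flow(forms_requirement), user, trace), trace
```

With Forms left as Alternative, a valid session cookie ends the flow before the password and OTP steps; with Forms Required, those steps always run.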