# Conditional OTP authentication

# Scenario Setup

## Run Keycloak with the custom authentication provider.
## Create a new realm `dynamic-otp-test`.
## Create a new realm role `require_otp_auth`.
## Create a new test user `otp`.
## Go to Authentication -> Flows -> Select `Browser`.
### Click on `copy`.
### Name the new flow `browser dynamic otp`.
### Click on `actions` in the line `Browser Dynamic Otp Forms`.
### Add execution: `Conditional OTP Form`.
### Disable the `OTP Form`.
### Mark the `Conditional OTP Form` as `required`.
### Click on `Actions` -> `configure` for the `Conditional OTP Form`.
#### Give it the alias `Conditional OTP Authentication`.
#### Select the `require_otp_role` from the `Force OTP for Role` list.
#### Configure the `Fallback OTP handling` to `skip`.
## Go to `Bindings`.
### Select `browser dynamic otp` for the `browser flow`.

# Scenario Test

## As the user `otp` with no role assigned:
### Try logging in to the account application (tip: use incognito mode / private browsing):
### http://yourhost:port/auth/realms/dynamic-otp-test/account
### Enter username / password.
### Register an OTP device.
### Logout.
### Login again ... try the various options of the Conditional OTP Authenticator. I recommend the Chrome ModHeader plugin to test the header-based patterns.
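The "Scenario Setup" steps above, scripted with `kcadm.sh` and `jq` as an added example (not part of this README or the provider's own code). It assumes `kcadm.sh` is on PATH and already logged in via `kcadm.sh config credentials`, that the authenticator's provider id is `auth-conditional-otp-form`, that the `Fallback OTP handling` setting is stored as the config key `defaultOtpOutcome` and `Force OTP for Role` as `forceOtpRole`, and that kcadm accepts quoted flow aliases containing spaces; the OTP user's password is read from `OTP_USER_PASSWORD`.

```shell
#!/usr/bin/env sh
# Added example (not from the original README): automate the Scenario Setup
# with kcadm.sh + jq. Provider id, config keys and the quoted-alias form
# are assumptions, see the lead-in. Run with "apply" to execute the setup.
set -eu

REALM="dynamic-otp-test"
ROLE="require_otp_auth"                 # realm role created in the README
FLOW="browser dynamic otp"
SUBFLOW="browser dynamic otp forms"     # sub-flow Keycloak creates when copying "browser"
PROVIDER="auth-conditional-otp-form"    # assumed provider id of "Conditional OTP Form"

# Authenticator config payload: force OTP for role $1, fall back to "skip".
otp_config_json() {
  printf '{"alias":"Conditional OTP Authentication","config":{"forceOtpRole":"%s","defaultOtpOutcome":"skip"}}' "$1"
}

# Payload that sets execution $1 to requirement $2 (REQUIRED, DISABLED, ...).
requirement_json() {
  printf '{"id":"%s","requirement":"%s"}' "$1" "$2"
}

# Look up the execution id of provider $2 inside flow $1 (nested executions included).
execution_id() {
  kcadm.sh get "authentication/flows/$1/executions" -r "$REALM" \
    | jq -r --arg p "$2" '.[] | select(.providerId == $p) | .id'
}

setup() {
  kcadm.sh create realms -s realm="$REALM" -s enabled=true
  kcadm.sh create roles -r "$REALM" -s name="$ROLE"
  kcadm.sh create users -r "$REALM" -s username=otp -s enabled=true
  kcadm.sh set-password -r "$REALM" --username otp \
    --new-password "${OTP_USER_PASSWORD:?export OTP_USER_PASSWORD first}"
  kcadm.sh create authentication/flows/browser/copy -r "$REALM" -s newName="$FLOW"
  kcadm.sh create "authentication/flows/$SUBFLOW/executions/execution" \
    -r "$REALM" -s provider="$PROVIDER"
  otp_form=$(execution_id "$FLOW" auth-otp-form)
  cond_otp=$(execution_id "$FLOW" "$PROVIDER")
  # Disable the plain OTP Form and make the conditional one REQUIRED.
  kcadm.sh update "authentication/flows/$FLOW/executions" -r "$REALM" -b "$(requirement_json "$otp_form" DISABLED)"
  kcadm.sh update "authentication/flows/$FLOW/executions" -r "$REALM" -b "$(requirement_json "$cond_otp" REQUIRED)"
  kcadm.sh create "authentication/executions/$cond_otp/config" -r "$REALM" -b "$(otp_config_json "$ROLE")"
  # Bindings: use the new flow as the realm's browser flow.
  kcadm.sh update "realms/$REALM" -s browserFlow="$FLOW"
}

if [ "${1:-}" = "apply" ]; then setup; fi
```

After it runs, `kcadm.sh get "authentication/flows/$FLOW/executions" -r dynamic-otp-test` should list the OTP Form as DISABLED and the Conditional OTP Form as REQUIRED, which is the state the manual steps produce.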