Skip to content

Instantly share code, notes, and snippets.

@sts
Last active June 18, 2024 11:51
Show Gist options
  • Save sts/4c6f8fa759cec88197ca6dfcf306c391 to your computer and use it in GitHub Desktop.
Save sts/4c6f8fa759cec88197ca6dfcf306c391 to your computer and use it in GitHub Desktop.
Keycloak OTP Validation API
BASE_URL=https://localhost:8081/auth
CLIENT_ID=curl-test
CLIENT_SECRET=
USERNAME=
PASSWORD=
REALM=validation-test
OTP_CODE=027253
# OpenID Access Token via "Resource Owner Password Credentials Grant"
# https://tools.ietf.org/html/rfc6749#section-4.3
ACCESS_TOKEN=$(curl -s scope=openid \
--data-urlencode client_id=$CLIENT_ID \
--data-urlencode client_secret=$CLIENT_SECRET \
-d grant_type=password \
--data-urlencode username=$USERNAME\
--data-urlencode password=$PASSWORD \
$BASE_URL/realms/$REALM/protocol/openid-connect/token \
| python -c 'import sys, json; print json.load(sys.stdin)["access_token"]')
## Validate otp token with custom credential validation endpoint
curl -v \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d "[{"\""type"\"":"\""totp"\"","\""value"\"":"\""$OTP_CODE"\""}]" \
$BASE_URL/realms/$REALM/credential-validation
@dileepkumar457
Copy link

@fatihATtargens - were you able to find a solution for this?

@rafakwolf
Copy link

Same issue here

@fatihATtargens
Copy link

@dileepkumar457 , @rafakwolf I'll upload my solution soon. I implement a module to check the totp on keycloak via an api. I'll post the link here soon.

@sts
Copy link
Author

sts commented Jun 21, 2019

@jasw @rafakwolf @dileepkumar457 I was initially running into the same issue, as I picked up some ideas from a mailing list message, which described an extended credential-validation API from a patch which a user had implemented on his own. So please ignore the example above, it was only used as an example when I wrote to the mailing list, it will only work with his own credentials-validation module.

Keycloak is not able to validate the TOTP token apart from username and password; so i had to wait on my RP (freeradius) until I get username, password & token to send it to Keycloak using the following request:

#!/usr/bin/env bash

# Metadata Discovery
#curl https://auth.local/auth/realms/ono/.well-known/openid-configuration | python -m json.tool

set -x

BASE_URL=https://auth.local/auth
CLIENT_ID=radius
CLIENT_SECRET=aaaaaaa-bbbb-cccc-dddd-eeeeeee
USERNAME=alice
PASSWORD=xxxxxxxx
REALM=ono
OTP_CODE=1234

curl --trace -vvv -s scope=openid \
    --data-urlencode client_id=$CLIENT_ID \
    --data-urlencode client_secret=$CLIENT_SECRET \
    --data-urlencode username=$USERNAME\
    --data-urlencode password=$PASSWORD \
    --data-urlencode totp=$OTP_CODE \
    --data grant_type=password \
          $BASE_URL/realms/$REALM/protocol/openid-connect/token

@mgx0
Copy link

mgx0 commented Jan 19, 2023

@dileepkumar457 , @rafakwolf I'll upload my solution soon. I implement a module to check the totp on keycloak via an api. I'll post the link here soon.

Hi there
@fatihATtargens did you come to a solution please?

i'm looking for a username+otp validator rest endpoint without specifying the password (should be used to protect external password reset page)

can anyone help here?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment