BASE_URL=https://localhost:8081/auth
CLIENT_ID=curl-test
CLIENT_SECRET=
USERNAME=
PASSWORD=
REALM=validation-test
OTP_CODE=027253

# OpenID Access Token via "Resource Owner Owner Password Credentials Grant"
# https://tools.ietf.org/html/rfc6749#section-4.3
# Every form field goes through --data-urlencode so that secrets containing
# '&', '=' or '+' cannot break the request body.
ACCESS_TOKEN=$(curl -s --data-urlencode scope=openid \
  --data-urlencode "client_id=$CLIENT_ID" \
  --data-urlencode "client_secret=$CLIENT_SECRET" \
  -d grant_type=password \
  --data-urlencode "username=$USERNAME" \
  --data-urlencode "password=$PASSWORD" \
  "$BASE_URL/realms/$REALM/protocol/openid-connect/token" \
  | python -c 'import sys, json; print(json.load(sys.stdin)["access_token"])')

## Validate OTP token with custom credential validation endpoint
# Request body sent: [{"type":"totp","value":"<OTP_CODE>"}]
curl -v \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d "[{\"type\":\"totp\",\"value\":\"$OTP_CODE\"}]" \
  "$BASE_URL/realms/$REALM/credential-validation"
@jasw @rafakwolf @dileepkumar457 I was initially running into the same issue, as I picked up some ideas from a mailing list message which described an extended credential-validation API from a patch that a user had implemented on his own. So please ignore the example above; it was only used as an example when I wrote to the mailing list, and it will only work with his own credential-validation module.
Keycloak is not able to validate the TOTP token apart from username and password, so I had to wait on my RP (FreeRADIUS) until I had username, password and token, and then send them to Keycloak using the following request:
#!/usr/bin/env bash
# Metadata Discovery
#curl https://auth.local/auth/realms/ono/.well-known/openid-configuration | python -m json.tool
set -x
BASE_URL=https://auth.local/auth
CLIENT_ID=radius
CLIENT_SECRET=aaaaaaa-bbbb-cccc-dddd-eeeeeee
USERNAME=alice
PASSWORD=xxxxxxxx
REALM=ono
OTP_CODE=1234

# Direct grant: password and OTP are submitted together in one token request.
# The 'totp' form field is the one Keycloak's direct-grant OTP authenticator reads.
curl -v -s --data-urlencode scope=openid \
  --data-urlencode "client_id=$CLIENT_ID" \
  --data-urlencode "client_secret=$CLIENT_SECRET" \
  --data-urlencode "username=$USERNAME" \
  --data-urlencode "password=$PASSWORD" \
  --data-urlencode "totp=$OTP_CODE" \
  --data grant_type=password \
  "$BASE_URL/realms/$REALM/protocol/openid-connect/token"
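The same direct-grant request built and its reply parsed in Python, as an added example that is not part of the gist or of Keycloak itself. It shows the percent-encoding that `--data-urlencode` performs for you, and handles the OAuth error object (`invalid_grant`) that the one-liner `json.load(...)["access_token"]` above would turn into a bare `KeyError`; the sample responses are constructed, and no network access is made.

```python
"""Direct-grant (RFC 6749 sec. 4.3) token request with a TOTP factor for Keycloak."""
import json
from urllib.parse import urlencode

TOKEN_PATH = "/realms/{realm}/protocol/openid-connect/token"


def build_token_request(base_url, realm, client_id, client_secret,
                        username, password, totp=None):
    """Return (url, headers, body) for the password grant, optionally with 'totp'.

    urlencode percent-encodes every value, so a secret or password containing
    '&', '=' or '+' cannot split the form body (what --data-urlencode does in curl).
    """
    fields = {
        "grant_type": "password",
        "scope": "openid",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
    }
    if totp is not None:
        fields["totp"] = totp  # OTP travels with the password, in the same request
    url = base_url.rstrip("/") + TOKEN_PATH.format(realm=realm)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, urlencode(fields)


class TokenError(Exception):
    """Carries the OAuth 'error' and 'error_description' returned by the server."""


def parse_token_response(body):
    """Return access_token, or raise TokenError on an OAuth error reply.

    A rejected password or OTP comes back as HTTP 401 with an error object
    rather than a token; report it instead of crashing on a missing key.
    """
    data = json.loads(body)
    if "error" in data:
        raise TokenError(f"{data['error']}: {data.get('error_description', '')}")
    return data["access_token"]


# Constructed sample replies shaped like the token endpoint's (not captured from a server).
SAMPLE_OK = '{"access_token":"eyJhbGciOi.constructed.token","expires_in":300,"token_type":"Bearer"}'
SAMPLE_ERR = '{"error":"invalid_grant","error_description":"Invalid user credentials"}'

if __name__ == "__main__":
    url, _, body = build_token_request("https://auth.local/auth", "ono", "radius",
                                       "s3cr&t", "alice", "p@ss=word", "123456")
    print(url, body, parse_token_response(SAMPLE_OK), sep="\n")
```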
@dileepkumar457, @rafakwolf I'll upload my solution soon. I implemented a module to check the TOTP on Keycloak via an API. I'll post the link here soon.
Hi there,
@fatihATtargens did you come to a solution please?
I'm looking for a username+OTP validator REST endpoint that does not require the password (it should be used to protect an external password reset page).
Can anyone help here?