Last active June 18, 2024 11:51
Keycloak OTP Validation API
BASE_URL=https://localhost:8081/auth
CLIENT_ID=curl-test
CLIENT_SECRET=
USERNAME=
PASSWORD=
REALM=validation-test
OTP_CODE=027253

# OpenID Access Token via "Resource Owner Password Credentials Grant"
# https://tools.ietf.org/html/rfc6749#section-4.3
# The user's password goes to the token endpoint in the form body, so only
# talk to it over TLS; a local test instance with a self-signed certificate
# needs --cacert (or -k, for testing only).
ACCESS_TOKEN=$(curl -s \
  -d scope=openid \
  --data-urlencode "client_id=$CLIENT_ID" \
  --data-urlencode "client_secret=$CLIENT_SECRET" \
  -d grant_type=password \
  --data-urlencode "username=$USERNAME" \
  --data-urlencode "password=$PASSWORD" \
  "$BASE_URL/realms/$REALM/protocol/openid-connect/token" \
  | python -c 'import sys, json; print(json.load(sys.stdin)["access_token"])')

## Validate OTP token with custom credential-validation endpoint
## (not part of stock Keycloak; it only exists with the patched module
## mentioned in the comments below)
curl -v \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '[{"type":"totp","value":"'"$OTP_CODE"'"}]' \
  "$BASE_URL/realms/$REALM/credential-validation"
@dileepkumar457, @rafakwolf I'll upload my solution soon. I implemented a module to check the TOTP on Keycloak via an API. I'll post the link here soon.
Hi there,
@fatihATtargens, did you come to a solution, please?
I'm looking for a username+OTP validator REST endpoint without specifying the password (it should be used to protect an external password reset page).
Can anyone help here?
@jasw @rafakwolf @dileepkumar457 I was initially running into the same issue, as I had picked up some ideas from a mailing list message which described an extended credential-validation API from a patch that a user had implemented on his own. So please ignore the example above; it was only used as an example when I wrote to the mailing list, and it will only work with his own credential-validation module.
Keycloak is not able to validate the TOTP token apart from username and password, so I had to wait on my RP (FreeRADIUS) until I get username, password & token to send them to Keycloak using the following request:
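The point made in the gist author's last comment, and the reason the script at the top of the gist cannot work on an unpatched server, is that stock Keycloak only checks an OTP as part of the direct-grant (Resource Owner Password Credentials) flow: username, password and OTP go to the token endpoint together, and there is no separate OTP-validation endpoint. The following is an added example, not the gist author's code and not Keycloak's own client library. It assumes the realm's "direct grant" flow keeps its default conditional-OTP step and that the OTP is sent as the `totp` form field; the fake transport (`make_fake_keycloak`) is constructed test data that mimics the shape of a token success and an OAuth 2.0 `invalid_grant` error, not captured Keycloak replies.

```python
# Added example (not from the gist or from Keycloak): validate username +
# password + TOTP in ONE password-grant request to Keycloak's token endpoint.
# Assumptions: default "direct grant" flow with its conditional-OTP step, OTP
# passed as the `totp` form field, confidential client with a secret.
import io
import json
import urllib.error
import urllib.parse
import urllib.request


def _post(url, form):
    return urllib.request.Request(
        url, data=urllib.parse.urlencode(form).encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def validate_with_otp(base_url, realm, client_id, client_secret,
                      username, password, otp, opener=urllib.request.urlopen):
    """Return {"valid": bool, "error": str|None, "description": str|None}.

    Keycloak answers 200 with tokens only when password AND OTP are correct,
    otherwise 401 with an OAuth error body. `opener` is injectable so the
    decision logic can be exercised offline.
    """
    token_url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    form = {
        "grant_type": "password",
        "scope": "openid",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
        "totp": otp,  # assumption: field read by the direct-grant OTP step
    }
    try:
        with opener(_post(token_url, form)) as resp:
            tokens = json.loads(resp.read())
    except urllib.error.HTTPError as exc:
        try:
            err = json.loads(exc.read() or b"{}")
        except ValueError:
            err = {}
        return {"valid": False,
                "error": err.get("error", f"http_{exc.code}"),
                "description": err.get("error_description")}

    # We only wanted a yes/no answer, so do not leave a live session behind:
    # best-effort logout with the refresh token the grant just handed us.
    refresh = tokens.get("refresh_token")
    if refresh:
        logout_url = f"{base_url}/realms/{realm}/protocol/openid-connect/logout"
        try:
            with opener(_post(logout_url, {"client_id": client_id,
                                           "client_secret": client_secret,
                                           "refresh_token": refresh})):
                pass
        except urllib.error.HTTPError:
            pass  # validation already succeeded; cleanup is best effort
    return {"valid": True, "error": None, "description": None}


def make_fake_keycloak(expected):
    """Constructed stand-in for the token and logout endpoints (test data only).

    Accepts the password grant only when username, password and totp all match
    `expected`; everything else gets a 401 with an OAuth-shaped error body.
    """
    def opener(req):
        form = dict(urllib.parse.parse_qsl(req.data.decode()))
        if req.full_url.endswith("/logout"):
            return io.BytesIO(b"")
        ok = (form.get("grant_type") == "password"
              and form.get("username") == expected["username"]
              and form.get("password") == expected["password"]
              and form.get("totp") == expected["totp"])
        if ok:
            return io.BytesIO(json.dumps({"access_token": "at.constructed",
                                          "refresh_token": "rt.constructed"}).encode())
        body = json.dumps({"error": "invalid_grant",
                           "error_description": "Invalid user credentials"}).encode()
        raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {},
                                     io.BytesIO(body))
    return opener


if __name__ == "__main__":
    kc = make_fake_keycloak({"username": "alice", "password": "s3cret",
                             "totp": "027253"})
    args = ("https://localhost:8081/auth", "validation-test", "curl-test", "")
    print(validate_with_otp(*args, "alice", "s3cret", "027253", opener=kc))
    print(validate_with_otp(*args, "alice", "s3cret", "000000", opener=kc))
```

Against a real realm, drop the `opener=` argument and the same function talks to the token endpoint over TLS. Note that this is exactly the limitation raised in the thread: the request cannot leave the password out, so a username+OTP-only check for a password-reset page is not something this flow provides.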