Can't access Admin Console after OTP configuration change

Getting advice
,
1

Hi there !

Keycloak version: v24.0.5

I was trying to enable the OTP flow in the master realm. So, in the browser flow, I switch the “OPT Form” flow from “Conditional” to “Required”.

After the above configuration change, now I can’t access the admin console. I get error:

Cannot login, credential setup required.

image

The keycloak instance log shows the following:

WARN  [org.keycloak.services] (executor-thread-97) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException: authenticator: auth-otp-form
	at org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:429)
	at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:246)
	at org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:377)
	at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:246)
	at org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:377)
	at org.keycloak.authentication.DefaultAuthenticationFlow.continueAuthenticationAfterSuccessfulAction(DefaultAuthenticationFlow.java:178)
	at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:154)
	at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:1011)
	at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:365)
	at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:336)
	at org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:328)
	at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:393)
	at org.keycloak.services.resources.LoginActionsService$quarkusrestinvoker$authenticateForm_32b8e198ac3110abd1d5774e83a4cf87858129f4.invoke(Unknown Source)
	at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
	at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
	at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
	at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
	at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
	at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
	at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:840)

2024-09-26 21:56:20,071 WARN  [org.keycloak.events] (executor-thread-97) type="LOGIN_ERROR", realmId="master", clientId="security-admin-console", userId="null", ipAddress="10.233.92.152", error="invalid_user_credentials", auth_method="openid-connect", auth_type="code", redirect_uri="https://login.patagon.cloud/admin/master/console/", code_id="c4d7317f-13fd-4087-b2e4-b7e83a5bd412", username="nmella"

Any hint or advice how to undo or change backward the “OTP Form” setting ? Thanks !

:pray::pray::pray:
Greetings from :chile:

2

I think that the easiest way is changing this config on the database.

3

Yes! I try searching the database but I couldn’t find where this configuration is set.

Do you which table stores this information? Thanks