Using the direct grant flow, if I submit the correct username and password and OTP is not configured for the user, then the flow is successful.
If I submit the correct username and password but omit the OTP when this is configured I get a 401, but I cannot see a way of determining that an OTP was required, rather than that the supplied credentials were wrong.
Is it possible to do this in direct grant flow? i.e. have an application try the direct grant flow, and then KeyCloak return a different error that implies an OTP is required?
A prompt is not what I meant, but some feedback that says an OTP code is required for the current user would be useful. After all, you can log in to direct grant with an OTP code as well.
Yes agreed it makes sense and I too am using it. My problem is that not all of my users have OTP devices enabled, and so the client side logic to ask the user for a value for the totp parameter has no way of knowing, as both "missing totp parameter" and "incorrect username/password" result in a 401.
I can't assume every 401 is a prompt for an OTP code. So how do I know in direct grant flow that I need to send a totp parameter for a particular user?
I am afraid that you can't do it with no changes in Keycloak code.
Maybe a simpler and safer solution is to ask a user to supply an OTP regardless of whether it is configured or not?
Adding a hint "leave blank if OTP is not configured" would probably increase users' awareness of the existence of TOTP, which is a good side effect of the solution.
The user experience isn't ideal as I can't think of an example of a similar system that would do the same. Expert users wouldn't be fazed but the rest would certainly risk being put off.
Changing the response status in the actual KeyCloak code is a consideration, but there are security risks I don't have an easy answer to.
@richjyoung if you still need a solution, the following script authenticator added to the "Direct Grant" flow -> "Direct Grant - Conditional OTP" (REQUIRED; between "Condition - User Configured" and "OTP") will return "OTP missing" along with 401 when the username and password are correct, but otp is configured for the user and missing.