Hi there!
During the implementation of keycloak for our services with REST API, we encountered a problem with setting up two-factor authentication via REST. Is there any way to get the QR code without accessing the keycloak login page (we have our own login page UI)?
Are you looking at enabling 2FA for a user using the REST API? If so, it should be as simple as setting up the mandatory action "configure_otp" for the user.
I guess this REST call can do it:
curl 'http://localhost:8080/auth/admin/realms/test/users/c8e1f8d2-3c30-4e14-bd2e-ba4d1faf2193' \
  -X 'PUT' \
  -H 'Connection: keep-alive' \
  -H 'Accept: application/json, text/plain, */*' \
  -H 'DNT: 1' \
  -H 'Authorization: Bearer <ACCESS_TOKEN>' \
  -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36' \
  -H 'Content-Type: application/json;charset=UTF-8' \
  -H 'Origin: http://localhost:8080' \
  -H 'Sec-Fetch-Site: same-origin' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Sec-Fetch-Dest: empty' \
  -H 'Referer: http://localhost:8080/auth/admin/master/console/' \
  -H 'Accept-Language: en-US,en;q=0.9' \
  --data-binary '{"id":"c8e1f8d2-3c30-4e14-bd2e-ba4d1faf2193","createdTimestamp":1603179101242,"username":"user1","enabled":true,"totp":false,"emailVerified":false,"disableableCredentialTypes":[],"requiredActions":["CONFIGURE_TOTP"],"notBefore":0,"access":{"manageGroupMembership":true,"view":true,"mapRoles":true,"impersonate":true,"manage":true},"attributes":{}}' \
  --compressed
Hi, I would like to know if there is any REST call to verify the TOTP value of an authenticated user. It is to verify some important requests such as payments. Best regards
No standard SPI call for TOTP verification. But you can create your own REST API to do it.
Refer this,
https://www.keycloak.org/docs/latest/server_development/#_extensions
Hello!
I understand your challenge with implementing two-factor authentication via REST API without accessing the Keycloak login page. While Keycloak doesn't natively provide a REST endpoint for generating QR codes for 2FA setup, I'd like to recommend a custom extension that might help solve your problem.
Take a look at the khode-two-factor-auth extension: GitHub - chornthorn/khode-two-factor-auth: khode-two-factor-auth is a Keycloak extension that provides a REST API for managing Time-based One-Time Password (TOTP) authentication. This extension allows you to set up, verify, enable, disable, and validate TOTP for users in a Keycloak realm.
This extension provides additional REST endpoints for Keycloak, including one that allows you to generate QR codes for two-factor authentication setup without needing to access the Keycloak login page. It's designed to work with custom login page UIs, which seems to fit your use case perfectly.
The extension offers the following features:
- Generate QR code for 2FA setup
- Verify OTP code
- Enable/disable 2FA for a user
- Check if 2FA is enabled for a user
By using this extension, you should be able to implement the 2FA setup process entirely through your own login page UI, communicating with Keycloak via REST API calls.
Nice plugin! This is an old thread but extending the REST API still comes up a lot so having a nice example is great!
Are all of these endpoints authenticated? It doesn't look like the call to checkAuth is actually called; I might be missing something. Client authentication or using a service account to limit access would be great.
I wrote my own version of this (code is owned by my employer so I cannot share it, sorry); but I took the approach of authenticating with the user's access code, e.g. Authorization: Bearer <token>, and then the endpoints are always in the context of the current user instead of taking a userId value. Unless you're specifically wanting to bulk-manage OTP credentials, I'd think allowing a userId to be passed in just exposes an attack vector that's not necessary.
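To make the two points above concrete (the earlier reply that a TOTP verify endpoint has to be built as a custom REST resource, and this post's argument that the user should come from the bearer token rather than a userId parameter), here is an added Python sketch of what such a verify handler does. It is not code from the khode-two-factor-auth extension or from Keycloak: the TOTP computation is a plain RFC 6238 implementation on the standard library (Keycloak's default OTP policy of SHA-1, 6 digits, 30-second period), the token check is a constructed stand-in named fake_introspect, and the endpoint name and store are hypothetical. The test secret is the RFC 6238 reference key.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test key "12345678901234567890" in base32 (constructed test data).
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, for_time: int, digits: int = 6,
         period: int = 30, algo: str = "sha1") -> str:
    """RFC 6238 TOTP for a unix time; HOTP counter = floor(time / period)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", for_time // period)
    mac = hmac.new(key, counter, algo).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpStore:
    """Per-user OTP secret plus the highest time step already accepted.

    Remembering the accepted step is what stops a captured code from being
    replayed for a second payment within the same 30-second window.
    """

    def __init__(self):
        self._secrets = {}
        self._last_step = {}

    def enroll(self, user_id: str, secret_b32: str) -> None:
        self._secrets[user_id] = secret_b32
        self._last_step[user_id] = -1

    def verify(self, user_id: str, code: str, now: int,
               window: int = 1, period: int = 30) -> bool:
        secret = self._secrets.get(user_id)
        if secret is None:
            return False
        current = now // period
        # Accept +/- `window` steps of clock skew, but never a step at or
        # below one already consumed (replay guard).
        for step in range(current - window, current + window + 1):
            if step <= self._last_step[user_id]:
                continue
            expected = totp(secret, step * period, period=period)
            if hmac.compare_digest(expected, code):
                self._last_step[user_id] = step
                return True
        return False


# Constructed stand-in for bearer-token validation. A real handler would
# validate the token against Keycloak (signature, issuer, expiry) or call
# the introspection endpoint; the shape here mirrors an introspection reply.
_FAKE_TOKENS = {
    "tok-alice": {"active": True, "sub": "alice-id"},
    "tok-expired": {"active": False, "sub": "bob-id"},
}


def fake_introspect(token: str):
    return _FAKE_TOKENS.get(token)


def verify_otp_endpoint(store: OtpStore, introspect, bearer_token: str,
                        body: dict, now: int):
    """Hypothetical POST /totp/verify handler: (status, json) tuple.

    The subject is taken from the validated token only. A caller-supplied
    userId is rejected outright so the endpoint cannot be pointed at
    another user's credential.
    """
    claims = introspect(bearer_token)
    if not claims or not claims.get("active"):
        return 401, {"error": "invalid_token"}
    if "userId" in body:
        return 400, {"error": "userId not accepted; user comes from the token"}
    ok = store.verify(claims["sub"], str(body.get("code", "")), now)
    return (200, {"verified": True}) if ok else (401, {"verified": False})


def make_demo_store() -> OtpStore:
    """Store with one enrolled user, using the RFC 6238 reference secret."""
    store = OtpStore()
    store.enroll("alice-id", RFC6238_SECRET_B32)
    return store


if __name__ == "__main__":
    store = make_demo_store()
    code = totp(RFC6238_SECRET_B32, 59)          # RFC 6238 vector -> 287082
    print(verify_otp_endpoint(store, fake_introspect, "tok-alice", {"code": code}, 59))
    print(verify_otp_endpoint(store, fake_introspect, "tok-alice", {"code": code}, 59))  # replay
```

The only thing the request body carries is the code; identity is fixed by whatever validated the token, and the accepted time step is recorded per user so the same code is refused on a second attempt.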
Thank you for your feedback! In our latest release (1.3), we've addressed several security concerns:
- All endpoints are now properly authenticated.
- We've implemented user context authentication using bearer tokens.
- We've retained the userId parameter to support dual authentication scenarios.
Additionally, in future releases, we plan to support TOTP auth for sensitive API operations. If you have any ideas or suggestions, we'd love to hear them. Please join the discussion at [feature]: TOTP-Based Secure Action Token for Sensitive API Operations · Issue #1 · chornthorn/khode-two-factor-auth · GitHub