Hi, fellow keycloakers!
We want to add 2FA support with Yubikey devices, but we don't use Keycloak's login flow; rather, we use the admin REST API.
Our flow is:
- Create a new user with OTP (from the admin console)
- Send the user an email so he can configure his password and Google Authenticator
- When a user logs in from our own website/application, we use the admin REST API ({{keycloak_url}}/realms/{{realm}}/protocol/openid-connect/token) and send the username, password, and the TOTP token.
This flow is fine and working as expected.
Now, instead of the user working with Google Authenticator, we need the user to use a Yubikey device.
So a few questions:
1. When creating a new user from the admin console (or admin API), is it possible to configure this user to use Yubikey (I think it's called WebAuthn passwordless)?
2. If 1 is possible, can we use the admin REST API to get an access token for this user? Do we need to generate an OTP from the Yubikey SDK and send it as well in the API?
Any help, guide, or information would be appreciated.