@sts
Last active March 11, 2024 16:52
Keycloak OTP Validation API
#!/usr/bin/env bash
# NOTE (see the author's comment below): /credential-validation is not part of
# stock Keycloak. This script only works against the custom credential-validation
# module from the mailing-list patch; step 1 (the token request) is standard.
BASE_URL=https://localhost:8081/auth
CLIENT_ID=curl-test
CLIENT_SECRET=
USERNAME=
PASSWORD=
REALM=validation-test
OTP_CODE=027253   # sample value; use the current code from the authenticator app

# OpenID access token via "Resource Owner Password Credentials Grant"
# https://tools.ietf.org/html/rfc6749#section-4.3
ACCESS_TOKEN=$(curl -s \
  --data-urlencode scope=openid \
  --data-urlencode "client_id=$CLIENT_ID" \
  --data-urlencode "client_secret=$CLIENT_SECRET" \
  --data-urlencode grant_type=password \
  --data-urlencode "username=$USERNAME" \
  --data-urlencode "password=$PASSWORD" \
  "$BASE_URL/realms/$REALM/protocol/openid-connect/token" \
  | python3 -c 'import sys, json; print(json.load(sys.stdin)["access_token"])')

## Validate the OTP code with the custom credential-validation endpoint
curl -v \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d "[{\"type\":\"totp\",\"value\":\"$OTP_CODE\"}]" \
  "$BASE_URL/realms/$REALM/credential-validation"
@jasw
jasw commented Feb 23, 2018

Hi, I found your gist via googling "totp api for keycloak". Just wondering what this "credential-validation" API is. That's what I have been looking for in Keycloak. The current latest version (3.4.3) does not have such an endpoint. Even worse, when TOTP is turned on, the first call to the token service will fail with a generic "bad user credentials" error. Thanks, Jas

@fatihATtargens
Hi, same for me. I'm looking for an API to validate my TOTP code too. Is there any option to do this via Keycloak?

@dileepkumar457
@fatihATtargens - were you able to find a solution for this?

@rafakwolf
Same issue here

@fatihATtargens
@dileepkumar457, @rafakwolf I'll upload my solution soon. I implemented a module to check the TOTP on Keycloak via an API. I'll post the link here soon.

@sts
Author

sts commented Jun 21, 2019

@jasw @rafakwolf @dileepkumar457 I was initially running into the same issue, as I picked up some ideas from a mailing-list message which described an extended credential-validation API from a patch that a user had implemented on his own. So please ignore the example above; it was only used as an example when I wrote to the mailing list, and it will only work with his own credentials-validation module.

Keycloak is not able to validate the TOTP token apart from username and password, so I had to wait on my RP (FreeRADIUS) until I had username, password and token to send to Keycloak using the following request:

#!/usr/bin/env bash

# Metadata discovery (lists the token endpoint and the supported grant types):
#curl https://auth.local/auth/realms/ono/.well-known/openid-configuration | python3 -m json.tool

# Caution: set -x echoes every expanded command, including CLIENT_SECRET and
# PASSWORD, to stderr. Leave it off outside of debugging.
set -x

BASE_URL=https://auth.local/auth
CLIENT_ID=radius
CLIENT_SECRET=aaaaaaa-bbbb-cccc-dddd-eeeeeee
USERNAME=alice
PASSWORD=xxxxxxxx
REALM=ono
OTP_CODE=1234

# Direct grant: username, password and the current OTP in a single request.
# Keycloak's direct-grant OTP authenticator reads the "otp" form field and
# falls back to "totp". (--trace takes a file name; plain -v is what was meant.)
curl -sS -v \
    --data-urlencode scope=openid \
    --data-urlencode "client_id=$CLIENT_ID" \
    --data-urlencode "client_secret=$CLIENT_SECRET" \
    --data-urlencode "username=$USERNAME" \
    --data-urlencode "password=$PASSWORD" \
    --data-urlencode "totp=$OTP_CODE" \
    --data-urlencode grant_type=password \
    "$BASE_URL/realms/$REALM/protocol/openid-connect/token"
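The token request in the comment above (and the token step of the gist at the top of the page) is the whole exchange: the OTP travels to the token endpoint as one more form field next to the password, and the reply is either a token or a single generic error. The following is an added example, not code from the gist, from the commenters or from Keycloak itself. It runs a loopback stand-in for the token endpoint that behaves the way the comments describe (password and OTP checked in one direct-grant request, one invalid_grant error whichever factor is wrong), a client that sends the same form fields as the curl command, and an RFC 6238 TOTP generator so that the whole run is offline and self-contained. The realm, client, user, secrets and the "Invalid user credentials" error text are constructed fixtures, and the one-step look-around window for clock skew is an assumption about the realm's OTP policy.

```python
# Added example (not the gist's code, not Keycloak's): direct grant with password + TOTP
# against a loopback stand-in for the token endpoint. Realm, client, user, secrets and
# the error text are constructed fixtures; the look-around window is an assumption.
import base64, hashlib, hmac, json, struct, threading, time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

REALM = "ono"
CLIENTS = {"radius": "aaaaaaa-bbbb-cccc-dddd-eeeeeee"}      # confidential client -> secret
USERS = {"alice": {"password": "xxxxxxxx",                 # RFC 6238 reference secret
                   "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}}  # "12345678901234567890"
LOOK_AROUND = 1   # assumed OTP policy: tolerate one 30 s step of clock skew either way


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits): what the authenticator app displays."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _eq(a, b):  # constant-time string comparison
    return hmac.compare_digest(a.encode(), b.encode())


class FakeTokenEndpoint(BaseHTTPRequestHandler):
    """Stand-in for /realms/<realm>/protocol/openid-connect/token with the OTP step enabled."""

    def _reply(self, status, payload):
        body = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        form = {k: v[0] for k, v in parse_qs(self.rfile.read(length).decode()).items()}
        if form.get("grant_type") != "password":
            return self._reply(400, {"error": "unsupported_grant_type"})
        secret = CLIENTS.get(form.get("client_id", ""))
        if secret is None or not _eq(secret, form.get("client_secret", "")):
            return self._reply(401, {"error": "invalid_client"})
        # Password and OTP are checked in the same request: Keycloak reads the "otp" form
        # field and falls back to "totp". Any wrong factor yields the one generic error,
        # which is the "bad user credentials" failure the first comment describes.
        user = USERS.get(form.get("username", ""))
        otp = form.get("otp") or form.get("totp", "")
        now = time.time()
        ok = (user is not None
              and _eq(user["password"], form.get("password", ""))
              and any(_eq(totp(user["totp_secret"], at=now + d * 30), otp)
                      for d in range(-LOOK_AROUND, LOOK_AROUND + 1)))
        if not ok:
            return self._reply(401, {"error": "invalid_grant",
                                     "error_description": "Invalid user credentials"})
        self._reply(200, {"access_token": "stand-in.access.token", "token_type": "Bearer",
                          "expires_in": 300, "scope": form.get("scope", "")})

    def log_message(self, *args):   # silence per-request logging
        pass


def password_otp_grant(base_url, realm, client_id, client_secret, username, password, otp):
    """Same form fields as the curl command above; returns (http_status, parsed JSON body)."""
    form = urlencode({"grant_type": "password", "scope": "openid", "client_id": client_id,
                      "client_secret": client_secret, "username": username,
                      "password": password, "totp": otp}).encode()
    req = Request(f"{base_url}/realms/{realm}/protocol/openid-connect/token", data=form,
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, json.load(resp)
    except HTTPError as err:     # 4xx responses still carry the OAuth error document
        return err.code, json.load(err)


def run_demo():
    """Serve the stand-in on loopback; try a good OTP, an hour-old OTP and a bad password."""
    server = HTTPServer(("127.0.0.1", 0), FakeTokenEndpoint)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}/auth"
    secret = USERS["alice"]["totp_secret"]
    grant = lambda password, code: password_otp_grant(
        base, REALM, "radius", CLIENTS["radius"], "alice", password, code)
    try:
        good = grant("xxxxxxxx", totp(secret))
        stale = grant("xxxxxxxx", totp(secret, at=time.time() - 3600))
        bad_pw = grant("wrong-password", totp(secret))
    finally:
        server.shutdown()
        server.server_close()
    return good, stale, bad_pw


if __name__ == "__main__":
    for label, (status, body) in zip(("good otp", "stale otp", "bad password"), run_demo()):
        print(f"{label}: HTTP {status} {body}")
```

Running the file prints the three exchanges. The stale-OTP and wrong-password cases come back byte-for-byte identical, which is the behaviour worth keeping in mind when building a RADIUS or password-reset front end on top of this grant: the caller learns only that the combination failed, never which factor was wrong, and the OTP cannot be presented without the password because it is just another field of the same password grant.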

@mgx0
mgx0 commented Jan 19, 2023

@dileepkumar457, @rafakwolf I'll upload my solution soon. I implemented a module to check the TOTP on Keycloak via an API. I'll post the link here soon.

Hi there
@fatihATtargens did you come to a solution please?

I'm looking for a username+OTP validator REST endpoint without specifying the password (it should be used to protect an external password reset page).

can anyone help here?
