[keycloak-dev] OTP API

Bill Burke bburke at redhat.com
Thu Nov 10 08:27:23 EST 2016


Should be generic and not specific to a credential type.  Should also 
hook into brute force detection.  IMO though, one of the reasons for SSO 
and keycloak is that the application does not gather credentials.  This 
is the job of the auth server.  IMO, we'd be better off with expiring 
the login at the client side, redirecting to auth server, auth server 
sees that the user session is 3 hours old, and requests OTP.


On 11/10/16 7:52 AM, Thomas Darimont wrote:
> Hello Rohith,
>
> not that I know of - we'd also like to have this functionality.
>
>
> What would be the best place to add that? Perhaps this could be added to
> the UsersResource with a new
> endpoint like "/users/{userId}/otp-validation" or a (new) dedicated
> resource.
>
> A client could then do a POST to that endpoint with the current user's
> access token and the entered OTP code.
> Keycloak could then lookup and check the provided otp code.
> If the code is correct, response could indicate that via status HTTP 200 or
> HTTP 400 otherwise.
>
> Cheers,
> Thomas
>
> 2016-11-10 12:11 GMT+01:00 gambol <gambol99 at gmail.com>:
>
>> Hiya
>>
>> Does the latest version of Keycloak provide any means of verifying a user's
>> TOTP? Our use-case at the moment, we have an application which once the
>> user is authenticated we issue a token of sorts ... however, we wish to
>> provide a popup that requests a user's TOTP every few hours which we
>> "could" verify via service account ... I can't see any access at the moment
>> via the rest api
>>
>> Rohith
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
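As an added example, not code from Keycloak or from any of the posters, here is the shape of the server-side check the proposed /users/{userId}/otp-validation endpoint would have to perform, with the brute force hook Bill asks for: RFC 6238 TOTP verification plus a per-user consecutive-failure counter. The user id, secret, thresholds and timestamps are constructed.

```python
# Added example (not Keycloak code): server-side OTP validation of the kind the
# proposed endpoint would perform, with a simple brute-force counter.
# Secret, user id, lockout threshold and timestamps below are constructed.
import hmac, hashlib, struct

STEP = 30          # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6
WINDOW = 1         # accept codes from +/-1 step to tolerate clock drift
MAX_FAILURES = 5   # refuse further checks after this many consecutive failures

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, now // STEP)

class OtpValidator:
    """Tracks consecutive failures per user and refuses to check codes for a
    locked user (a stand-in for hooking into brute force detection)."""
    def __init__(self):
        self.failures = {}

    def validate(self, user_id: str, secret: bytes, code: str, now: int):
        """Returns (http_status, reason) the endpoint would answer with."""
        if self.failures.get(user_id, 0) >= MAX_FAILURES:
            return 429, "user temporarily locked"
        for drift in range(-WINDOW, WINDOW + 1):
            candidate = hotp(secret, now // STEP + drift)
            if hmac.compare_digest(candidate, code):   # constant-time compare
                self.failures[user_id] = 0             # success resets the counter
                return 200, "ok"
        self.failures[user_id] = self.failures.get(user_id, 0) + 1
        return 400, "invalid otp"
```

The secret used in the test is the RFC 4226/6238 test-vector key, so the expected codes can be checked against the RFC tables.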
