[keycloak-user] A couple of questions on TOTP registration and two stage resource owner auth

Jason Wang jason.lei.wang at gmail.com
Mon Feb 26 00:26:50 EST 2018


Hi all,

Resource owner auth flow with TOTP enabled works by providing
username, password and totp code in one go.  For example, to authenticate
user 'test3' on realm 'test' with totp code 123456, the following HTTP POST
works well:

curl -v \
    -d scope=openid -d grant_type=password \
    --data-urlencode client_id=public \
    --data-urlencode username=test3 \
    --data-urlencode password=test3 \
    --data-urlencode totp=123456 \
    127.0.0.1:8080/auth/realms/test/protocol/openid-connect/token

It returns two tokens as expected.

In my use case, I would like to do this in 2 stages, similar to how this
user would log in to Keycloak: he needs to enter username and password
first. Only valid credentials will lead him to the totp page.  Does
Keycloak provide APIs to support doing it this way?  Interestingly, after totp is
set, providing only username and password when calling the API would only
result in a generic 401.

I have seen quite a few references to an API endpoint that looks like:
$BASE_URL/realms/$REALM/credential-validation
which does not seem to exist (
https://gist.github.com/sts/4c6f8fa759cec88197ca6dfcf306c391).


The second question is whether there is an API to set the authenticator for the
given user. For example, returning the long binding code (can be displayed by
this link http://127.0.0.1:8080/auth/realms/test/account/totp?mode=manual),
which is what the QR code links to.  With this API, I can do the
registration process outside of Keycloak.

The last question is that the Keycloak UI does not seem to be using OIDC
APIs with the server? I tried to find out which APIs those pages are
invoking by debugging in the browser, which did not give me JSON resources.
This is a lazy question to save me looking into the source code, which I
know I will need to do later ;-).



Many thanks,
Jason

