[keycloak-user] Keycloak Forgot Password Auth Flow TOTP

David Leonard David.Leonard at flexential.com
Tue Mar 19 15:19:07 EDT 2019


Hello Everyone,

I’m having an issue getting the Forgot Password Auth Flow to work the way I expect with OTP.

It seems I have 2 options: either I can leave on Reset OTP and have the user reset it, or turn it off and create a backdoor to my OTP.

My preferred solution would be:

1. User has forgotten their password
2. User selects the forgot password link.
3. User enters their username or email.
4. User receives email from Keycloak.

Then either:
5. The user is required to enter their current OTP.
6. User changes their password

or

5. The user changes their password
6. The user is asked to login with the new password and current OTP.

I don’t want a case where the user doesn’t have both their password and their OTP and is still able to authenticate.

For now I have completely disabled the Forgot Password flow, but if it is possible to make either of those work it would help dramatically. I don’t see in the Auth Flow how to add an OTP Form like the one in the Browser flow.

Thanks!
David
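One way to build the first variant above (the user's current OTP is checked after the email link and before the password change) with the Keycloak admin REST API, as an added example that is not part of the original post. It assumes the endpoint paths shown, that the built-in flow alias is "reset credentials", that the "OTP Form" authenticator (provider id auth-otp-form) can be added to a copy of that flow, and that base_url, token and realm are placeholders supplied by the caller.

```python
"""Clone Keycloak's reset credentials flow, add a REQUIRED OTP Form step
ahead of Reset Password, disable Reset OTP, and bind the clone to the realm.
Added example; assumes the admin REST endpoints used below."""
import json
import urllib.parse
import urllib.request

RESET_FLOW = "reset credentials"   # built-in flow alias (assumed unchanged)
OTP_FORM = "auth-otp-form"         # provider id of the "OTP Form" authenticator

def plan_flow_setup(realm, alias):
    """Calls (method, path, body) that copy the built-in flow and append OTP Form."""
    auth = f"/admin/realms/{realm}/authentication"
    return [
        ("POST", f"{auth}/flows/{RESET_FLOW}/copy", {"newName": alias}),
        ("POST", f"{auth}/flows/{alias}/executions/execution", {"provider": OTP_FORM}),
    ]

def plan_ordering(realm, alias, executions):
    """Given the clone's execution list (GET .../flows/{alias}/executions; each
    entry has id, providerId, requirement, index), return the calls that make
    OTP Form REQUIRED, disable Reset OTP, and move OTP Form above Reset Password
    so the OTP must be entered before a new password can be set."""
    auth = f"/admin/realms/{realm}/authentication"
    by_provider = {e["providerId"]: e for e in executions}
    otp, pwd = by_provider[OTP_FORM], by_provider["reset-password"]
    calls = [("PUT", f"{auth}/flows/{alias}/executions",
              {"id": otp["id"], "requirement": "REQUIRED"})]
    if "reset-otp" in by_provider:  # no OTP reset without knowing the old OTP
        calls.append(("PUT", f"{auth}/flows/{alias}/executions",
                      {"id": by_provider["reset-otp"]["id"], "requirement": "DISABLED"}))
    # each raise-priority call moves the execution one position up the flow
    for _ in range(max(0, otp["index"] - pwd["index"])):
        calls.append(("POST", f"{auth}/executions/{otp['id']}/raise-priority", None))
    return calls

def call(base_url, token, method, path, body=None):
    """Send one admin REST request with a bearer token; return decoded JSON or None."""
    url = base_url.rstrip("/") + urllib.parse.quote(path)
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None

def configure(base_url, token, realm, alias="reset credentials with otp"):
    """Apply the plan against a live server, binding the clone only at the end."""
    for m, p, b in plan_flow_setup(realm, alias):
        call(base_url, token, m, p, b)
    execs = call(base_url, token, "GET", f"/admin/realms/{realm}/authentication/flows/{alias}/executions")
    for m, p, b in plan_ordering(realm, alias, execs):
        call(base_url, token, m, p, b)
    call(base_url, token, "PUT", f"/admin/realms/{realm}", {"resetCredentialsFlow": alias})
```

A user who has lost both factors is stopped at the OTP Form step, which is the property asked for above; a user who has only lost the OTP still needs a separate, manually handled reset.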