Should be generic and not specific to a credential type. Should also
hook into brute force detection. IMO though, one of the reasons for SSO
and keycloak is that the application does not gather credentials. This
is the job of the auth server. IMO, we'd be better off with expiring
the login at the client side, redirecting to auth server, auth server
sees that the user session is 3 hours old, and requests OTP.
On 11/10/16 7:52 AM, Thomas Darimont wrote:
Hello Rohith,
not that I know of - we'd also like to have this functionality.
What would be the best place to add that? Perhaps this could be added to
the UsersResource with a new
endpoint like "/users/{userId}/otp-validation" or a (new) dedicated
resource.
A client could then do a POST to that endpoint with the current user's
access token and the entered OTP code.
Keycloak could then lookup and check the provided otp code.
If the code is correct, response could indicate that via status HTTP 200 or
HTTP 400 otherwise.
Cheers,
Thomas
2016-11-10 12:11 GMT+01:00 gambol <gambol99(a)gmail.com>:
> Hiya
>
> Does the latest version of Keycloak provide any means of verifying a user's
> TOTP? Our use-case at the moment, we have an application which once the
> user is authenticated we issue a token of sorts ... however, we wish to
> provide a popup that requests a user's TOTP every few hours which we
> "could" verify via service account ... I can't see any access at the moment
> via the rest api
>
> Rohith
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
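The server side of the validation endpoint Thomas sketches, with the brute-force hook the reply above asks for, as an added example (not Keycloak code and not part of this thread). It assumes the caller has already authenticated the access token and resolved the user id; the secret store, the lockout constants and the in-memory failure counters are hypothetical stand-ins for what a real server would keep.

```python
import hmac
import hashlib
import struct
import time
from collections import defaultdict

# Constructed demo secret: the RFC 4226/6238 test-vector key, not a real user's.
USER_SECRETS = {"alice": b"12345678901234567890"}

MAX_FAILURES = 5        # hypothetical lockout threshold
LOCKOUT_SECONDS = 300   # hypothetical lockout duration
STEP = 30               # TOTP time step in seconds
DIGITS = 6
WINDOW = 1              # accept one step either side for clock skew

_failures = defaultdict(int)      # per-user consecutive wrong codes
_locked_until = defaultdict(float)  # per-user lockout expiry (epoch seconds)


def totp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP over a time-step counter (RFC 6238, HMAC-SHA1)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def validate_otp(user_id: str, code: str, now=None) -> int:
    """HTTP status the proposed /users/{userId}/otp-validation endpoint would
    answer with: 200 valid, 400 invalid, 429 locked out by brute-force detection."""
    now = time.time() if now is None else now
    if now < _locked_until[user_id]:
        return 429
    secret = USER_SECRETS.get(user_id)
    counter = int(now // STEP)
    ok = False
    if secret is not None:
        # Check every step in the window; compare_digest avoids a timing leak
        # and the loop never short-circuits on a match.
        for c in range(counter - WINDOW, counter + WINDOW + 1):
            ok |= hmac.compare_digest(totp(secret, c), code)
    if ok:
        _failures[user_id] = 0
        return 200
    _failures[user_id] += 1
    if _failures[user_id] >= MAX_FAILURES:
        _locked_until[user_id] = now + LOCKOUT_SECONDS
        _failures[user_id] = 0
    return 400
```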