[keycloak-dev] Added password token for totp logins
Stian Thorgersen
stian at redhat.com
Thu Aug 28 07:56:15 EDT 2014
In the past when authenticating a user with totp we used to include the username and password in plain-text in hidden input fields on the login-totp form. This was not good in case this html gets cached.
I've improved this by adding a password-token type credential. The flow now is:
1. User logs in with username and password
2. Password is verified, if valid a password-token is generated (realm name, user id and timestamp encrypted with realm private key)
3. Redirect to login-totp, including password-token instead of password
4. User enters totp
5. Password token and totp is verified
More information about the keycloak-dev
mailing list