[keycloak-user] TOTP claim in jwt

Mark Sargent Mark.Sargent at gallagher.com
Wed May 29 22:48:59 EDT 2019


Thanks Dmitry!
________________________________
From: Dmitry Telegin <demetrio at carretti.pro>
Sent: Thursday, May 30, 2019 4:36 AM
To: Mark Sargent; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] TOTP claim in jwt

Hello Mark,

I usually offer this as an assignment for my students at Keycloak hands-ons, hope they don't google this next time :)

Please check out this thread for the solution overview: http://lists.jboss.org/pipermail/keycloak-user/2018-December/016676.html

The actual authenticator code might look like this:

function authenticate(context) {

    var status = authenticationSession.executionStatus;
    var execs = status.keySet();

    for each (var e in execs) {
        var auth = realm.getAuthenticationExecutionById(e).authenticator;
        var s = status[e];
        LOG.info(auth + " => " + s); // you will get nulls for subflows, that's normal
        if (auth == "auth-otp-form" && s == "SUCCESS")
            authenticationSession.setUserSessionNote("otp", "true");
    }

    context.success();

}

And the mapper:

var otp = userSession.notes["otp"]; // note set by the authenticator above; null if the OTP step never succeeded
token.setOtherClaims("otp", otp);   // JsonWebToken.setOtherClaims(name, value); note the capital O

Good luck!
Dmitry Telegin

Carretti Consulting OÜ | Keycloak Consulting and Training
Sepapaja 6, Tallinn 15551, Estonia | info at carretti.pro

On Wed, 2019-05-29 at 02:06 +0000, Mark Sargent wrote:
> Hi all,
>
> Some users in our realm must have set up TOTP to access some services. Is it possible to configure a claim to include if a second factor was used during authentication?
> We could check if such a claim existed in our service, before granting access.
>
> Thanks in advance.
>
> Cheers
> Mark
>
>
> ________________________________
> This email is confidential and may contain information subject to legal privilege. If you are not the intended recipient please advise us of our error by return e-mail then delete this email and any attached files. You may not copy, disclose or use the contents in any way. The views expressed in this email may not be those of Gallagher Group Ltd or subsidiary companies thereof.
> ________________________________
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
