Configure Keycloak OTP via Administration REST API

Question

I am evaluating Keycloak for one of our systems where 2FA with TOTPs would be a requirement. I am trying to figure out if there is a way to register a new Authenticator app via the Admin REST API, so our user's wouldn't need to interact with the Keycloak provided account page.

I've spent some time with the reference documentation but got no luck. Is there something I am missing? Is omitting the Keycloak provided UIs a preferred way to use this service?

Thanks!

Answer 1

You can use this custom rest api for creating/deleting totp Custom TOTP Rest Api

Answer 2

The short answer to this specific question is "no", as has already been said in Jan's answer.

However, for those that are interested, I've added a detailed answer around what you can and can't do regarding attempting to roll-you-own around the OTP device setup in Keycloak as the answer to this similar question: Keycloak - Multi/2FA Factor - OTP - QR Code - Custom Login Screen - Rest API.

The focus there is more around setting up OTP devices using your own application pages instead of Keycloak's, but someone who has found this page looking for information might find it useful.

Answer 3

No, you can't use API for that. You need user UI interaction.

I can't imagine how you will be able to distribute TOTP credentials to the user device. Maybe some high profile enterprise environments (Android Enterprise, ...) can force it, but it won't be very common use case.