Reputation: 510
I have a single-page web application authenticating against Keycloak and letting users enable TOTP on their Keycloak account page.
However, I want the client application to determine, after login, whether the authenticated user has 2-factor authentication/TOTP enabled or not.
Is it possible to map this (boolean) information into the tokens or the userinfo endpoint? I haven't found any user property that contains this information.
The only place I found it was in the Admin REST API at /auth/admin/realms/{realm}/users/{uuid}, but the client/end user won't and shouldn't have access there:
{
...
totp: true,
}
Upvotes: 1
Views: 2789
Reputation: 1287
I believe you can apply OTP to a role, so that any user assigned this role MUST configure OTP on the first login after the role is assigned. Then it's simple to check if that role is present in the claims on whatever endpoint the user is accessing. But it will remove the possibility for the user to decide if they want to use OTP or not, as assigning the role will force them to.
Upvotes: 0
Reputation: 1912
I don't think this is possible without customization.
You may want to add a custom protocol mapper and check for TOTP like this:
keycloakSession.userCredentialManager().isConfiguredFor(realm, user, OTPCredentialModel.TYPE)
Here is a video that explains the first steps.
Upvotes: 3
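To show what the custom protocol mapper from the answer above looks like end to end, here is an added example (not code from the answerer or from the Keycloak project). It is a Java OIDC protocol mapper that puts a boolean claim into the access token, ID token and userinfo response, set from the same isConfiguredFor check. The package name, the provider id "totp-configured-mapper", the display strings and the claim name default are assumptions; the Keycloak classes and method signatures are the ones in the Keycloak 12 to 19 server SPI, where KeycloakSession.userCredentialManager() still exists (in newer releases it is deprecated in favour of user.credentialManager().isConfiguredFor(type)).

```java
package com.example.keycloak; // assumed package, not part of the original post

import java.util.ArrayList;
import java.util.List;

import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.credential.OTPCredentialModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper;
import org.keycloak.protocol.oidc.mappers.UserInfoTokenMapper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken;

/**
 * Protocol mapper that adds a boolean claim telling the client whether the
 * user has an OTP (TOTP/HOTP) credential configured in Keycloak.
 *
 * Registered with Keycloak through the file
 * META-INF/services/org.keycloak.protocol.ProtocolMapper containing the
 * fully qualified class name, packaged in a provider JAR.
 */
public class TotpConfiguredMapper extends AbstractOIDCProtocolMapper
        implements OIDCAccessTokenMapper, OIDCIDTokenMapper, UserInfoTokenMapper {

    // Assumed provider id; it is what shows up in the admin console mapper list.
    public static final String PROVIDER_ID = "totp-configured-mapper";

    private static final List<ProviderConfigProperty> CONFIG_PROPERTIES = new ArrayList<>();

    static {
        // "Token Claim Name" text box, so the admin chooses the claim name
        // (for example "totp_configured") when adding the mapper to a client.
        OIDCAttributeMapperHelper.addTokenClaimNameConfig(CONFIG_PROPERTIES);
        // The usual "Add to ID token" / "Add to access token" / "Add to userinfo" switches.
        OIDCAttributeMapperHelper.addIncludeInTokensConfig(CONFIG_PROPERTIES, TotpConfiguredMapper.class);
    }

    @Override
    public String getId() {
        return PROVIDER_ID;
    }

    @Override
    public String getDisplayType() {
        return "TOTP configured";
    }

    @Override
    public String getDisplayCategory() {
        return TOKEN_MAPPER_CATEGORY;
    }

    @Override
    public String getHelpText() {
        return "Adds a boolean claim stating whether the user has an OTP credential configured.";
    }

    @Override
    public List<ProviderConfigProperty> getConfigProperties() {
        return CONFIG_PROPERTIES;
    }

    /**
     * Called once per token (ID token, access token, userinfo) that the
     * include-in-token switches enable. The value is evaluated at token
     * issuance, so it reflects the user's credentials at that moment.
     */
    @Override
    protected void setClaim(IDToken token, ProtocolMapperModel mappingModel,
                            UserSessionModel userSession, KeycloakSession keycloakSession,
                            ClientSessionContext clientSessionCtx) {
        RealmModel realm = userSession.getRealm();
        UserModel user = userSession.getUser();

        // The same check the answer above points at: true if the user has an
        // OTP credential stored, regardless of whether the login flow required it.
        boolean totpConfigured = keycloakSession.userCredentialManager()
                .isConfiguredFor(realm, user, OTPCredentialModel.TYPE);

        // Writes the boolean under the configured claim name into the token.
        OIDCAttributeMapperHelper.mapClaim(token, mappingModel, totpConfigured);
    }
}
```

Two caveats a practitioner would want before relying on this claim. First, it is computed when the token is minted, so a user who enrols or removes TOTP afterwards keeps the old value until the token is refreshed; a SPA that shows "2FA enabled" from this claim should re-read it after a refresh. Second, the claim says that an OTP credential exists, not that OTP was used for this particular login; if the backend needs to enforce step-up rather than just display status, check the acr or amr claims produced by the authentication flow, or use the role-based Conditional OTP approach from the other answer, rather than this flag.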