Great Tutorial! It helped me a lot to understand Keycloak more. Thank you!
btw. nice video quality
Great explanation. It was really helpful.
Thanks for share! Good job Niko
Awesome tutorial, thanks so much.
6:31 how to add the SMS authentication choice to Keycloak?
I'm facing the same issue. It looks like the option was removed
I have error, after login: '17:57:51,046 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-1) Uncaught server error: java.lang.NoClassDefFoundError: org/keycloak/common/util/SecretGenerator'
Did you know how to solve this problem? I also have the same problem.
It was very helpful. Thank you!
Great content and tutorial. Thank you for sharing it
Thank you so much, Kamal! Also for your donation, this is really appreciated and shows me that not all my effort is worthless!! 👍
Thank you very much for this video. I compiled it and am attempting to get it to run. You say to copy the jar files to the /deployments folder. Do you mean to copy to the providers subfolder in the Keycloak installation folder? Where do I copy the template ftl file and the messages to?
Thank you for your positive feedback.
I mean the standalone/deployments folder, like also mentioned in the docs (www.keycloak.org/docs/latest/server_development/index.html#using-the-keycloak-deployer).
If you deploy your own JAR, you can put the template and message files into this jar, in the structure like in my demo repository. Or/and, you can just add them to your custom theme, if you use one, and thus overwrite the original ones from the JAR.
Thanks for the video. Is it possible to set an OTP token period like in the Keycloak OTP config?
Hi, I have a multiple-login issue: I want either username-and-password login or SMS auth login. How do I handle it?
Thanks for sharing the content about Keycloak
Downloaded, build, setup keycloak flows, etc and simulation is working.
Any hints on how to implement the real sms-part via AWS?
Thank you for your hard work.
//Edit
Ah, think I found something in the AWS-Api documentation.
Hey, could you please tell me how I can use my own OTP service for the login? Right now I have integrated the Keycloak login endpoint; now I want to log in using the mobile number and OTP
Hi @dasniko, Your videos are really good.
I have a requirement that I need to send the OTP to the user only once during registration and not every time. Can you please provide me any solution?
Thank you Mr. @Niko Köbler for your knowledge share,
My deployment was domain mode and the project was Spring, but the system can't show me in the list. Can you help me? The Keycloak version is 16.1.0
Hi, I cloned the project, did mvn install, moved the JAR file to /opt/keycloak/providers and started the build, and it's fine.
When I log in with admin credentials I am not able to see SMS authentication in the steps. Please correct me if I am wrong.
I am using Keycloak version 25.02
Great Tutorial!
Question: Custom Authentication flow will be applicable to all the users, Am I right?
Is there any way to configure Different Authentication Flow for Different Users?
You can omit steps in the flow based on condition like attribute or role.
Can't we verify the code using an API?
does it work on keycloak 23.0.4?
Thank you Mr. @Niko Köbler for this great work,
I just wanna ask you where I can add configs to use the SNS service for sending SMS.
Till now I only use simulation mode and I want to move to the AWS SNS service.
Thanks.
How you configure the AWS credentials is up to you. Set them as env vars or system properties and use the default provider chain from AWS. If you want to set and use the access key and secret access key in the provider config form, you'll have to extend the code accordingly.
@dasniko Thanks for your answer,
will injecting the access/secret key as environment variables in my docker compose be enough?
Yes, that's the way I'm using it too
@dasniko Thank you very much Mr. Niko.
@hatimchawki3995 can you tell how to add environment variables for using AWS SNS locally without any Docker configuration? Please give the details of variable name and value. Thanks
How can I add an extra link like (resend the code)?
Awesome, I'm new to Keycloak. Do you have any tutorial for sign-in and sign-up with OTP without password?
Thanks
Thanks for the informative video. Do you have any video/tutorial about Keycloak authentication via email? Some of our clients are not allowed to take mobile devices into their offices and we want to have the option to enable 2FA via email (instead of Google Authenticator) for them. Any tips would be greatly appreciated
It's pretty much the same. Instead of sending the SMS, you just have to send an email. Retrieve the email provider before and send the mail through the provider.
@dasniko Thanks so much for the information, yes I have now used Keycloak features to send an email instead of SMS. Is there a way to make this configurable so that some users in the realm use phone OTP (if they have one), and some have email OTP? My current configuration "Browser with Email" binding would cause everyone on that same realm to require an email OTP, but we want this to be configurable, so some customers in the realm might have a phone OTP and some might have to use the email one.
You have 2 options:
1. Build the condition into the 2FA extension and decide upon some attributes or whatever if you send an SMS or an email
2. Build 2 2FA extensions, one for SMS, one for email, extend your AuthFlow in Keycloak to have a condition based on role or attribute
@sheevaa2634 Hey! Were you able to make modifications to use email for authentication instead of SMS? What changes were required? Which Keycloak version have you used? I am trying to do the same but running into a few errors. I would really appreciate your help :)
@dasniko Does your SMS package provide the conditional thing in Keycloak?
Required, Alternative or Conditional. I want to put the condition in Keycloak instead of editing the package or code.
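Option 2 in the reply above (a condition in the flow based on a role or attribute) and the question whether "Conditional" can be done in Keycloak itself both come down to a conditional execution. The following is an added example, my own code and not from the video or the keycloak-2fa-sms-authenticator repository, of a custom Keycloak condition that matches when a configurable user attribute has a non-empty value; with the negate option it also matches on absence, which goes slightly beyond the case discussed above so that one SMS sub-flow and one email sub-flow can be driven by the same attribute. It targets Keycloak's Authentication SPI (`ConditionalAuthenticator` and `ConditionalAuthenticatorFactory`); the package name, the provider id `conditional-user-attribute-example`, the config keys `attribute` and `negate` and the default attribute name `mobile_number` are assumptions. The factory class name has to be listed in `META-INF/services/org.keycloak.authentication.AuthenticatorFactory` inside the JAR.

```java
package example.keycloak.conditional; // hypothetical package, not from the repository

import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.authenticators.conditional.ConditionalAuthenticator;
import org.keycloak.authentication.authenticators.conditional.ConditionalAuthenticatorFactory;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

import java.util.List;
import java.util.Map;

/** Condition: true when the authenticating user has a non-empty value for the configured attribute. */
public class UserAttributePresentCondition implements ConditionalAuthenticator {

    static final UserAttributePresentCondition SINGLETON = new UserAttributePresentCondition();

    static final String CONF_ATTRIBUTE = "attribute"; // assumed config key
    static final String CONF_NEGATE = "negate";       // assumed config key

    @Override
    public boolean matchCondition(AuthenticationFlowContext context) {
        UserModel user = context.getUser();
        if (user == null) {
            // No user yet (condition placed before the username form): never match.
            return false;
        }
        AuthenticatorConfigModel configModel = context.getAuthenticatorConfig();
        Map<String, String> config = configModel == null ? Map.of() : configModel.getConfig();
        String attribute = config.getOrDefault(CONF_ATTRIBUTE, "mobile_number");
        boolean negate = Boolean.parseBoolean(config.get(CONF_NEGATE));

        String value = user.getFirstAttribute(attribute);
        boolean present = value != null && !value.isBlank();
        // With negate=true the condition matches when the attribute is absent.
        return present != negate;
    }

    // The flow engine calls matchCondition() for conditional executions; the other
    // Authenticator methods are not used for a condition.
    @Override public void authenticate(AuthenticationFlowContext context) { }
    @Override public void action(AuthenticationFlowContext context) { }
    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }

    /** Factory; its fully qualified name goes into META-INF/services/org.keycloak.authentication.AuthenticatorFactory. */
    public static class Factory implements ConditionalAuthenticatorFactory {
        public static final String PROVIDER_ID = "conditional-user-attribute-example"; // assumed id

        private static final AuthenticationExecutionModel.Requirement[] REQUIREMENT_CHOICES = {
                AuthenticationExecutionModel.Requirement.REQUIRED,
                AuthenticationExecutionModel.Requirement.DISABLED
        };

        @Override public ConditionalAuthenticator getSingleton() { return SINGLETON; }
        @Override public String getId() { return PROVIDER_ID; }
        @Override public String getDisplayType() { return "Condition - user attribute present (example)"; }
        @Override public String getReferenceCategory() { return null; }
        @Override public boolean isConfigurable() { return true; }
        @Override public AuthenticationExecutionModel.Requirement[] getRequirementChoices() { return REQUIREMENT_CHOICES; }
        @Override public boolean isUserSetupAllowed() { return false; }
        @Override public String getHelpText() { return "Matches when the user has a non-empty value for the configured attribute."; }

        @Override
        public List<ProviderConfigProperty> getConfigProperties() {
            return List.of(
                    new ProviderConfigProperty(CONF_ATTRIBUTE, "Attribute name",
                            "User attribute to check", ProviderConfigProperty.STRING_TYPE, "mobile_number"),
                    new ProviderConfigProperty(CONF_NEGATE, "Negate",
                            "Match when the attribute is absent instead", ProviderConfigProperty.BOOLEAN_TYPE, false));
        }

        @Override public void init(Config.Scope config) { }
        @Override public void postInit(KeycloakSessionFactory factory) { }
        @Override public void close() { }
    }
}
```

In the admin console, add a sub-flow with requirement Conditional after the username/password form, put this condition first (Required) and the SMS authenticator after it (Required); a second Conditional sub-flow with `negate` set holds the email authenticator. The condition needs a resolved user, so it only works after the step that identifies the user. A user who can edit their own attributes could switch themselves to the weaker factor, so the attribute used here should be admin-managed (or read-only via the user profile configuration).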
2FA with OTP email. That's a big problem. Help me pls
PLEASE HELP ME SOMEBODY!!! My question: if I would like to use the authenticate method of the SmsAuthenticator class (so I would like to call this method from another class), then how can I get the AuthenticationFlowContext value (as it is the needed parameter of the authenticate method)? I have looked for this info for many, many hours, but I didn't find it. Please somebody save my life, please!!!!! THANK YOU SO MUCH!!!!
Great job mate. It's insightful and runs on my machine.
I'd like to do the same for registration (ask customer for his mobile number and send OTP SMS to confirm the number). I've modified the code for testing to send it to a fixed phone number and changed registration flow to include SMS authenticator. However, for some reason registration flow doesn't show OTP step. Am I missing something? perhaps I need to implement different interface for registration? It would be great if you can provide directions to resolve this.
Thank you.
Registration steps are a bit different to implement (different interface).
Also, the registration "flow" just supports one form by default; some unconventional workarounds (dirty hacks) have to be done to achieve a real flow with various/multiple forms in registration.
@dasniko Aha, I see. I was thinking to use a separate external page in JS for registration and our backend to use the Keycloak REST API to do the registration. My understanding is that this is less secure than Keycloak's own registration page. Is this true? Do you recommend this approach?
It's always less secure if there is another application dealing with the Keycloak Admin API and therefore this app needs some admin credentials, which can be misused, etc... So, I would say it's a tradeoff between various issues.
I, for myself, would not go a detour if there is a direct and secure way to do something, even if it's causing some effort to do this. Security comes with a price. But how expensive is something compared to a data breach? Security must not be a tradeoff.
@dasniko Thanks. I appreciate your time and effort.
@dasniko Please, I will really appreciate it if you can do this 2FA for me. Kindly get back so we can discuss, please
Hi @dasniko , your videos are really good.
I have a question that maybe you can solve, in the flow that I am implementing I want to send the SMS only once, that is, the first time I log in. At this moment I need to fill out the form with my username and password, I send the SMS to the user and they finish the flow. But the next time I want to log in I don't want to have to receive the SMS, because the first time I logged in I already verified that the phone number is from who I expected, is it possible?
I am getting this error on keycloak "Could not find configuration for Required Action mobile-number-ra, did you forget to register it?", what did I missed?
As my examples are EXAMPLES, you'd better have a look into the source code instead of blindly fetching something and throwing it into a server...
See github.com/dasniko/keycloak-2fa-sms-authenticator/blob/4205a6c2bb1bb687df966d2906c3d3bdf3a05df2/src/main/java/dasniko/keycloak/authenticator/SmsAuthenticator.java#L108
I really appreciate you for such a great tutorial.
Does it work in cluster mode or should I use shared memory to save the OTP value?
I think with AuthenticationSessionModel I don't need to use shared memory, and if I run Keycloak in cluster mode each node has access to the OTP value. Am I right?
If your cluster is set up properly, this will work.
Additionally, sticky sessions on the load-balancer are recommended for Keycloak, so cluster communication overhead will be reduced.
@dasniko Thank you for your attention.
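The exchange above is the reason the code should live in the authentication session and nowhere else: auth notes on `AuthenticationSessionModel` are kept in Keycloak's distributed authentication-session cache, so the node that receives the form POST sees the value the other node stored, while a static map or a field on the authenticator would be node-local (and the authenticator instance is not even guaranteed to be the same object). The following is an added example, my own code and not the repository's `SmsAuthenticator`, of the store-and-verify half of such an authenticator: a fresh numeric code per challenge, a TTL, single use, and a constant-time comparison. The package name, the note names, the form name `login-sms.ftl`, the form field `code` and the error message keys are assumptions; delivering the message is left as a hook; the factory is omitted; the `jakarta.ws.rs` import matches Keycloak 22 and later, older releases use `javax.ws.rs` for the same types. `org.keycloak.common.util.SecretGenerator` ships with current Keycloak releases, and the `NoClassDefFoundError` reported further up in this thread is what you get when the extension references it on a server whose Keycloak version does not carry that class.

```java
package example.keycloak.otp; // hypothetical package, not from the repository

import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Response;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.common.util.SecretGenerator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.sessions.AuthenticationSessionModel;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/** One-time code bound to the authentication session, so it works on any node of a cluster. */
public class SessionBoundOtpAuthenticator implements Authenticator {

    static final String NOTE_CODE = "example-otp-code";       // assumed note names
    static final String NOTE_EXPIRES = "example-otp-expires";
    static final String FORM_FIELD = "code";                  // assumed input name in login-sms.ftl
    static final String FORM_TEMPLATE = "login-sms.ftl";      // assumed template name
    static final int CODE_LENGTH = 6;
    static final long TTL_MILLIS = 5 * 60 * 1000L;

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // SecretGenerator is Keycloak's CSPRNG-backed helper; a new code for every challenge.
        String code = SecretGenerator.getInstance().randomString(CODE_LENGTH, SecretGenerator.DIGITS);
        AuthenticationSessionModel authSession = context.getAuthenticationSession();
        authSession.setAuthNote(NOTE_CODE, code);
        authSession.setAuthNote(NOTE_EXPIRES, Long.toString(System.currentTimeMillis() + TTL_MILLIS));

        deliver(context.getUser(), code); // hypothetical hook: SMS, email, ...
        context.challenge(context.form().createForm(FORM_TEMPLATE));
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String entered = form.getFirst(FORM_FIELD);
        AuthenticationSessionModel authSession = context.getAuthenticationSession();
        String expected = authSession.getAuthNote(NOTE_CODE);
        String expires = authSession.getAuthNote(NOTE_EXPIRES);

        if (expected == null || expires == null) {
            // No challenge was issued in this authentication session: treat as a broken flow, not a retry.
            context.failureChallenge(AuthenticationFlowError.INTERNAL_ERROR,
                    context.form().setError("otpCodeMissing").createErrorPage(Response.Status.INTERNAL_SERVER_ERROR));
            return;
        }
        if (System.currentTimeMillis() > Long.parseLong(expires)) {
            clear(authSession);
            context.failureChallenge(AuthenticationFlowError.EXPIRED_CODE,
                    context.form().setError("otpCodeExpired").createErrorPage(Response.Status.BAD_REQUEST));
            return;
        }
        if (entered == null || !constantTimeEquals(expected, entered)) {
            // Keep the note so the user can retry until the TTL runs out; add an attempt counter
            // (another auth note) if you need a lockout before that.
            context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS,
                    context.form().setError("otpCodeInvalid").createForm(FORM_TEMPLATE));
            return;
        }
        clear(authSession); // single use: a replayed POST with the same code fails
        context.success();
    }

    /** Codes have a fixed length, so MessageDigest.isEqual compares them in constant time. */
    private static boolean constantTimeEquals(String expected, String entered) {
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                entered.getBytes(StandardCharsets.UTF_8));
    }

    private static void clear(AuthenticationSessionModel authSession) {
        authSession.removeAuthNote(NOTE_CODE);
        authSession.removeAuthNote(NOTE_EXPIRES);
    }

    private void deliver(UserModel user, String code) {
        // Hypothetical: read user.getFirstAttribute("mobile_number") and hand the code to the SMS gateway.
    }

    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
        return user.getFirstAttribute("mobile_number") != null;
    }
    @Override public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) { }
    @Override public void close() { }
}
```

Sticky sessions are still worth having: Keycloak pins the browser to the node that created the authentication session via its auth-session cookie, so with stickiness the POST normally lands on the node that already owns the entry, and the cache only has to do work when that node is gone.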
Good insights!
I am using a newer version of keycloak 20.0.0 and I am facing issues when deploying my provider in opt/keycloak/providers
Can you please tell me if there is anything to change while deploying to the newer version?
You need to set the user to keycloak for the keycloak folder and chmod
Hello Niko. I have created a custom authenticator in Java and compiled it into a JAR file. Now where do I need to place that in the Keycloak directory so I can see it in the Keycloak UI console?
www.keycloak.org/docs/latest/server_development/index.html
Hello. Is it possible in the Account Management console to have a list of client applications and have a button for each one in the list to send user's credentials to that client?
This would be highly insecure. Additionally, Keycloak does not know the users' credentials in cleartext, so it can't send them to someone else. Doing something like that would be more than stupid!
@dasniko All I wanted to do is be redirected to client applications from the Account Console))) It turned out easy-peasy.
@dasniko Can you give me some counsel on how to hide some client apps from the Account Console? I mean only showing clients that correspond to the user's role(s)...
I had implemented a custom SMS OTP (2FA) authentication flow and it's working great as required.
Now I have to expose my custom SMS OTP authentication flow via a REST API to allow the user to log in. How can I do this? Pls suggest.
Not at all. When using OIDC, users are ALWAYS required to authenticate at the IdP, not via an API. That's highly insecure, considered harmful, is a man-in-the-middle scenario and stupid.
Thank you so much. Would you tell me how to create new env variables and get them in my custom authenticator provider from Docker??? My SMS provider needs some variables like secretKey and ID, and I want to get them from env variables... how can I do it??? Thanks in advance
That's not related in any way to Keycloak.
Just set env vars in Docker like every other env var and access it from Java with System.envvar(...)
Where's the problem?
that's really easy, I totally forgot it. Thanks
Comment for YT algorithm. Thanks
An excellent instruction that I could easily apply to my Keycloak server embedded in a Spring Boot application!
But how does the user data get into Keycloak other than being entered by the administrator? If my application is responsible for registering users, can I simultaneously pass the user data Keycloak needs while registering the user in my application?
If your users "register" in another app, you can use the admin REST API to create the user in Keycloak. The admin REST API is exactly the same thing the admin UI uses under the hood.
@dasniko I found this feature in the documentation, thank you, appreciate it.
Keycloak is embedded in the application that is responsible for registration. I think they can be considered separate.
Did I understand correctly that before authorizing a user using OTP (my flow consists only of it, not 2FA) I should register him in Keycloak via the REST API and only then authorize him, trying to get a token?
If a user is not available (registered) in Keycloak, Keycloak can't authenticate the user. 😉
Another option may be to implement a User Storage SPI to use the user data from your application. This way you don't have to register the user separately, as it is just available due to the SPI. Look for this in the "Server developer docs" of Keycloak.
Side note: I don't have experience with Keycloak running embedded in another application environment, as this is not officially supported. But I would also assume that despite it being embedded, it's a separate app.
@dasniko Thanks for the answer! It helped me a lot, but there were also new questions. I feel awkward, because this platform is not intended for detailed questions, but I'm not sure if I can get an answer on other sites. I would be glad if you could answer my questions. Also, if it is more convenient, then I am ready to post the questions somewhere else in accordance with all the rules.
Since my last post, I've got a little better understanding of how the SPI Authenticator works and if I understood correctly, it is good practice to run all the authorization logic in Keycloak. In your example, Keycloak sends SMS and validates the code entered by the user through adapter classes for a specific SMS operator. After that, the user is considered authorized and an access token is returned to him. But in my application, entering the code is either authorization or the first stage of registering a new user if the user has not yet been registered in our application. Accordingly, at this stage it may not be necessary to obtain an authorization token. At the same time, Keycloak is responsible for working with OTP. Can keycloak handle such cases? Can I issue or not issue a token depending on the situation? Can a token be issued to a user "delayed" only after the registration procedure is completed?
Moving on to the issue of registering Keycloak users, I suspected that Keycloak provides the necessary interfaces for the implementation of user providers, but then I could not find it. Thank you for pointing the right way.
And from the moment I received your answer, I started to implement User Storage SPI little by little, but I ran into a problem that I need to implement the isValid method from CredentialInputValidator. With the password, everything is quite clear, we compare two passwords (or two hashes, which is more likely in a real application) and return the result. But what should we do in the case of OTP and is it generally necessary to implement this interface if we do not store information about passwords?
After turning off simulation mode, I'm getting an internal server error after entering login and password. This means it's not connecting to AWS SNS. How do I add AWS SNS credentials, and where do I add them? Kindly please comment regarding this. Please, it's my sincere request, don't ignore my request.
just google "AWS credentials java"
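The three places in this thread where the AWS credentials come up get the same answer: env vars or system properties picked up by the SDK's default provider chain, or extend the provider config form yourself. Here is an added example of a small SNS sender that does both; it is my code, not the repository's, and it assumes the AWS SDK for Java v2 (`software.amazon.awssdk:sns`) and a config map as returned by the authenticator's `AuthenticatorConfigModel.getConfig()`. The package name and the config keys `awsAccessKeyId`, `awsSecretAccessKey` and `awsRegion` are made up for the example.

```java
package example.keycloak.sms; // hypothetical package, not from the repository

import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sns.SnsClient;
import software.amazon.awssdk.services.sns.SnsClientBuilder;
import software.amazon.awssdk.services.sns.model.MessageAttributeValue;
import software.amazon.awssdk.services.sns.model.PublishRequest;
import software.amazon.awssdk.services.sns.model.PublishResponse;

import java.util.Map;

/** Sends one SMS via Amazon SNS. Credentials: explicit config keys if set, otherwise the default chain. */
public final class AwsSnsSmsSender implements AutoCloseable {

    // Assumed keys in the authenticator's config map (they would be ProviderConfigProperty names).
    static final String CONF_ACCESS_KEY = "awsAccessKeyId";
    static final String CONF_SECRET_KEY = "awsSecretAccessKey";
    static final String CONF_REGION = "awsRegion";

    private final SnsClient sns;

    public AwsSnsSmsSender(Map<String, String> config) {
        SnsClientBuilder builder = SnsClient.builder().credentialsProvider(credentialsFrom(config));
        String region = nonBlank(config.get(CONF_REGION));
        if (region != null) {
            builder.region(Region.of(region));
        }
        // Without an explicit region the SDK resolves it itself: AWS_REGION env var,
        // aws.region system property, ~/.aws/config, or instance/container metadata.
        this.sns = builder.build();
    }

    /**
     * Static credentials from the flow config win. Otherwise DefaultCredentialsProvider walks the
     * AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY (and AWS_SESSION_TOKEN) env vars, the
     * aws.accessKeyId / aws.secretAccessKey system properties, ~/.aws/credentials, and finally the
     * IAM role of the EC2 instance, ECS task or EKS service account the Keycloak process runs as.
     */
    static AwsCredentialsProvider credentialsFrom(Map<String, String> config) {
        String key = nonBlank(config.get(CONF_ACCESS_KEY));
        String secret = nonBlank(config.get(CONF_SECRET_KEY));
        if (key != null && secret != null) {
            return StaticCredentialsProvider.create(AwsBasicCredentials.create(key, secret));
        }
        return DefaultCredentialsProvider.create();
    }

    /** Publishes a transactional SMS to an E.164 number and returns the SNS message id. */
    public String send(String e164PhoneNumber, String text) {
        PublishRequest request = PublishRequest.builder()
                .phoneNumber(e164PhoneNumber)
                .message(text)
                .messageAttributes(Map.of("AWS.SNS.SMS.SMSType", MessageAttributeValue.builder()
                        .dataType("String").stringValue("Transactional").build()))
                .build();
        PublishResponse response = sns.publish(request);
        return response.messageId();
    }

    @Override
    public void close() {
        sns.close();
    }

    private static String nonBlank(String s) {
        return (s == null || s.isBlank()) ? null : s;
    }
}
```

From the authenticator this is `new AwsSnsSmsSender(context.getAuthenticatorConfig().getConfig())`; for a local run without Docker, exporting `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_REGION` before starting Keycloak is all the default chain needs, and the SDK reads them itself. Prefer that chain, ideally with an IAM role instead of a long-lived key, over the config-form path: authenticator config is persisted in the realm database and is readable through the admin console and Admin REST API by anyone who may manage the flow. Whatever identity is used should be limited to `sns:Publish`.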
👏 Is this available as an extension to Keycloak?
There are reasons that it's not available as a ready built extension.
Hi, I would like to know how I could add the module to Keycloak
Please consult the official documentation: www.keycloak.org/docs/latest/server_development/index.html#registering-provider-implementations
This is great content. Thank you so much!! I have a question: is it possible to take control of the first form (username and password)? I would like to compare these credentials on my own (credentials not being stored in Keycloak in any way, not before or after doing this comparison) and return ok or not to this form validation as a result of my own validation. Thanks in advance.
Can't we do it from the UI only instead of from code?
Would I've done a video, if?
@dasniko Thank you for the response. Yeah, I am trying this conditional OTP one but unable to fulfil the task, as I am getting execution=CONFIGURETOTP in the URL. I got stuck; do I need to add anything third party? The main thing is I need OTP or some kind of MFA for guest users, as for IdP OTP will be there.
Hi @Niko Köbler,
Can we do a similar kind of thing with the direct grant flow?
Technically, nearly everything is possible. But IMHO it doesn't make sense to use something like 2FA with the direct grant flow, which additionally is also one of the most insecure auth flows of all available.
@dasniko We have the requirement to implement this with the direct grant flow only. Can you suggest the most efficient way to do it?
@sagarpoudel139 Hey, did you find it out?
@sagarpoudel139 Direct grant is only for test/learning. Use the client credentials flow.
Great content and tutorial. Thank you for sharing it !
I have a question for you: how can I manage the case of resending the SMS?
You have to implement it on your own, depending on your desired behavior. There's nothing OOTB!
Great! Is it possible to do the same for email?
yes
Does it work with Keycloak 22? I was able to compile it, add it to Keycloak and add SMS to the browser flow, but later I can't access the login form any more.
It works pretty well, yes!
I tried but it's an error. The response error was "Cannot login, credential setup required.". I use Keycloak 13.0.1
Then your user doesn't have the attribute "mobile_number" set. github.com/dasniko/keycloak-2fa-sms-authenticator/blob/251d8c9ed04befa25d659603bbc7f548ba979dc0/src/main/java/dasniko/keycloak/authenticator/SmsAuthenticator.java#L103
I fixed it and it worked. Thank you very much!
I want to do this for password update
well, then just do it!
@dasniko Means can we do this for password update? Will the Account console allow OTP in password update?
Thank you. Some criticism: your face sometimes hides an important part of the monitor
Thank you for your tutorial, but something that is really annoying is that a great part of the video consists of just your face; even after minimizing it to the corner of the video I can't view much of what you are doing, just because of the big face appearing in the screen corner.
Well, in that case my videos are just not for you. 🤷♂️
It's my style and everything important is visible or in the description linked. Also, hopefully people are not just copy&pasting things they see, but will also think about it and make own assumptions and tests.
Hi sir, I am getting an error like no such method jakarta.ws.rs.core.Response createForm(String form) while creating the login OTP form. Please guide me to resolve this issue