Reset credentials (password + OTP) stuck in a loop

Asking as I couldn’t find a proper answer in existing threads.

I am running a clean Keycloak v.26.2.5 server.

I haven’t touched existing authentication flows, especially the reset credentials flow - it’s vanilla, i.e. in its original state.

I’ve enabled OTP credentials for login.

I configured email client and tested it works.

Flow:

  • user logs in via email/password

  • user sets up their OTP credentials

  • user decides to log out and reset their password

  • user gets reset password email

  • clicking on the link in the email, the user gets redirected to the browser where the first screen they see is the configure OTP screen - strange, since reset password should be a priority, at least it is looking at the authentication flow

  • user tries to setup a new OTP but gets stuck in a loop - new configure OTP page is rendered each time they try to submit

Any ideas why this loop might be happening? Is it a known bug? I’ve seen posts where people recommend disabling “Reset - Conditional OTP” in the “reset credentials” auth flow, but that presents a serious security risk as users would be able to login to our platform without actually using OTP.

If I didn’t provide enough info please let me know and I’ll add more. Thanks in advance!

I fixed it!

Devil was in the details.

For the record, I find this UI quite unintuitive to work with, and it has caused me quite a lot of headaches and more hours debugging than I’m willing to admit.

How to fix the loop bug?

Make sure to click on settings of the execution named “Reset OTP” → “Action on OTP reset.” and then change the default behavior, which does nothing. I changed mine to “Remove all”.

Now, on every password reset, Keycloak will reset all OTP credentials set by the user and proceed with a fresh OTP setup as well as a new password setup.

Potential improvements

  1. Change the default behavior of “Action on OTP reset.” to anything other than remove none, as it’s counterintuitive. I would change it to “remove one”, even though I’m not sure what that does in case there is more than one OTP set, which one will it remove?
  2. If anything, make it visible in the UI that the default action of Reset OTP is effectively disabled. I mocked up a little solution that would save a lot of headaches 🙂

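To check the same setting without clicking through the admin console, here is an added example (not code from the post or from Keycloak) that reads a realm’s reset credentials flow through the Admin REST API and reports whether the “Reset OTP” execution has a config attached or is running with its default action. The providerId `reset-otp` and the config key name `actionOnOTPReset` used in the constructed sample are assumptions to verify against your own server.

```python
import json
import urllib.parse
import urllib.request

RESET_OTP_PROVIDER = "reset-otp"  # assumed providerId of the "Reset OTP" execution

def find_reset_otp(executions):
    """Return the execution whose providerId is 'reset-otp', or None if the flow lacks it."""
    return next((e for e in executions if e.get("providerId") == RESET_OTP_PROVIDER), None)

def audit_reset_otp(executions, configs):
    """Classify the Reset OTP execution of a flow.
    executions: list from GET .../authentication/flows/{alias}/executions
    configs: dict config-id -> body of GET .../authentication/config/{id}
    Returns (status, detail): 'missing', 'disabled', 'unconfigured' (no config attached,
    so the authenticator's default action applies) or ('configured', <config dict>)."""
    ex = find_reset_otp(executions)
    if ex is None:
        return "missing", "flow has no reset-otp execution"
    if ex.get("requirement") == "DISABLED":
        return "disabled", "Reset OTP is disabled: a password reset leaves OTP untouched"
    cfg_id = ex.get("authenticationConfig")
    if not cfg_id:
        return "unconfigured", "Reset OTP has no config attached; default action in effect"
    return "configured", configs.get(cfg_id, {}).get("config", {})

def fetch_flow_state(base_url, realm, token, flow_alias="reset credentials"):
    """Pull the flow's executions and their configs over the Admin REST API (bearer token)."""
    def get(path):
        req = urllib.request.Request(f"{base_url}/admin/realms/{realm}{path}",
                                     headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    executions = get(f"/authentication/flows/{urllib.parse.quote(flow_alias)}/executions")
    config_ids = {e.get("authenticationConfig") for e in executions} - {None}
    return executions, {cid: get(f"/authentication/config/{cid}") for cid in config_ids}

# Constructed sample standing in for the two API responses (config key name is assumed).
SAMPLE_EXECUTIONS = [
    {"providerId": "reset-password", "requirement": "REQUIRED"},
    {"providerId": "reset-otp", "requirement": "REQUIRED", "authenticationConfig": "cfg-1"},
]
SAMPLE_CONFIGS = {"cfg-1": {"alias": "reset-otp-remove-all",
                            "config": {"actionOnOTPReset": "Remove all"}}}

if __name__ == "__main__":
    print(audit_reset_otp(SAMPLE_EXECUTIONS, SAMPLE_CONFIGS))
```

Run `fetch_flow_state()` with an admin token to feed real data into `audit_reset_otp()`; an `unconfigured` result is the state the post describes, where a password reset leaves existing OTP credentials in place.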