Test realm with OTP credential

Hello guys!

  • I'm using a test Keycloak instance in my project tests.
  • For creating the test realm on startup I have a realm.json.
  • In my realm.json I have users with credentials. Example:
    {
      "id": "09960311-3699-4d79-8d2d-2ab3abee1d17",
      "username": "otp-user",
      "enabled": true,
      "emailVerified": true,
      "totp": true,
      "firstName": "otp-user-first-name",
      "lastName": "otp-user-last-name",
      "email": "test-email",
      "attributes": {
        "tenantId": [
          "1"
        ]
      },
      "credentials": [
        {
          "type": "password",
          "value": "admin-user"
        },
        {
          "type": "otp",
          "value": "admin-user"
        }
      ],
      "realmRoles": [
        "test-role"
      ]
    }
  • With this user I'm trying to add a "type": "otp" credential, but it is not created with the test realm.

Does anyone know (or have an example of) what format the OTP credential should have in realm.json to be created by the import process? Is it even possible?

I was able to create an OTP credential via the Admin REST API using a JSON file with a credentials element containing the following:

"credentials": [{"type": "password", "value": "[PASSWORD]", "temporary": "false"},{"type": "totp", "secretData": "[SECRET DATA]", "userLabel": "api created", "digits": "6", "period": "30", "algorithm": "HmacSHA1", "counter": "0"}]

This isn't perfect, as we have been unable to successfully authenticate using OTP with a Python OTP library, but it suited our needs: we were able to create bulk accounts for load testing in realms that use username and password authentication, require OTP to be configured, and force OTP setup after a username and password authentication. It may be possible to create a functional OTP credential by finding what else I am missing or doing wrong with the attributes and values I provided, but this will at least provide a starting point on what worked for me.

This is on Keycloak 15.0.8.


This worked! Thank you!
You saved me a day of looking into the sources for the import function.

P.S. Here is a quoted result for those who don't want to replace bracers:

    "credentials": [
      {
        "type": "password",
        "value": "admin-user"
      },
      {
        "type": "totp",
        "secretData": "admin-user",
        "userLabel": "api created",
        "digits": "6",
        "period": "30",
        "algorithm": "HmacSHA1",
        "counter": "0"
      }
    ]
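As an added illustration of what the totp credential fields above mean (this is example code written for this thread, not Keycloak's own code or part of either reply), the block below implements RFC 6238 TOTP with the same parameters the credential carries: secretData, digits, period and algorithm. It assumes that the raw UTF-8 bytes of secretData are the HMAC key; that is how Keycloak's own TOTP implementation treats the stored secret, and it is the likely reason a Python OTP library fed the same string did not line up, since such libraries usually expect a base32-encoded secret. The credential values are the test data from the reply above, and the verification function accepts a one-step clock skew in either direction, which is the kind of window an OTP verifier typically allows.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample credential in the shape posted in this thread (test data only).
OTP_CREDENTIAL = {
    "type": "totp",
    "secretData": "admin-user",
    "userLabel": "api created",
    "digits": "6",
    "period": "30",
    "algorithm": "HmacSHA1",
    "counter": "0",
}

# Map the Keycloak-style algorithm name to a hashlib constructor.
_ALGORITHMS = {
    "HmacSHA1": hashlib.sha1,
    "HmacSHA256": hashlib.sha256,
    "HmacSHA512": hashlib.sha512,
}


def totp_code(secret_bytes, unix_time, digits=6, period=30, algorithm="HmacSHA1"):
    """RFC 6238 TOTP: HOTP over the time-step counter, then dynamic truncation."""
    counter = int(unix_time) // period
    msg = struct.pack(">Q", counter)  # 8-byte big-endian counter per RFC 4226
    digest = hmac.new(secret_bytes, msg, _ALGORITHMS[algorithm]).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def code_for_credential(cred, unix_time):
    """Compute the code a credential like the one above would accept at unix_time.

    Assumption (stated in the lead-in): the HMAC key is the raw UTF-8 bytes of
    secretData, not a base32 decoding of it.
    """
    return totp_code(
        cred["secretData"].encode("utf-8"),
        unix_time,
        digits=int(cred.get("digits", 6)),
        period=int(cred.get("period", 30)),
        algorithm=cred.get("algorithm", "HmacSHA1"),
    )


def authenticator_secret(cred):
    """The base32 form of the same key, which is what an authenticator app expects."""
    return base64.b32encode(cred["secretData"].encode("utf-8")).decode("ascii")


def verify_code(cred, submitted, unix_time, look_around=1):
    """Constant-time comparison against the current step and look_around steps either side."""
    period = int(cred.get("period", 30))
    for step in range(-look_around, look_around + 1):
        expected = code_for_credential(cred, unix_time + step * period)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", code_for_credential(OTP_CREDENTIAL, now))
    print("authenticator-app secret:", authenticator_secret(OTP_CREDENTIAL))
    print("verifies:", verify_code(OTP_CREDENTIAL, code_for_credential(OTP_CREDENTIAL, now), now))
```

The RFC 6238 test vectors (ASCII secret "12345678901234567890", HmacSHA1) can be used to check the arithmetic: at T=59 the 8-digit code is 94287082, so the 6-digit code is 287082. If an authenticator app is to be enrolled against such an imported secret, the value it needs is the base32 string returned by authenticator_secret, not secretData itself.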