I have already implemented the User Storage SPI to authenticate the users present in my external DB. Now, I want to use TOTP authentication for the same users. I tried to set up 2FA using the QR code provided in Keycloak's Authenticator tab and I can see the record in the fed_user_credential table as well, but that record does not appear in the Authenticator tab and the whole behaviour is very strange.
Below is the code of the supportsCredentialType method present in the UserStorageProvider SPI.
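The poster's snippet is not reproduced in this thread. As an added illustration (not the poster's code, and not the JDBC SPI project mentioned later in the thread), here is the shape of the credential-validation part of a User Storage provider for the situation described above: the external DB holds only the password, while the OTP secret that Keycloak writes into fed_user_credential when the user scans the QR code stays under Keycloak's own control. The class name, the `app_user` table with PBKDF2 columns, and the `DataSource` constructor argument are assumptions; the code also assumes a Keycloak release that has `UserModel.credentialManager()` (Keycloak 20 and later; older releases used `session.userCredentialManager()` with realm and user arguments). The user-lookup methods a real provider also needs are omitted.

```java
// Added example, not the poster's snippet. Assumed: Keycloak 20+ API, an external table
// app_user(email, pbkdf2_salt BLOB, pbkdf2_iterations INT, pbkdf2_hash BLOB).
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Locale;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.sql.DataSource;
import org.keycloak.component.ComponentModel;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.credential.PasswordCredentialModel;
import org.keycloak.storage.UserStorageProvider;

// Hypothetical provider; a complete one would also implement UserLookupProvider.
public class ExampleJdbcStorageProvider implements UserStorageProvider, CredentialInputValidator {

    private final KeycloakSession session;
    private final ComponentModel model;
    private final DataSource dataSource; // assumed to be wired by the provider factory

    public ExampleJdbcStorageProvider(KeycloakSession session, ComponentModel model, DataSource dataSource) {
        this.session = session;
        this.model = model;
        this.dataSource = dataSource;
    }

    // Claim only the credential type the external store actually holds. "otp" is not
    // claimed: for a federated user Keycloak keeps the OTP secret in fed_user_credential
    // and validates it with its own OTP credential provider.
    @Override
    public boolean supportsCredentialType(String credentialType) {
        return PasswordCredentialModel.TYPE.equals(credentialType);
    }

    @Override
    public boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType) {
        // Every user coming from the external DB has a password there; anything else is
        // answered by Keycloak from what it stored for this user itself.
        return supportsCredentialType(credentialType)
                || user.credentialManager().isConfiguredLocally(credentialType);
    }

    @Override
    public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
        if (!supportsCredentialType(input.getType())) {
            return false; // not ours to validate (e.g. "otp")
        }
        return verifyPasswordAgainstExternalDb(user.getUsername(), input.getChallengeResponse());
    }

    // Looks up the PBKDF2 parameters for the user and compares the derived hash in constant
    // time. Both sides of the comparison are lower-cased so that the case of the stored
    // e-mail never decides whether the row is found.
    private boolean verifyPasswordAgainstExternalDb(String username, String password) {
        String sql = "SELECT pbkdf2_salt, pbkdf2_iterations, pbkdf2_hash FROM app_user WHERE LOWER(email) = ?";
        try (Connection c = dataSource.getConnection(); PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, username.toLowerCase(Locale.ROOT));
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return false; // unknown user
                }
                byte[] salt = rs.getBytes(1);
                int iterations = rs.getInt(2);
                byte[] expected = rs.getBytes(3);
                byte[] actual = pbkdf2(password, salt, iterations, expected.length * 8);
                return MessageDigest.isEqual(expected, actual);
            }
        } catch (SQLException | GeneralSecurityException e) {
            return false; // a lookup or derivation failure is never treated as a valid login
        }
    }

    private static byte[] pbkdf2(String password, byte[] salt, int iterations, int keyLengthBits)
            throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterations, keyLengthBits);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // drop the plaintext from the spec as soon as it is no longer needed
        }
    }

    @Override
    public void close() {
        // nothing to release; the DataSource is owned by the factory
    }
}
```

The design point is the split of responsibilities: the provider answers for the password it can actually verify against the external DB, and for every other credential type it reports whatever Keycloak has stored for the federated user rather than claiming a type it neither stores nor validates.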
I’ve been using 2FA with custom SPIs for a while now. Username case can be an issue with the Keycloak functions. I haven’t noticed a problem joining with 2FA but did run into problems with separate Identity Providers and a SPI with upper-case usernames. To fix this, I converted the external store to lower case or wrote special SQL that applies case changing functions.
Can you get OTP to work if you create a regular Keycloak user? This is a user not involving the SPI.
Hi Carl, it all works fine for the newly created users, where KC stores the details in the user_entity table and the OTP information goes into the credential table. Also, I use the email as the username and I can confirm that it is in lower case.
When you say you are using it with a custom SPI, which SPI have you developed?
It's this project here, which I'm putting out on GitHub for general use. It's a Keycloak JDBC SPI based on the JDBC realms I used in WildFly, where you use SQL to expose user data structures.