Details

    • Sprint:
      Keycloak Sprint 35
    • Steps to Reproduce:

      My setup is

      • One user on the master realm
      • They have 2 factor authentication set up
      • I can log in to the Keycloak admin console via a browser successfully by providing the one-time access code provided by either Google Authenticator or FreeOTP

      Here is my test script

      #!/bin/bash

      # Placeholder values; replace with the real instance URL and credentials
      KEYCLOAK_URI=https://my.keycloak.instance
      KEYCLOAK_USER=myUsername
      KEYCLOAK_PWD=myPassword
      TOTP=oneTimeCodeFromFreeOTP

      # Direct access grant (grant_type=password) with the one-time code sent as "totp"
      curl -i \
      -d "client_id=admin-cli" \
      -d "username=$KEYCLOAK_USER" \
      -d "password=$KEYCLOAK_PWD" \
      -d "grant_type=password" \
      -d "totp=$TOTP" \
      "$KEYCLOAK_URI/auth/realms/master/protocol/openid-connect/token"
      

      So the above works for an instance of Keycloak v6 with an identical user setup but doesn't with v8.

      If I remove 2 factor auth from this user account and try the above script with the totp parameter removed, it gives me the access token as expected.

    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      In Keycloak v6 I was able to obtain an access_token by providing totp in the request to the /auth/realms/master/protocol/openid-connect/token endpoint.

      In Keycloak v8 the same request is failing:

      {"error":"invalid_grant","error_description":"Invalid user credentials"}
      

      Has the way we do this changed in v8? If so, I couldn't find it in the documentation.

      If not then I think this might be a bug.

              People

              • Assignee:
                mabartos Martin Bartos
                Reporter:
                jonhaynes Jon Haynes
              • Votes:
                0
                Watchers:
                2

                Dates

                • Created:
                  Updated:
                  Resolved:
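
When triaging an invalid_grant like the one in this report, it helps to first rule out a stale or clock-skewed one-time code on the client side. The following is an added example, not part of the original report or of Keycloak's code: it computes RFC 6238 codes for the current and adjacent time steps and builds the same form body as the curl call. The function names are hypothetical, the secret is the RFC test secret, and HMAC-SHA1 with 6 digits and a 30-second step is assumed as the realm's OTP policy.

```python
import base64, hashlib, hmac, json, struct, time
from urllib.parse import urlencode

# Constructed sample: base32 of the RFC 4226/6238 test secret "12345678901234567890"
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1 (assumed OTP policy: SHA1, 6 digits, 30 s)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226, section 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros

def codes_around(secret_b32, at=None, window=1, step=30):
    """Codes for the previous, current and next time steps, to spot clock skew."""
    now = time.time() if at is None else at
    return [totp(secret_b32, now + i * step, step) for i in range(-window, window + 1)]

def token_request_body(username, password, otp):
    """URL-encoded form body with the same fields as the curl call in the report."""
    return urlencode({"client_id": "admin-cli", "username": username,
                      "password": password, "grant_type": "password", "totp": otp})

def is_credential_rejection(response_text):
    """True when the token endpoint answered with error=invalid_grant."""
    try:
        body = json.loads(response_text)
    except ValueError:
        return False
    return isinstance(body, dict) and body.get("error") == "invalid_grant"

if __name__ == "__main__":
    # Compare these against what the authenticator app shows for the same secret.
    print("codes (prev, now, next):", codes_around(SAMPLE_SECRET))
    print(token_request_body("myUsername", "myPassword", totp(SAMPLE_SECRET)))
```

If the app's code matches the middle value and the server still returns invalid_grant, the rejection is not caused by the code or the client clock.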