mayope / keycloakmigration

Manage your Keycloak configuration with code.
https://mayope.net
MIT License

Support Two-Factor Authentication for Keycloak API #26

Closed ulrikeschaefer3105 closed 3 years ago

ulrikeschaefer3105 commented 3 years ago

We want to use the keycloakMigrationTask but need an additional parameter to get a valid token, because our Keycloak has two-factor authentication configured.

Here is a working example of getting a token with two-factor authentication via curl.

The parameter should be named totp and needs to be passed down from the Gradle task to the KeycloakLoginClient. https://github.com/klg71/keycloakmigration/blob/51ad4daa64bbee29861b68b8b34792af46331e79/keycloakapi/src/main/kotlin/de/klg71/keycloakmigration/keycloakapi/KeycloakLoginClient.kt#L18

stacktrace:

    Instance creation error : could not create instance for [type:Single,primary_type:'de.klg71.keycloakmigration.keycloakapi.KeycloakClient']: feign.FeignException: status 401 reading KeycloakLoginClient#login(String,String,String,String,String)
    feign.FeignException.errorStatus(FeignException.java:78)
    feign.codec.ErrorDecoder$Default.decode(ErrorDecoder.java:93)
    feign.SynchronousMethodHandler.executeAndDecode(SynchronousMethodHandler.java:149)
    feign.SynchronousMethodHandler.invoke(SynchronousMethodHandler.java:78)
    feign.ReflectiveFeign$FeignInvocationHandler.invoke(ReflectiveFeign.java:103)
    com.sun.proxy.$Proxy57.login(Unknown Source)
    de.klg71.keycloakmigration.keycloakapi.TokenHolder.<init>(TokenHolder.kt:19)
    de.klg71.keycloakmigration.keycloakapi.KeycloakClientInitKt.initKeycloakClient(KeycloakClientInit.kt:23)
    de.klg71.keycloakmigration.keycloakapi.KeycloakClientInitKt.initKeycloakClient$default(KeycloakClientInit.kt:21)

klg71 commented 3 years ago

Hey :) Thanks for opening this issue. I wonder if it is enough to add a totp parameter or if we need a method to somehow provide it to the task. I can imagine that it isn't possible to provide an automated deployment or Jenkins task with this token.

ulrikeschaefer3105 commented 3 years ago

I think we need a method to pass it from migration task to KeycloakClient.

Maybe we can obtain an OTP in an automated deployment; the token is only valid for 30 seconds, but that's not important now.

klg71 commented 3 years ago

Released with version 0.2.17, @ulrikeschaefer3105 could you please verify that this works for you?

ulrikeschaefer3105 commented 3 years ago

Works like a charm, thank you!
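
For the automated-deployment question raised in the thread, an added example (not part of the original issue and not keycloakmigration's code) that derives the 30-second code from a provisioned seed and builds the token request body with the `totp` field. It assumes an RFC 6238 policy of HMAC-SHA1 with 6 digits, the standard password-grant field names and the `admin-cli` client; the function names and the sample seed are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import urlencode

STEP = 30  # seconds a code stays valid, as noted in the thread

# Constructed sample seed: the RFC 6238 test key, Base32-encoded. Not a real secret.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, at=None, digits=6):
    """RFC 6238 code for the 30-second window containing `at` (default: now)."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # authenticator seeds often lack padding
    counter = int(time.time() if at is None else at) // STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def seconds_left(at=None):
    """Seconds until the current code rolls over; wait if this is too small."""
    return STEP - int(time.time() if at is None else at) % STEP


def token_form(username, password, secret_b32, client_id="admin-cli", at=None):
    """Form body for a password-grant token request carrying the `totp` field."""
    return urlencode({
        "grant_type": "password",
        "client_id": client_id,  # assumption: Keycloak's default admin CLI client
        "username": username,
        "password": password,
        "totp": totp(secret_b32, at),
    })


if __name__ == "__main__":
    if seconds_left() < 5:  # avoid sending a code that expires in flight
        time.sleep(seconds_left())
    # Print only the field names, never the credential values.
    print(sorted(k.split("=")[0] for k in token_form("admin", "example-pw", SAMPLE_SECRET).split("&")))
```

A seed kept in the same CI secret store as the password falls with it, so it needs the same scoping and rotation as the password itself.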