Send OTP codes via API

[AlbertMirSoftonic]

We would like to know how to use the API to trigger the sending of an OTP code via email, just like we can do with the Magic Links:

POST http://localhost:8080/realms/myrealm/magic-link

{
  "email": "myemailaddress",
  "client_id": "myclientid",
  "redirect_uri": "http://localhost:8080/",
  "expiration_seconds": 3600,
  "send_email": true
}

Thanks!

[xgp]

Thanks for the question @AlbertMirSoftonic . In the case of email OTP, it's not possible to invoke via API.

In the case of magic link, the link that is created can be opened in any browser, regardless of whether or not it uses the same authentication session. This is because it uses an "Action Token" that encodes all of the necessary information to create a new session and log in the user.

In the case of email OTP, once the code has been created and sent, it stores it in the authentication session (in something called an "Auth Note"), which is specific to the browser and session that is already underway.

[AlbertMirSoftonic]

We're building a native mobile app and we need a simple mechanism to authenticate users using Keycloak without using the browser (only the rest API). And we thought that the best approach here is to send users an OTP via email and use this OTP to get an access token since we consider the email account a valid verified entity.

Is there a way to exchange the OTP with an access token, without using the website, or can give us some light on reaching this mobile app authentication?

Thanks @xgp!

[xgp]

I understand what you're going for, but the "without using the browser (only the rest API)" is generally not a recommended security practice. I would suggest using a standard flow with a library like AppAuth (e.g. for iOS: https://github.com/openid/AppAuth-iOS).

It certainly would be possible for you to generate an OTP, save it as a Credential, and then expose a REST extension where you could send the username and OTP in exchange for a token. A lot of the primitives for what you'd have to build are there in this code. However, you'll be on your own for maintaining it, as it's a big risk if you get it wrong.

[AlbertMirSoftonic]

The thing is that apps like AppAuth open a browser to authenticate users and this is exactly what we try to avoid. Apart from the fact that this does not fit our product requirements, we consider that this approach is not too simple in terms of UX.

Do you know if there's any other more-native approach (perhaps using an SDK —like on Firebase) to login using the OTP code or even the Magic Link?

[xgp]

If you absolutely can't use the browser, I can't think of a great way to do it.

There's OIDC password grant type, which would allow you to exchange a username/password for a token via the Keycloak client OIDC endpoint.

[AlbertMirSoftonic]

Ok. Thanks a lot for all your clarifications! 🙂

[xgp]

Also, on page 101 of the Keycloak book, there's a suggestion for how to use custom URI schemes. E.g. org.acme.app://oauth2/provider-name, which has a suggestion for how to open a temporary web server on the app at a temporary loopback port in order to get the code to do the code-to-token flow. This would work likely work with a magic link with the correct app URI as the redirect.

Anyway, it's not my content to copy here, but if you have the book, it might be one route to consider.