Jeel-Org/keycloak-otp-webhook

Keycloak OTP Webhook Authenticator

A Keycloak authentication provider that generates random OTPs, stores them in Keycloak for verification, and triggers an external webhook (for example, the endpoint of an SMS or email service that delivers the OTP to the user).

Step 1 Add Authenticator

Step 2 Configure Authenticator

Parameters that can be configured:

  1. OTP Length: Length of the OTP to be generated. OTP generation is done via org.keycloak.common.util.SecretGenerator.getInstance().randomString()
  2. Expiry Seconds: OTP expiry in seconds, after which the OTP expires and verification must be restarted
  3. User Identifying Attribute: The name of the user attribute whose value is sent to the webhook in the request body (this is used to identify the user)
  4. Allowed OTP Characters: The set of characters the OTP may contain, for example 0123456789 for a numeric-only OTP
  5. OTP Sending Webhook: The URL that is called when an OTP is generated for authentication (see Webhook SPI Integration below)
  6. Timeout Seconds: Seconds after which the OTP must expire
  7. Enable Logging: Enables logging of all webhook requests and responses

Keycloak auth notes used:

  1. OTP: The OTP used for verification
  2. OTP_EXPIRY: The OTP expiry epoch timestamp, after which the OTP expires and verification must be restarted

User parameters used:

  1. ENABLE_OTP: Defaults to true; the OTP authenticator can be skipped for a user by setting this parameter to false
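The generate/store/verify cycle described by the parameters and auth notes above, written out as an added Python example (the project itself is Java; this is not its code). `generate_otp` stands in for Keycloak's `SecretGenerator.randomString()` using Python's `secrets` module, the auth notes are modelled as a plain dict with the README's `OTP` and `OTP_EXPIRY` keys, and the `now` parameter is an assumption added so that expiry can be tested deterministically. Default values for length, expiry and allowed characters are illustrative, not the project's defaults.

```python
import hmac
import secrets
import time

# Illustrative defaults mirroring the authenticator's configurable parameters
# (parameter names from the README; the values are constructed for this example).
OTP_LENGTH = 6
EXPIRY_SECONDS = 120
ALLOWED_OTP_CHARACTERS = "0123456789"


def generate_otp(length=OTP_LENGTH, allowed=ALLOWED_OTP_CHARACTERS):
    """Draw an OTP from the allowed alphabet with a CSPRNG.

    Stand-in for org.keycloak.common.util.SecretGenerator.randomString();
    secrets.choice is used here so the OTP is never predictable from a
    non-cryptographic PRNG state.
    """
    if length <= 0 or not allowed:
        raise ValueError("OTP length and allowed characters must be non-empty")
    return "".join(secrets.choice(allowed) for _ in range(length))


def start_verification(user_attributes, now=None, expiry_seconds=EXPIRY_SECONDS):
    """Return the auth notes the authenticator would store for this login
    attempt (OTP and OTP_EXPIRY), or None when the user has ENABLE_OTP=false
    and the authenticator is skipped."""
    if str(user_attributes.get("ENABLE_OTP", "true")).lower() == "false":
        return None
    now = int(time.time()) if now is None else now
    return {"OTP": generate_otp(), "OTP_EXPIRY": now + expiry_seconds}


def verify_otp(auth_notes, submitted, now=None):
    """Check a submitted code against the stored auth notes.

    Returns 'expired' (user must restart verification), 'invalid' or 'ok'.
    The expiry check runs first so an expired code is never accepted, and the
    comparison is constant-time to avoid leaking matching prefixes via timing.
    """
    now = int(time.time()) if now is None else now
    if now > int(auth_notes["OTP_EXPIRY"]):
        return "expired"
    if not hmac.compare_digest(str(auth_notes["OTP"]).encode(), str(submitted).encode()):
        return "invalid"
    return "ok"


if __name__ == "__main__":
    notes = start_verification({"ENABLE_OTP": "true"})
    print("stored auth notes:", notes)
    print("verify with stored code:", verify_otp(notes, notes["OTP"]))
    print("verify with wrong code:", verify_otp(notes, "000000"))
```

Two points a deployment should check against this model: the `OTP_EXPIRY` auth note is compared with the server clock, so a skewed clock silently shortens or extends the window, and the `ENABLE_OTP` attribute disables the second factor for that user entirely, so write access to user attributes should be restricted to administrators.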

Step 3 Set User Identifying Attribute

Authentication UI

Webhook SPI Integration

To send a request to the configured webhook, a Java 11 HttpClient (HttpClient.newHttpClient()) is created on startup and reused for all subsequent requests. The 'Timeout Seconds' value from the authenticator config is applied to every request sent via this HttpClient. The 'Enable Logging' parameter turns on logging of each request and response exchanged between Keycloak and the webhook.

The request method is POST and the request body is JSON with the following parameters:

  1. otp: The OTP for verification
  2. userIdentifier: The value of 'User Identifying Attribute' for the user being authenticated
  3. otpExpiryTimestamp: The OTP expiry epoch timestamp, after which the OTP expires

Any response status code >= 400 from the webhook is treated as a failure and an error message is displayed to the user.
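The exchange above from both sides, as an added Python example that is not part of this project: `build_webhook_body` produces the JSON the authenticator POSTs (the three field names are those listed above), and `handle_webhook` is a receiver-side validator for the SMS or email service that returns a status of 400 for anything malformed, which Keycloak then surfaces to the user as an error. The `WebhookHandler` class and the listener address 127.0.0.1:8080, the `allowed_chars` and `max_len` checks, and the `now` parameter are assumptions made for this example; the delivery hook is hypothetical and does nothing.

```python
import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

# Request body fields the authenticator sends (names from the README).
REQUIRED_FIELDS = ("otp", "userIdentifier", "otpExpiryTimestamp")


def build_webhook_body(otp, user_identifier, otp_expiry_timestamp):
    """JSON body as the authenticator POSTs it. Python stand-in for the
    Java HttpClient call, not the project's own code."""
    return json.dumps({
        "otp": otp,
        "userIdentifier": user_identifier,
        "otpExpiryTimestamp": int(otp_expiry_timestamp),
    }).encode("utf-8")


def handle_webhook(body, now=None, allowed_chars="0123456789", max_len=8):
    """Receiver-side validation; returns (status, message).

    Keycloak treats any status >= 400 as a failure, so a malformed request is
    rejected with 400 rather than silently accepted and never delivered.
    allowed_chars/max_len are this receiver's own expectations (assumed to
    match the authenticator's 'Allowed OTP Characters' and 'OTP Length').
    """
    now = int(time.time()) if now is None else now
    try:
        data = json.loads(body)
    except ValueError:
        return 400, "body is not valid JSON"
    if not isinstance(data, dict):
        return 400, "body must be a JSON object"
    missing = [f for f in REQUIRED_FIELDS if f not in data]
    if missing:
        return 400, "missing fields: " + ", ".join(missing)
    otp = str(data["otp"])
    if not otp or len(otp) > max_len or any(c not in allowed_chars for c in otp):
        return 400, "otp has unexpected format"
    if not str(data["userIdentifier"]).strip():
        return 400, "userIdentifier is empty"
    try:
        expiry = int(data["otpExpiryTimestamp"])
    except (TypeError, ValueError):
        return 400, "otpExpiryTimestamp must be an integer epoch timestamp"
    if expiry <= now:
        # Nothing useful can be delivered: the code is already unusable.
        return 400, "otp already expired; nothing to deliver"
    # Hypothetical delivery hook: hand (userIdentifier, otp) to the SMS/email
    # provider here. Do not log the otp value itself.
    return 200, "queued"


class WebhookHandler(BaseHTTPRequestHandler):
    """Minimal HTTP front for handle_webhook (assumed local test listener)."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        status, message = handle_webhook(self.rfile.read(length))
        payload = json.dumps({"message": message}).encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Point 'OTP Sending Webhook' at http://127.0.0.1:8080/ for a local test.
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```

Because the body carries the OTP in clear, the webhook URL should be HTTPS and the receiver should require some form of caller authentication; with 'Enable Logging' turned on, the logged request bodies contain OTP values and the logs need to be handled as sensitive.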

Languages

  • Java 92.1%
  • FreeMarker 7.9%