Keycloak 2FA via SMS using external REST API
I have been trying to implement 2FA using OTP. So far I have been successful doing it via the browser flow, using the Keycloak interface to log in. Keycloak provides an API to give the access token after passing username, password & client-secret,
i.e. http://localhost:8080/realms/SpringBootKeycloak/protocol/openid-connect/token
Is there any external API available to trigger my custom flow of sending an OTP and verifying it? If not, how can I implement this?
Solution 1:[1]
Keycloak doesn't provide any API to verify the OTP.
> Keycloak provides an API to give the access token after passing username, password & client-secret
Most likely you're talking here about Resource owner password credentials grant (Direct Access Grant).
The latest OAuth 2.0 Security Best Current Practice spec actually recommends against using the Password grant entirely, and it is being removed in the OAuth 2.1 update. (source).
Unless you have more specific requirements than just login and OTP, I'd recommend using a regular authorization code flow as the default way of authorization. With this flow you'd be redirected to the Keycloak login page, and you can configure OTP to be displayed there without using Keycloak APIs.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | yyunikov |
