How can the "send emailOTP" policy be frozen when the browser is refreshed?

We are trying to deploy Keycloak with the privacyIDEA plugin, using EmailOTP for users.

The 1st & 2nd step logins are smooth. But we have a question:

If the user has completed the 1st step of the challenge login (username & password), the browser is then waiting for the email token to be entered. At this moment, the user presses the "refresh button" and the browser page is refreshed. Meanwhile, the privacyIDEA server triggers the 1st step challenge again & sends a new emailOTP to the user's mailbox. Even when the user only clicks refresh, the send emailOTP policy is triggered & processed.

Do we have any method to freeze the 2nd+ triggering of the 'send emailOTP policy'?

Our idea for the workflow:

  1. The user triggers the 'send emailOTP policy' for the 1st time; the emailOTP is sent out normally.
  2. The policy is then frozen for 1 min for this username, as follows.
  3. If the same username refreshes the browser and triggers the 1st step challenge again, no emailOTP is sent out during this window, since the policy is frozen.
  4. Besides, the 1st emailOTP is still valid.
  5. If the user did not get any emailOTP the 1st time, he can wait 1 min and then refresh the browser again or retry the Keycloak login. This time he gets an emailOTP, since the policy is automatically unfrozen for this username, as in workflow step 1.

This is our configuration:
privacyidea 3.7.1
keycloak 15.1.1
privacyidea keycloak plugin 1.0.1

keycloak plugin configuration:
emailotp3

Policy: Email_OTP_xxxxx.biz

active: **True**
scope: **authentication**
realm: **[]**
adminrealm: **[]**
adminuser: **[]**
resolver: **['xxxxx.biz']**
pinode: **[]**
check_all_resolvers: **False**
user: **[]**
client: **[]**
time: ****
conditions: **[('userinfo', 'email', 'matches', '.*@gmail.com', False), ('userinfo', 'email', 'in', '.*@yahoo.com,.*@gmail.com,.*@qq.com', False)]**
priority: **50**
action: **{'auth_cache': '1h/5m', 'challenge_response': 'email', 'emailsubject': 'Email OTP', 'emailtext': 'file:/etc/privacyidea/cfg/emailotp_template4.html', 'otppin': 'userstore'}**

Freeze? What do you mean by that?

I do not understand this sentence:

Do we have any method to freeze the 2nd+ triggering of the 'send emailOTP policy'?

Thank you for your reply.

Is there any method to detect whether the same username triggers the challenge again within a short period (e.g. within 1 min.) and, if so, to skip processing the "send emailOTP policy"? Then no further emailOTP would be sent to the user's mailbox in this short period.

This is not possible. I think you should fix your login process.

The OTP value sent via email or SMS is bound to this login session.
If the user creates a new session, the previous OTP value is no longer valid for the new session (depending on your client configuration).
So even if privacyIDEA did not send another email, authentication is not guaranteed to work with the old 2nd factor.
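To illustrate the session binding described in the answer above, here is an added in-memory model of challenge-response flow; it is constructed for this thread and is not privacyIDEA's or the Keycloak plugin's code. It assumes a challenge is identified by a transaction_id (as in privacyIDEA's /validate/check API) and shows why a client that re-runs step 1 on refresh both sends a second email and makes the first OTP useless, whereas a client that keeps the transaction_id in its login session does neither.

```python
import secrets
import time

CHALLENGE_VALIDITY = 120  # seconds; constructed value, not a privacyIDEA default


class ChallengeStore:
    """Constructed model of a server holding open email-OTP challenges."""

    def __init__(self):
        self.challenges = {}  # transaction_id -> (user, otp, expiry)
        self.emails_sent = 0  # one email per triggered challenge

    def trigger(self, user):
        """Step 1 succeeded: create a challenge and 'send' its OTP by email."""
        used = {c[1] for c in self.challenges.values()}
        otp = f"{secrets.randbelow(10**6):06d}"
        while otp in used:  # keep the model deterministic for the demo
            otp = f"{secrets.randbelow(10**6):06d}"
        transaction_id = secrets.token_hex(8)
        self.challenges[transaction_id] = (user, otp, time.time() + CHALLENGE_VALIDITY)
        self.emails_sent += 1
        return transaction_id, otp

    def check(self, user, otp, transaction_id):
        """Step 2: the OTP is only accepted against its own transaction."""
        entry = self.challenges.pop(transaction_id, None)  # single use
        if entry is None:
            return False
        owner, expected, expiry = entry
        return (owner == user
                and secrets.compare_digest(expected, otp)
                and time.time() < expiry)


def naive_refresh(store, user):
    """Client that re-runs step 1 on refresh: a second challenge is created."""
    _, first_otp = store.trigger(user)
    second_tid, _ = store.trigger(user)  # browser refresh re-triggers step 1
    return store.check(user, first_otp, second_tid)  # old OTP vs new session


def session_bound_refresh(store, user):
    """Client that stores transaction_id in the auth session across refresh."""
    tid, otp = store.trigger(user)
    # refresh only re-renders the OTP form; the session still holds tid
    return store.check(user, otp, tid)
```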