Re-enroll a new token if one was not added/authorized

Hi All!

We set up privacyIDEA for MFA to use with Keycloak, as described in these posts:

We set up a TOTP QR code for scanning, but if a user refreshes the page for any reason,
the token will be lost.

Could anyone please tell me whether there is any way to enroll a new token (QR code), or re-enroll an existing one, if a user has never scanned it?

Enrolling a 2nd factor via Keycloak is not the very best idea. You might need to reconsider your enrollment strategy.

Or you could somehow check whether a token was ever used at all.

Thank you very much for having a look at my question.

As I wrote, my goal is to show the QR code of the TOTP token if:

  1. The user has only one token
  2. The user has never authenticated with this token (the token info parameter “last_auth” indicates this)

The workflow is as follows:

  1. The user opens any page
  2. Gets redirected to Keycloak
  3. Enters their username and password
  4. Then sees the QR code of the TOTP token and a field to enter the OTP value
  5. If the user leaves the page for any reason, the next time they try to authenticate with Keycloak (by entering username and password) they will not see the QR code of the token that was never used for authentication
  6. In privacyIDEA, for this user we will see one token with an empty token info parameter “last_auth”

I would like to use the Keycloak privacyIDEA plugin, and it looks like I need to modify it
in order to solve the issue.
Could you please tell me which would be the correct way of solving the issue (showing the user the QR code if they have not authenticated yet):

  1. Delete the only token and enroll a new one, thus showing a QR code?
  2. Cache the QR code image and show it again while the user has still not authenticated (but it’s probably a bit complicated to implement when Keycloak is in clustering mode)
  3. Or is there some other way to show the QR code of a token that already exists via API methods?

You should not do this in the Keycloak plugin. We will never ever merge complex logic into a plugin.

Rule of thumb:
keep the plugins dumb.

What you basically want to do is: throw a token away (delete it) if it was not used within a certain time window after enrollment. You can do this in the backend by

  • setting a timestamp in tokeninfo during the enrollment (using an event handler)
  • running a cron job with the token-janitor that checks for this timestamp and the number of authentications.

This way you can automatically delete unused tokens in the backend without touching anything in the plugins or applications.
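The backend-side rule above (stamp the token at enrollment, delete it once the window has passed if it was never used) is small enough to write down. The following is an added example for this thread, not a privacyIDEA or Keycloak-plugin script, and it is an alternative to the token-janitor command rather than a wrapper around it: it talks to the privacyIDEA REST API (POST /auth, GET /token/, DELETE /token/<serial>) and assumes an event handler has written the enrollment time into a hypothetical tokeninfo key `enrolled_at` as an ISO-8601 timestamp. The `last_auth` format and the optional `count_auth` tokeninfo key follow what privacyIDEA writes, but treat them as assumptions and check them against your own instance. The token list at the bottom is constructed sample data in the shape of a `GET /token/` response.

```python
"""Delete TOTP tokens that were enrolled but never used, after a grace window.

Added example for this thread, not privacyIDEA's own tooling.  Assumptions:
  * an event handler wrote the enrollment time to tokeninfo key "enrolled_at"
    (hypothetical name) as an ISO-8601 timestamp;
  * "last_auth" in tokeninfo is absent until the first successful OTP check
    and, when present, looks like "2024-04-20 08:05:12.431000+02:00";
  * "count_auth" in tokeninfo, if your policies track it, is a decimal string;
  * the REST API exposes POST /auth, GET /token/ (paginated) and
    DELETE /token/<serial>, authorised with the token returned by /auth.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

ENROLL_KEY = "enrolled_at"        # hypothetical tokeninfo key set at enrollment
GRACE = timedelta(hours=24)       # how long an unscanned QR code stays usable


def parse_ts(value):
    """Parse a tokeninfo timestamp; values without an offset are treated as UTC."""
    dt = datetime.fromisoformat(value.strip())
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def never_used(token):
    """True when the token shows no successful authentication at all."""
    info = token.get("info") or {}
    if info.get("last_auth"):
        return False
    return str(info.get("count_auth", "0")).strip() == "0"


def stale_unused_serials(tokens, now, grace=GRACE, key=ENROLL_KEY):
    """Serials enrolled more than `grace` before `now` and never used.

    Tokens without the enrollment stamp are skipped on purpose: they predate the
    event handler, and a cleanup job must never delete what it cannot date.
    """
    cutoff = now - grace
    stale = []
    for tok in tokens:
        stamp = (tok.get("info") or {}).get(key)
        if not stamp:
            continue
        if parse_ts(stamp) <= cutoff and never_used(tok):
            stale.append(tok["serial"])
    return stale


def _call(base, path, method="GET", headers=None, body=None):
    """Minimal JSON call against the privacyIDEA REST API."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base.rstrip("/") + path, data=data, method=method,
                                 headers={"Content-Type": "application/json",
                                          **(headers or {})})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def cleanup(base, admin, password, dry_run=True, tokentype="totp"):
    """List tokens, compute the stale set, delete it unless dry_run. Returns the serials."""
    auth = _call(base, "/auth", "POST", body={"username": admin, "password": password})
    hdr = {"Authorization": auth["result"]["value"]["token"]}
    tokens, page = [], 1
    while page:                                  # walk the paginated listing
        res = _call(base, f"/token/?tokentype={tokentype}&page={page}&pagesize=100",
                    headers=hdr)["result"]["value"]
        tokens.extend(res["tokens"])
        page = res.get("next")                   # None on the last page
    stale = stale_unused_serials(tokens, datetime.now(timezone.utc))
    for serial in stale:
        if not dry_run:
            _call(base, "/token/" + serial, "DELETE", headers=hdr)
    return stale


# Constructed sample in the shape GET /token/ returns, trimmed to the fields used.
SAMPLE_TOKENS = [
    {"serial": "TOTP0001", "tokentype": "totp",
     "info": {"enrolled_at": "2024-05-01T08:00:00+00:00"}},         # never scanned, old: delete
    {"serial": "TOTP0002", "tokentype": "totp",
     "info": {"enrolled_at": "2024-05-02T09:30:00+00:00"}},         # never scanned, still in grace
    {"serial": "TOTP0003", "tokentype": "totp",
     "info": {"enrolled_at": "2024-04-20T08:00:00+00:00",
              "last_auth": "2024-04-20 08:05:12.431000+02:00"}},    # used: keep
    {"serial": "TOTP0004", "tokentype": "totp", "info": {}},        # no stamp: keep
]


def demo(now=None):
    """Run the rule over the constructed sample at a fixed point in time."""
    now = now or datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)
    return stale_unused_serials(SAMPLE_TOKENS, now)


if __name__ == "__main__":
    print(demo())   # ['TOTP0001']
```

Run it from cron with `dry_run=True` first and log the returned serials before letting it delete anything. The grace window is the actual security decision here: during it an unscanned QR code still represents a valid, assigned token, after it the user has to enroll again; a few hours is usually enough for a user to finish scanning, and anything measured in weeks leaves a secret nobody has in their app lying around for no benefit.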

Let me elaborate the use case: when the user fails to enrol on the Keycloak page, they would be able to re-enrol immediately, until the first successful OTP-backed login, as soon as another browser tab is opened or the current page is reloaded. Do you see any security concerns in such an approach?

Thank you for answering again.
Actually, what I need is to not lose the QR code when the page is refreshed while I’m making the first login to the system.

I recorded a video that shows the issue:

You can see here that when I refresh the page, or close and reopen the browser/tab,
the QR code is not shown again if I did not authenticate the first time.

Could you please tell me how to solve this issue?

When you enroll a token with Keycloak, the token is already enrolled when the QR code is displayed, regardless of whether the OTP is entered or not.
If you then refresh the page, the user already has a token, and therefore no QR code will be displayed; instead the OTP is requested.
Solving this “issue” would require a lot of logic in the plugin which is something we do not want to do.
Enrolling tokens using the plugin is something that is not recommended.

We’ve tried with a QR code and a group of confident users, and it appears that there are too many cases where a person misses the QR code, can’t log in and thus can’t even reach out to technical support for an MFA reset or enrolment assistance. Single-chance enrolment is rude.

Hi, thanks for pointing this out.

We would not like users to go to any other resource, like privacyIDEA, to manually enroll new tokens. We would just like to have a single entry point where users can enroll tokens.
In our case, this will be Keycloak, which shows the QR code via the privacyIDEA plugin.

The issue with refreshing the page is that there’s no guarantee that the user has added the token (QR code) to an authenticator application that generates the codes (TOTP in our case). And if the user refreshes the page, they end up in a situation where there’s no other way to get a new QR code to add for further TOTP authentication.

What we would like is to show the same QR code every time until the user makes the first authentication. Is there any possibility of creating such a workflow with the Keycloak plugin and privacyIDEA? Or maybe there are some security issues with that?