Reset only OTP via custom login theme


Daniel Wörner

Feb 13, 2026, 3:39:45 AM
to Keycloak User
Hi,

I'm trying to implement a way to reset only the OTP device, as per our customer's wish.
To do so, my team and I came up with the following concept:
1. add a button to login-otp to trigger the reset-credentials flow with a custom client_id
2. add a custom flow that only resets the OTP
3. override the reset-credentials flow with the custom flow only for the newly created client.

Sadly, this didn't work, because the generated URL in the theme already sets the client_id to the standard one, so any appended parameters make the URL invalid, since the client_id parameter would then appear twice.

I had the idea to have the button directly send REST-calls to the Keycloak API, but am unsure if and how that would even work.

So far we haven't found a solution, so I hope some of you may have one.

Best Regards,
Daniel

Saahil Rout

Feb 17, 2026, 2:19:33 AM
to Daniel Wörner, Keycloak User
It’s an easy fix. Contact me at opera...@techquipt.in


Saahil Rout

Feb 17, 2026, 5:20:40 AM
to Daniel Wörner, Keycloak User
If the goal is to reset only the OTP device (not full credentials), the correct approach is:

1. Create a custom Required Action Provider.
2. Implement logic that:
   - removes the user’s OTP credential (user.credentialManager().removeStoredCredentialById(...))
   - or resets the configured OTP credential type.
3. Register it in META-INF/services/org.keycloak.authentication.RequiredActionProviderFactory
4. Deploy as a custom SPI.
5. Trigger it using kc_action=your-custom-action appended to the existing login URL.

This avoids touching client_id entirely and works within the existing client context.

You can trigger it via:

/realms/{realm}/protocol/openid-connect/auth?
client_id=existing-client
&response_type=code
&kc_action=reset-otp

No need for a second client.

Let me know if it works.

With Regards
