privacyidea/keycloak-provider

optionally make OTP input text instead of password

Opened this issue · 6 comments

Hello,

the current login form sets the type for the otp field to type="password":

document.getElementById("otp").type = "password";

This prevents password managers from properly differentiating between the login and OTP fields. The OTP login form shipped by Keycloak already correctly sets the field to type="text":
https://github.com/keycloak/keycloak/blob/82808e81f2b571100888a4847f54b96d3b70d271/themes/src/main/resources/theme/base/login/login-otp.ftl#L32

Is there a strong reason to explicitly set it to type="password"?

~ mat1010

Hi, what does your password manager do that is causing problems?
While it is true that other forms often have the OTP as a cleartext input, I can think of a reason why we would not want it, and that is because the PIN could be seen. In a way, it is a password field when using PIN+OTP.

I'm using KeePassXC as my password manager. But the same is true for the integrated macOS password manager.

It receives the URL, e.g. https://auth.example.org, and finds a username + password input field within that site. I have a username, password and TOTP key configured for this specific site, which causes KeePassXC to correctly fill out the login form ✔️

I'm now being redirected to the OTP page, which also lives on https://auth.example.org. There is again a field of type password, which again resolves to the password configured for my user instead of the OTP key.

Since there is no field of type otp, password managers usually expect a text field for the OTP token.

Ok, you will probably have to either make your password manager ignore that field or change it to text locally for your Keycloak. Like I said, we cannot change it to text currently.

Ok, that's sad. Would you potentially consider having it configurable in the future?

Yes we can think about it for the next version.

Thanks a lot. I'm looking forward to it.
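The following is an added example, not code from privacyidea/keycloak-provider or from Keycloak's login theme. It sketches what the configurable behaviour requested above could look like on the client side: the OTP input is left as plain text and tagged with autocomplete="one-time-code" (the standard HTML autofill field name for one-time codes) so password managers stop matching it as the account password, but it stays type="password" when the deployment uses PIN+OTP and the PIN must not be readable on screen, which is the maintainer's reason for the current masking. The data-mask-otp form attribute, readOtpPolicy and applyOtpFieldPolicy are assumptions made for this example; StubElement is a constructed stand-in so the snippet runs outside a browser.

```javascript
// Added example (not privacyidea/keycloak-provider code). Assumed names:
// data-mask-otp (hypothetical attribute a theme template could emit),
// readOtpPolicy, applyOtpFieldPolicy.

function readOtpPolicy(form) {
  // Hypothetical template-controlled attribute, e.g. <form data-mask-otp="true">.
  // Default to masking (today's behaviour) when the attribute is absent, so a
  // missing setting never accidentally exposes a PIN.
  const raw = form.getAttribute("data-mask-otp");
  return { maskOtpInput: raw === null ? true : raw === "true" };
}

function applyOtpFieldPolicy(input, policy) {
  const mask = policy.maskOtpInput === true;
  // PIN+OTP deployments keep type="password"; pure OTP can be shown as text.
  input.setAttribute("type", mask ? "password" : "text");
  // "one-time-code" is the HTML autofill token for OTP fields. It is set in
  // both modes, so even a masked field is not matched as the login password.
  input.setAttribute("autocomplete", "one-time-code");
  return {
    type: input.getAttribute("type"),
    autocomplete: input.getAttribute("autocomplete"),
  };
}

// Constructed minimal stand-in for a DOM element so the example runs under
// Node; in a real theme pass document.getElementById("otp") and the form.
class StubElement {
  constructor(attrs = {}) {
    this.attrs = { ...attrs };
  }
  getAttribute(name) {
    return Object.prototype.hasOwnProperty.call(this.attrs, name) ? this.attrs[name] : null;
  }
  setAttribute(name, value) {
    this.attrs[name] = String(value);
  }
}

// Pure-OTP deployment: the operator opted out of masking.
function demoUnmasked() {
  const form = new StubElement({ "data-mask-otp": "false" });
  const otp = new StubElement({ id: "otp", type: "password" });
  return applyOtpFieldPolicy(otp, readOtpPolicy(form));
}

// PIN+OTP deployment (or no setting at all): masking is kept.
function demoMasked() {
  const form = new StubElement({});
  const otp = new StubElement({ id: "otp", type: "password" });
  return applyOtpFieldPolicy(otp, readOtpPolicy(form));
}
```

The autocomplete token is the part that actually helps the password managers mentioned in this thread, and it is safe to set independently of the masking choice; masking itself should stay the default wherever the field can hold a PIN, because a plain-text field shows that PIN to anyone looking at the screen.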