Authenticates the user with Keycloak using a TOTP code
This step authenticates the user by validating a TOTP code, generated in the user's TOTP authenticator app, against Keycloak, an external identity provider. It is used for Just-In-Time (JIT) migration scenarios where users are gradually migrated from Keycloak to Mosaic as they log in.
Before using this step, configure a Keycloak connection in Integration Hub.
The user identifier and TOTP code must be obtained before initiating this step, for example by using a Collect information form. If the authentication succeeds, the journey continues to the next step. The authentication result is stored in the output variable and can be used in subsequent steps (e.g., to create a user in Mosaic).
If the authentication fails (e.g., incorrect or expired TOTP code), the journey proceeds to the failure branch (if specified); otherwise, the journey is aborted and an error is sent to the client.
| Field | Description |
|---|---|
| Keycloak integration | The Keycloak connector to use for authentication, as configured in Integration Hub. |
| User identifier | Expression that yields the user's identifier in Keycloak. |
| TOTP code | Expression that yields the TOTP code entered by the user. |
| Scope | OAuth scopes to request from Keycloak. Default: openid profile email. |
| Output variable | Name of the variable that stores the authentication result returned by Keycloak. |
| Error output variable | Name of the variable that stores any errors returned by the step. |
| Failure behavior | Determines what happens if the step fails: either abort the journey or proceed to a failure branch of the control flow (default). |
This step can be configured to record step input and output data, or a custom payload, which is then surfaced in journey events in Journey Analytics for diagnostic purposes. For details, see Additional data reporting.
Consider a migration journey that collects a user identifier and TOTP code using a Collect information step. The Keycloak TOTP Authentication step validates the code against Keycloak. If successful, the output variable (keycloak_tokens) contains user information, including the ID token and user_info, that can be used to create or update a user in Mosaic using the Create user step.
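
One way to vet the step's output before handing it to a Create user step, shown as an added example that is not part of the original documentation or Mosaic's own code. It assumes the output variable exposes id_token and user_info fields carrying standard OIDC claims; the function names and the returned attribute names are hypothetical.

```javascript
// Added example. Assumed: the output variable has id_token and user_info
// fields with standard OIDC claims; returned attribute names are hypothetical.

// Decode a JWT payload without verifying the signature. Assumption: the token
// was returned by the Keycloak step itself and never passed through the client.
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) throw new Error("id_token is not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Return the attributes to carry into user creation, or throw on inconsistency.
function buildMigrationProfile(keycloakTokens, nowSeconds) {
  const { id_token: idToken, user_info: userInfo } = keycloakTokens || {};
  if (!idToken || !userInfo) throw new Error("missing id_token or user_info");
  const claims = decodeJwtPayload(idToken);

  // OIDC Core requires the UserInfo sub to match the ID token sub.
  if (!claims.sub || claims.sub !== userInfo.sub) throw new Error("sub mismatch");
  // Reject a stale result, e.g. a variable reused from an earlier attempt.
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) {
    throw new Error("id_token expired");
  }

  const profile = { external_id: userInfo.sub, username: userInfo.preferred_username };
  // Carry over the email only if Keycloak marks it verified; an unverified
  // address must not become a trusted login or recovery identifier.
  if (userInfo.email && userInfo.email_verified === true) {
    profile.email = userInfo.email;
  }
  return profile;
}

// Constructed sample output (not real tokens; the signature part is a dummy).
function makeSampleTokens(claims, userInfo) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  const jwt = `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.constructed`;
  return { id_token: jwt, user_info: userInfo };
}

const sample = makeSampleTokens(
  { sub: "kc-1234", exp: 2000000000 },
  { sub: "kc-1234", preferred_username: "alice", email: "alice@example.com", email_verified: false }
);
console.log(buildMigrationProfile(sample, 1700000000));
```

With the constructed sample, the unverified email is left out of the profile, so the migrated account starts without a trusted email until the user verifies one.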