# Keycloak TOTP Authentication

div
div
Client SDK
div
Backend API
div
Mobile approve
div
SSO
div
Sub-journey
> Authenticates the user with Keycloak using TOTP code


## Description

This step authenticates the user by validating a TOTP code generated in the user's TOTP authenticator app against Keycloak–an external identity provider. It is used for Just-In-Time (JIT) migration scenarios where users are gradually migrated from Keycloak to Mosaic as they log in.

Before using this step, configure a [Keycloak connection](/guides/orchestration/external-connections/external_idp) in Integration Hub.

The user identifier and TOTP code must be obtained before initiating this step, such as using a [Collect information](/guides/orchestration/journeys/get_info_from_client) form. If the authentication succeeds, the journey continues to the next step. The authentication result is stored in the output variable and can be used in subsequent steps (e.g., to create a user in Mosaic).

If the authentication fails (e.g., incorrect or expired TOTP code), the journey proceeds to the failure branch (if specified); otherwise, the journey is aborted and an error is sent to the client.

## Configuration

div
| Field | Description |
|  --- | --- |
| **Keycloak integration** | The Keycloak connector to use for authentication, as configured in Integration Hub. |
| **User identifier** | Expression that yields the user's identifier in Keycloak. |
| **TOTP code** | Expression that yields the TOTP code entered by the user. |
| **Scope** | OAuth scopes to request from Keycloak. Default: `openid profile email`. |
| **Output variable** | Name of the variable that stores the authentication result returned by Keycloak. |
| **Error output variable** | Name of the variable that stores any errors returned by the step. |
| **Failure behavior** | Determines the behavior in case of failure, which either aborts the journey or proceeds to a failure branch of the control flow (default). |


Journey event data
This step can be configured to record step input and output data, or a custom payload, which is then surfaced in journey events in Journey Analytics for diagnostic purposes. For details, see [Additional data reporting](/guides/orchestration/getting-started/event_reporting).

## Example

Consider a migration journey that collects a user identifier and TOTP code using a [Collect information](/guides/orchestration/journeys/get_info_from_client) step. The Keycloak TOTP Authentication step validates the code against Keycloak. If successful, the output variable (`keycloak_tokens`) contains user information, including ID token and `user_info`, that can be used to create or update a user in Mosaic using the [Create user](/guides/orchestration/journeys/create_user) step.