Resolve realm display name localization placeholders in TOTP issuer name #48700

Open
mabagoury wants to merge 1 commit into keycloak:main from mabagoury:fix/totp-issuer-name-localization
@mabagoury
Contributor

Resolve the realm display name before it is used as the issuer name when configuring TOTP credentials. This allows values that use localization placeholder syntax (e.g., ${realm.displayName}) to be resolved using the LOGIN theme messages and the user’s resolved locale, so authenticator applications show the localized display name instead of the raw placeholder.

Fixes #48680

@mabagoury requested a review from a team as a code owner, May 4, 2026 23:12
@mabagoury force-pushed the fix/totp-issuer-name-localization branch from c27aa78 to 4f0f206, May 4, 2026 23:21
@mabagoury
Contributor Author

I kept issuer resolution in services/.../TotpUtils.java instead of server-spi/.../OTPPolicy.java.

OTPPolicy is a suitable place for building the TOTP URI. However, resolving the realm display name requires:

  • LOGIN theme message bundles
  • the user’s resolved locale
  • theme/templating utilities (e.g., TemplatingUtil)

These dependencies belong to the service layer rather than the SPI layer. As a result, TotpUtils resolves the issuer string first and then delegates to OTPPolicy#getKeyURI(String issuer, String user, String secret).

Additionally, OTPPolicy#getKeyURI(RealmModel, UserModel, String) appears unused within this repository. Only TotpUtils used it. We could consider removing the unused overload, provided there is no external usage, since it is part of the public SPI surface and may have external consumers.
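
The ordering described in the comment above (resolve the issuer string first, then hand it to the URI builder), as an added stand-alone Java example that is not code from this PR or from Keycloak. The in-memory bundle map, the English fallback, the sample secret and all class and method names are constructed for illustration, and no Keycloak APIs are used.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class IssuerResolutionExample {
    // Constructed stand-in for LOGIN theme message bundles, keyed by language.
    static final Map<String, Map<String, String>> BUNDLES = Map.of(
        "en", Map.of("realm.displayName", "Example Corp"),
        "de", Map.of("realm.displayName", "Beispiel GmbH"));

    static final Pattern PLACEHOLDER = Pattern.compile("\\$\\{([^}]+)\\}");

    // Replace each ${key} with the message for the locale. Assumed fallback for
    // this example: English, then the bare key, so "${...}" never reaches the URI.
    static String resolve(String displayName, Locale locale) {
        Map<String, String> msgs = BUNDLES.getOrDefault(locale.getLanguage(), Map.of());
        Matcher m = PLACEHOLDER.matcher(displayName);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String key = m.group(1);
            String value = msgs.getOrDefault(key, BUNDLES.get("en").getOrDefault(key, key));
            // quoteReplacement keeps '$' or '\' in a message from being read as a group reference.
            m.appendReplacement(out, Matcher.quoteReplacement(value));
        }
        m.appendTail(out);
        return out.toString();
    }

    static String enc(String s) {
        // URLEncoder emits '+' for spaces; in a URI path '+' is a literal plus, so use %20.
        return URLEncoder.encode(s, StandardCharsets.UTF_8).replace("+", "%20");
    }

    // otpauth key URI: label "issuer:account" plus a matching issuer parameter.
    static String keyUri(String issuer, String user, String secret) {
        return "otpauth://totp/" + enc(issuer) + ":" + enc(user)
             + "?secret=" + secret + "&issuer=" + enc(issuer);
    }

    public static void main(String[] args) {
        String raw = "${realm.displayName}";   // value stored on the realm
        String secret = "JBSWY3DPEHPK3PXP";    // constructed Base32 sample, not a real secret
        System.out.println(keyUri(raw, "alice", secret));                          // unresolved: placeholder is encoded into the URI
        System.out.println(keyUri(resolve(raw, Locale.GERMAN), "alice", secret)); // localized issuer
        System.out.println(keyUri(resolve(raw, Locale.FRENCH), "alice", secret)); // no "fr" bundle: falls back to "en"
    }
}
```

The first printed URI carries the percent-encoded placeholder as the issuer, which is what an authenticator app would display without the resolution step. Requires Java 10 or later.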

@keycloak-github-bot
Unreported flaky test detected

If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.forms.BruteForceTest#testNoFailureResetForPermanentLockout

Keycloak CI - Base IT (5)

org.opentest4j.AssertionFailedError: Expected error event ==> expected: <true> but was: <false>
	at org.junit.jupiter.api.AssertionFailureBuilder.build(AssertionFailureBuilder.java:151)
	at org.junit.jupiter.api.AssertionFailureBuilder.buildAndThrow(AssertionFailureBuilder.java:132)
	at org.junit.jupiter.api.AssertTrue.failNotTrue(AssertTrue.java:63)
	at org.junit.jupiter.api.AssertTrue.assertTrue(AssertTrue.java:36)
...


@keycloak-github-bot keycloak-github-bot Bot left a comment

Unreported flaky test detected, please review

Comment thread services/src/main/java/org/keycloak/utils/TotpUtils.java
Resolve the realm display name before it is used as the issuer name when configuring TOTP credentials. This allows values that use localization placeholder syntax (e.g., ${realm.displayName}) to be resolved using the LOGIN theme messages and the user’s resolved locale, so authenticator applications show the localized display name instead of the raw placeholder.

Fixes keycloak#48680

Signed-off-by: Mohammed Elbagoury <m.a.bagoury@gmail.com>
@mabagoury force-pushed the fix/totp-issuer-name-localization branch from 4f0f206 to a3a19f4, May 5, 2026 20:36
Development

Successfully merging this pull request may close these issues.

Realm display name localization placeholder is not expanded when resolving OTP issuer name
