keycloak · pedroigor · Nov 6, 2025
@@ -30,7 +30,6 @@ public class UserRepresentation extends AbstractUserRepresentation{
     protected String self; // link
     protected String origin;
     protected Long createdTimestamp;
-    protected Boolean totp;
     protected String federationLink;
     protected String serviceAccountClientId; // For rep, it points to clientId (not DB ID)
 
@@ -68,7 +67,6 @@ public UserRepresentation(UserRepresentation rep) {
         this.self = rep.getSelf();
         this.createdTimestamp = rep.getCreatedTimestamp();
         this.enabled = rep.isEnabled();
-        this.totp = rep.isTotp();
         this.federationLink = rep.getFederationLink();
         this.serviceAccountClientId = rep.getServiceAccountClientId();
         this.credentials = rep.getCredentials();
@@ -103,16 +101,6 @@ public void setCreatedTimestamp(Long createdTimestamp) {
         this.createdTimestamp = createdTimestamp;
     }
 
-    @Deprecated
-    public Boolean isTotp() {
-        return totp;
-    }
-
-    @Deprecated
-    public void setTotp(Boolean totp) {
-        this.totp = totp;
-    }
-
     public List<CredentialRepresentation> getCredentials() {
         return credentials;
     }

@@ -43,6 +43,16 @@ To analyze rejected requests in the server log, enable debug logging for `org.ke
 
 To revert to the previoius behavior and to accept non-normalized URLs, set the option `http-accept-non-normalized-paths` to `true`. With this configuration, enable and review the HTTP access log to identify problematic requests.
 
+=== Method `UserRepresentation#isTotp` removed
+
+The method `isTotp` has been removed from the `UserRepresentation` class after a long period of deprecation.
+
+As an alternative to query whether a user has OTP configured, you can use the Admin REST API endpoint to get the user's
+credentials and check for the presence of a credential of type `otp`, `totp`, or `hotp`.
+
+If have JSON files you are using to import back up users that include the `totp` field, you can safely remove this field from your files as it is no longer used.
+Not doing that will cause failure during user import because the field is unrecognized.
+
 // ------------------------ Notable changes ------------------------ //
 == Notable changes
 

@@ -365,7 +365,6 @@ spec:
         createdTimestamp: 1645713689127
         username: test
         enabled: true
-        totp: false
         emailVerified: false
         credentials:
           - id: 5c2bcf07-204a-4c19-aa40-c652198b289a

@@ -361,7 +361,6 @@ spec:
         createdTimestamp: 1645713689127
         username: test
         enabled: true
-        totp: false
         emailVerified: false
         credentials:
           - id: 5c2bcf07-204a-4c19-aa40-c652198b289a

@@ -108,7 +108,6 @@ void createUserFile(String dir) throws IOException {
                     + "    \"emailVerified\" : false,\n"
                     + "    \"createdTimestamp\" : 1741358612691,\n"
                     + "    \"enabled\" : true,\n"
-                    + "    \"totp\" : false,\n"
                     + "    \"credentials\" : [ ],\n"
                     + "    \"disableableCredentialTypes\" : [ ],\n"
                     + "    \"requiredActions\" : [ ],\n"

@@ -465,7 +465,6 @@
     "emailVerified" : false,
     "createdTimestamp" : 1743805607623,
     "enabled" : true,
-    "totp" : false,
     "credentials" : [ {
       "id" : "8e62d04c-e44c-481e-b44b-35782f2e3d37",
       "type" : "password",
@@ -485,7 +484,6 @@
     "emailVerified" : false,
     "createdTimestamp" : 1743805613636,
     "enabled" : true,
-    "totp" : false,
     "credentials" : [ {
       "id" : "bcfa8d6a-1ae8-443c-abbb-e3202859a83f",
       "type" : "password",
@@ -505,7 +503,6 @@
     "emailVerified" : false,
     "createdTimestamp" : 1743805572107,
     "enabled" : true,
-    "totp" : false,
     "credentials" : [ ],
     "disableableCredentialTypes" : [ ],
     "requiredActions" : [ ],
@@ -518,7 +515,6 @@
     "emailVerified" : false,
     "createdTimestamp" : 1743805578209,
     "enabled" : true,
-    "totp" : false,
     "credentials" : [ ],
     "disableableCredentialTypes" : [ ],
     "requiredActions" : [ ],
@@ -531,7 +527,6 @@
     "emailVerified" : false,
     "createdTimestamp" : 1743805599455,
     "enabled" : true,
-    "totp" : false,
     "credentials" : [ ],
     "disableableCredentialTypes" : [ ],
     "requiredActions" : [ ],
@@ -547,7 +542,6 @@
     "emailVerified" : false,
     "createdTimestamp" : 1743805490979,
     "enabled" : true,
-    "totp" : false,
     "credentials" : [ {
       "id" : "17db31f1-23cd-4dcb-8e51-087990a56e8e",
       "type" : "password",
@@ -567,7 +561,6 @@
     "emailVerified" : false,
     "createdTimestamp" : 1743805497839,
     "enabled" : true,
-    "totp" : false,
     "credentials" : [ {
       "id" : "3a2b59b1-7c32-4666-bfb1-5146c22ca73b",
       "type" : "password",
@@ -587,7 +580,6 @@
     "emailVerified" : false,
     "createdTimestamp" : 1743805450207,
     "enabled" : true,
-    "totp" : false,
     "credentials" : [ ],
     "disableableCredentialTypes" : [ ],
     "requiredActions" : [ ],
@@ -600,7 +592,6 @@
     "emailVerified" : false,
     "createdTimestamp" : 1743805457226,
     "enabled" : true,
-    "totp" : false,
     "credentials" : [ ],
     "disableableCredentialTypes" : [ ],
     "requiredActions" : [ ],
@@ -613,7 +604,6 @@
     "emailVerified" : false,
     "createdTimestamp" : 1743805463925,
     "enabled" : true,
-    "totp" : false,
     "credentials" : [ ],
     "disableableCredentialTypes" : [ ],
     "requiredActions" : [ ],
@@ -626,7 +616,6 @@
     "emailVerified" : false,
     "createdTimestamp" : 1743808501834,
     "enabled" : true,
-    "totp" : false,
     "serviceAccountClientId" : "admin-permissions",
     "credentials" : [ ],
     "disableableCredentialTypes" : [ ],
@@ -643,7 +632,6 @@
     "emailVerified" : false,
     "createdTimestamp" : 1743805549803,
     "enabled" : true,
-    "totp" : false,
     "credentials" : [ {
       "id" : "b2e3961c-e7c0-43a1-a8be-e6109002ce15",
       "type" : "password",
@@ -663,7 +651,6 @@
     "emailVerified" : false,
     "createdTimestamp" : 1743805558506,
     "enabled" : true,
-    "totp" : false,
     "credentials" : [ {
       "id" : "f167a08f-f7a2-4fcf-8b8f-150157184936",
       "type" : "password",
@@ -683,7 +670,6 @@
     "emailVerified" : false,
     "createdTimestamp" : 1743805517953,
     "enabled" : true,
-    "totp" : false,
     "credentials" : [ ],
     "disableableCredentialTypes" : [ ],
     "requiredActions" : [ ],
@@ -696,7 +682,6 @@
     "emailVerified" : false,
     "createdTimestamp" : 1743805524876,
     "enabled" : true,
-    "totp" : false,
     "credentials" : [ ],
     "disableableCredentialTypes" : [ ],
     "requiredActions" : [ ],
@@ -709,7 +694,6 @@
     "emailVerified" : false,
     "createdTimestamp" : 1743805530104,
     "enabled" : true,
-    "totp" : false,
     "credentials" : [ ],
     "disableableCredentialTypes" : [ ],
     "requiredActions" : [ ],

@@ -47,7 +47,6 @@
 import org.keycloak.events.admin.AdminEvent;
 import org.keycloak.events.admin.AuthDetails;
 import org.keycloak.models.*;
-import org.keycloak.models.credential.OTPCredentialModel;
 import org.keycloak.models.light.LightweightUserAdapter;
 import org.keycloak.provider.ProviderConfigProperty;
 import org.keycloak.representations.account.CredentialMetadataRepresentation;
@@ -247,7 +246,6 @@ public static UserRepresentation toRepresentation(KeycloakSession session, Realm
             rep.setEnabled(user.isEnabled());
         }
         rep.setEmailVerified(user.isEmailVerified());
-        rep.setTotp(user.credentialManager().isConfiguredFor(OTPCredentialModel.TYPE));
         rep.setDisableableCredentialTypes(user.credentialManager()
                 .getDisableableCredentialTypesStream().collect(Collectors.toSet()));
         rep.setFederationLink(user.getFederationLink());

@@ -118,7 +118,6 @@ public UserConfigBuilder federatedLink(String identityProvider, String federated
     public UserConfigBuilder totpSecret(String totpSecret) {
         rep.setCredentials(Collections.combine(rep.getCredentials(), ModelToRepresentation.toRepresentation(
                 OTPCredentialModel.createTOTP(totpSecret, 6, 30, HmacOTP.HMAC_SHA1))));
-        rep.setTotp(true);
         return this;
     }
 

@@ -74,7 +74,6 @@ public void testFullRepresentationOnSearches() {
         users = realm.admin().users().search("user", null, null, true);
         user = users.get(0);
         assertThat(user.getRequiredActions(), nullValue());
-        assertThat(user.isTotp(), nullValue());
     }
 
     @Test

@@ -268,7 +268,6 @@
     {
       "username": "service-account-test-app-service-account",
       "enabled": true,
-      "totp": false,
       "emailVerified": false,
       "email": "[email protected]",
       "serviceAccountClientId": "test-app-service-account",

@@ -292,7 +292,6 @@
     "createdTimestamp" : 1578311988958,
     "username" : "testuser",
     "enabled" : true,
-    "totp" : false,
     "emailVerified" : false,
     "attributes" : {
       "key1" : [ "value1" ],

@@ -145,8 +145,7 @@ public void configureTestRealm(RealmRepresentation testRealm) {
             findTestApp(testRealm).setAttributes(Collections.singletonMap(Constants.ACR_LOA_MAP, getAcrToLoaMappingForClient()));
             UserRepresentation user = RealmRepUtil.findUser(testRealm, "test-user@localhost");
             UserBuilder.edit(user)
-                    .totpSecret("totpSecret")
-                    .otpEnabled();
+                    .totpSecret("totpSecret");
         } catch (IOException e) {
             throw new RuntimeException(e);
         }
@@ -161,8 +160,7 @@ public void beforeTest() {
         userRep.setId(null);
         UserBuilder.edit(userRep)
                 .password(generatePassword("test-user@localhost"))
-                .totpSecret("totpSecret")
-                .otpEnabled();
+                .totpSecret("totpSecret");
         Response response = testRealm().users().create(userRep);
         Assert.assertEquals(201, response.getStatus());
         response.close();

@@ -56,8 +56,7 @@ public void configureTestRealm(RealmRepresentation testRealm) {
         testRealm.setOtpPolicyDigits(6);
         UserRepresentation user = RealmRepUtil.findUser(testRealm, "test-user@localhost");
         UserBuilder.edit(user)
-                   .hotpSecret("hotpSecret")
-                   .otpEnabled();
+                   .hotpSecret("hotpSecret");
     }
 
     @Rule

@@ -71,8 +71,7 @@ public void configureTestRealm(RealmRepresentation testRealm) {
         super.configureTestRealm(testRealm);
         UserRepresentation user = RealmRepUtil.findUser(testRealm, "test-user@localhost");
         UserBuilder.edit(user)
-                   .totpSecret("totpSecret")
-                   .otpEnabled();
+                   .totpSecret("totpSecret");
     }
 
     @Rule

@@ -143,8 +143,7 @@ private UserRepresentation createTestUser(String username, String password, Stri
                 .password(password);
 
         if (totpSecret != null){
-            builder.totpSecret(totpSecret)
-                    .otpEnabled();
+            builder.totpSecret(totpSecret);
         }
 
         return builder.build();

@@ -121,8 +121,7 @@ private UserRepresentation createTestUser(String username, String password, Stri
                 .password(password);
 
         if (totpSecret != null){
-            builder.totpSecret(totpSecret)
-                    .otpEnabled();
+            builder.totpSecret(totpSecret);
         }
 
         return builder.build();

@@ -155,7 +155,6 @@ public UserBuilder secret(CredentialRepresentation credential) {
         }
 
         rep.getCredentials().add(credential);
-        rep.setTotp(true);
         return this;
     }
 
@@ -171,11 +170,6 @@ public UserBuilder hotpSecret(String hotpSecret) {
         return secret(credential);
     }
 
-    public UserBuilder otpEnabled() {
-        rep.setTotp(Boolean.TRUE);
-        return this;
-    }
-
     public UserBuilder addGroups(String... group) {
         if (rep.getGroups() == null) {
             rep.setGroups(new ArrayList<>());

@@ -338,7 +338,6 @@
     "createdTimestamp" : 1476260086682,
     "username" : "admin",
     "enabled" : true,
-    "totp" : false,
     "emailVerified" : false,
     "credentials" : [ {
       "type" : "password",
@@ -361,7 +360,6 @@
     "createdTimestamp" : 1476260405571,
     "username" : "master-test-user",
     "enabled" : true,
-    "totp" : false,
     "emailVerified" : false,
     "credentials" : [ ],
     "requiredActions" : [ ],
@@ -1742,7 +1740,6 @@
     "createdTimestamp" : 1476260593350,
     "username" : "migration-test-user",
     "enabled" : true,
-    "totp" : false,
     "emailVerified" : false,
     "credentials" : [ {
       "type" : "totp",
@@ -1776,7 +1773,6 @@
     "createdTimestamp" : 1476260593350,
     "username" : "offline-test-user",
     "enabled" : true,
-    "totp" : false,
     "emailVerified" : false,
     "credentials" : [ {
       "type" : "password",

@@ -518,7 +518,6 @@
     "id" : "5e09dbcc-2277-4f42-b258-5a2d03061c73",
     "username" : "john",
     "enabled" : true,
-    "totp" : false,
     "emailVerified" : false,
     "credentials" : [ {
       "id" : "e55dcbf5-a385-4989-9b5c-1662760516db",
@@ -535,7 +534,6 @@
     "id" : "ae8e2cd7-c68c-4ce3-8c76-28f1dff8566d",
     "username" : "mike",
     "enabled" : true,
-    "totp" : false,
     "emailVerified" : false,
     "credentials" : [ {
       "id" : "a16e66c3-7f37-461f-9b59-4883b9d5daef",