[Request for Feedback - KEYCLOAK-847] Step up Authentication

Cornelia Lahnsteiner

Mar 2, 2021, 12:46:32 PM
to Keycloak Dev
Hi all,
 
we would like to push the integration of the step up mechanism into Keycloak and have already implemented a prototype which can be tested. The implementation builds on Keycloak's design proposal [1]. 

Our code is available under [2] and a ReadMe is also available under [3] in order to configure the authentication flow and test the feature.
 
We would highly appreciate some feedback on our implementation that we can integrate before making a PR and we have an open question regarding full authentication when no acr value is specified in the request, which is described in more detail under [4]. It would be great if someone would give it a look.

Thanks,
Cornelia

Stian Thorgersen

Mar 5, 2021, 8:52:19 AM
to Cornelia Lahnsteiner, Keycloak Dev
Hi Cornelia,

That's great. I hope that we can get the authentication wg setup as soon as possible. I would really like to take a look at your work if I can find the time, but will also identify someone from the Keycloak team that can review it properly.

With regard to the open points in the README, it's been a while since I read the design proposal, but what I at least had in mind was that there would be a default level for a realm, a default level for clients, and that clients can optionally request a different level during the auth request. I'd also think that the user should only have to provide what is missing, and never have to do a full authentication again, unless that is explicitly requested.

Pedro Igor Craveiro e Silva

Mar 5, 2021, 1:29:41 PM
to st...@redhat.com, Cornelia Lahnsteiner, Keycloak Dev
Indeed, nice work. Quite surprised that changes are not so huge. Probably a good sign.

One thing that came to my mind after running the README.md is that we could make life easier for clients if they could just provide a scope, where that scope would reference a client scope in Keycloak set with a specific LoA. So a request would not necessarily force clients to use the claims parameter; they could just use the scope parameter.

Cornelia Lahnsteiner

Mar 8, 2021, 7:33:57 AM
to Keycloak Dev
Thank you for your replies!

It would be great if someone from the Keycloak team could review our code and give us feedback so we can include it before a PR. Is there anyone in particular from your team we should get in touch with? Furthermore, we have added integration tests for the step up authentication. 

Regarding full authentication when no acr is requested: This was also our thought, that the user only has to provide what is missing. Therefore, if no acr is requested, we perform the first level of authentication and if the user is already authenticated, they do not have to perform the first level of authentication again. Configuring a default level on the client was an additional feature for us, as it does not solve the problem, because if nothing is configured on the client (some admins will not use step-up authentication and therefore it should not be a mandatory configuration field on the client), a fallback value has to be used, which would be level 1. And this behavior would amount to the same behavior that we have already implemented.

Regarding the translation of a scope to a specific LoA: We have already implemented an execution for this, as we need it for our use case. But since it is already mentioned here, I think it could be valuable for everyone and we will contribute the code.

Best regards,
Cornelia
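
As an added example (not code from this thread, the PR, or Keycloak itself), the following Python model shows the resolution the messages above describe: an acr requested in the authorization request (OIDC claims parameter or acr_values), an LoA-bearing client scope as Pedro suggests, client and realm defaults as Stian describes, and the rule that a user only completes what is missing, with the level-1 fallback Cornelia describes when no acr is requested. The acr-to-LoA table, the scope names, the resolution order, the treatment of multiple acr values as alternatives, and the use of prompt=login as the explicit full re-authentication trigger are all assumptions made for illustration, not the PR's behaviour.

```python
"""Model of how a step-up request resolves to a level of assurance (LoA) and
to the authentication steps a user still has to complete.

Constructed example; not Keycloak code. The tables below, the resolution
order and the prompt=login rule are assumptions, not the PR's behaviour.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Assumed realm configuration: OIDC acr value -> level of assurance.
ACR_TO_LOA = {"silver": 1, "gold": 2, "platinum": 3, "diamond": 4}
# Assumed client scopes carrying an LoA (the scope-based shortcut from the
# thread): requesting the scope is equivalent to requesting that level.
SCOPE_TO_LOA = {"loa-gold": 2, "loa-platinum": 3}
# Assumed flow: which authenticator completes each level. Level 4 exists as
# an acr value but the flow cannot reach it, to show the unmet case.
LEVEL_AUTHENTICATORS = {1: "password", 2: "otp", 3: "webauthn"}
REALM_DEFAULT_LOA = 1  # fallback when nothing else specifies a level


@dataclass
class ClientConfig:
    client_id: str
    default_loa: Optional[int] = None  # None: admin never configured step-up


@dataclass
class AuthRequest:
    client: ClientConfig
    claims: Optional[str] = None      # raw OIDC `claims` parameter (JSON)
    acr_values: Optional[str] = None  # space-separated OIDC `acr_values`
    scope: str = "openid"             # space-separated OIDC `scope`
    prompt: Optional[str] = None      # prompt=login forces re-authentication


def acr_values_to_loa(values) -> Optional[int]:
    """Requested acr values are alternatives (any one satisfies the request),
    so the least demanding known value wins; unknown values are ignored."""
    levels = [ACR_TO_LOA[v] for v in values if v in ACR_TO_LOA]
    return min(levels) if levels else None


def loa_from_claims(claims_json: str):
    """Parse the `claims` parameter. Returns (loa, essential) for an id_token
    acr request, or (None, False) if no acr was requested or JSON is unusable."""
    try:
        acr = json.loads(claims_json).get("id_token", {}).get("acr")
    except (json.JSONDecodeError, AttributeError):
        return None, False
    if not isinstance(acr, dict):
        return None, False
    values = acr.get("values") or ([acr["value"]] if "value" in acr else [])
    return acr_values_to_loa(values), bool(acr.get("essential", False))


def required_loa(req: AuthRequest):
    """Resolve the level a request demands, most specific source first:
    claims parameter, acr_values, LoA-bearing scope, client default, realm
    default. Returns (loa, essential, source)."""
    loa, essential = loa_from_claims(req.claims) if req.claims else (None, False)
    if loa is not None:
        return loa, essential, "claims"
    loa = acr_values_to_loa(req.acr_values.split()) if req.acr_values else None
    if loa is not None:
        return loa, False, "acr_values"  # acr_values is a voluntary request
    scope_levels = [SCOPE_TO_LOA[s] for s in req.scope.split() if s in SCOPE_TO_LOA]
    if scope_levels:
        return max(scope_levels), True, "scope"
    if req.client.default_loa is not None:
        return req.client.default_loa, True, "client_default"
    return REALM_DEFAULT_LOA, True, "realm_default"


def steps_to_run(req: AuthRequest, session_loa: int):
    """Decide what the user must still do. `session_loa` is the level already
    proven in the SSO session (0 = not logged in). Only the missing levels run;
    a full re-authentication happens only on an explicit prompt=login."""
    target, essential, source = required_loa(req)
    if target > max(LEVEL_AUTHENTICATORS):
        # The flow cannot reach this level: an essential request fails, a
        # voluntary one is honoured as far as the flow goes.
        if essential:
            return {"error": "unmet_authentication_requirements", "source": source}
        target = max(LEVEL_AUTHENTICATORS)
    start = 0 if req.prompt == "login" else session_loa
    steps = [LEVEL_AUTHENTICATORS[lvl] for lvl in range(start + 1, target + 1)]
    return {"required_loa": target, "source": source, "steps": steps}


if __name__ == "__main__":
    app = ClientConfig("app")  # constructed client with no default level
    gold = '{"id_token":{"acr":{"essential":true,"values":["gold"]}}}'
    print(steps_to_run(AuthRequest(client=app), 0))                  # level-1 fallback
    print(steps_to_run(AuthRequest(client=app, claims=gold), 1))     # only the otp step
    print(steps_to_run(AuthRequest(client=app, claims=gold, prompt="login"), 2))
```

The interesting cases are the ones the thread argues about: with no acr and no client default the realm fallback yields level 1 and an already-authenticated user gets an empty step list, while a gold request against a level-1 session runs only the second factor. An essential request the flow cannot satisfy is refused rather than silently downgraded, which is the check a reviewer would want to see in any real implementation.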

Cornelia Lahnsteiner

Mar 30, 2021, 9:09:17 AM
to Keycloak Dev
I have created a PR for the support of the step up mechanism available under https://github.com/keycloak/keycloak/pull/7897

It would be great if someone could take a look at our work and review it. 

Thanks,
Cornelia

COSTAS GEORGILAKIS

Jun 9, 2021, 5:21:05 AM
to Keycloak Dev
Thanks Cornelia Lahnsteiner for your PR.
Acceptance of this PR is essential for our team's Keycloak implementation as well. Could the Keycloak team review this PR as soon as possible, so that step-up authentication for OIDC clients is at least available in the next Keycloak version (14.0.0)?
I have made a comment in the PR in order to improve it.

Moreover, we are interested in implementing the SAML implementation of the design document (related issues of KEYCLOAK-847) based on this PR. However, to commit such a PR, https://github.com/keycloak/keycloak/pull/7897/files should first be accepted. We may only need help with SAML client tests similar to the tests provided by this PR.
