Hello guys!
Could someone please help me with the following use case?
We have a requirement to implement 2-factor authentication for our web application using SMS for OTP delivery. Also, after a user is authenticated, we need to use OTP to confirm some sensitive operations as part of the authorisation logic. We would like to implement as much of this functionality in Keycloak as possible.
As I understand, in order to implement 2FA using SMS for OTP delivery, we need to provide a custom authenticator. We could use the existing OTP authenticator and add code to send the OTP via SMS.
The second (authorisation) part seems to be harder. It has two steps:
- generate and send operation confirmation code, and also save it for further authorisation decision
- receive the code from a user and send it as part of an attribute-based authorisation call back to Keycloak. Here we need to define a policy in Keycloak which loads the previously saved confirmation code (that was sent to the user) and compares it with the received one.
So, to implement the authorisation part, we need:
1. to implement a custom REST endpoint in Keycloak which does the 1st step, that is, accesses the user's data, generates a new OTP, sends it and saves it locally
2. during the authorisation call, to somehow access that previously saved confirmation code for the authorisation check.
Am I correct with the approach? Is it possible to implement?
Thank you!
Alexey
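The first part of the question (a custom Keycloak authenticator that delivers an OTP by SMS) is what the following added example sketches. It is not code from the original post or from the Keycloak project itself: it is an illustrative `Authenticator` implementation written against Keycloak's public authentication SPI (`AuthenticationFlowContext`, auth-session notes, `LoginFormsProvider`). The `SmsGateway` interface, the `mobile_number` user attribute, the `sms-otp.ftl` template name, the `otp` form field and the package name are all assumptions for the example; a matching `AuthenticatorFactory` and a `META-INF/services/org.keycloak.authentication.AuthenticatorFactory` registration (not shown) are still needed to deploy it. The `javax.ws.rs` imports match older Keycloak releases; on Quarkus-based releases that moved to Jakarta EE they become `jakarta.ws.rs`.

```java
package com.example.keycloak.sms; // hypothetical package for this example

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.ws.rs.core.MultivaluedMap;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.sessions.AuthenticationSessionModel;

/** SMS OTP step for a browser flow: sends a code in authenticate(), checks it in action(). */
public class SmsOtpAuthenticator implements Authenticator {

    /** Hypothetical SMS transport; the real one would call the chosen SMS provider's API. */
    public interface SmsGateway { void send(String phoneNumber, String text); }

    private static final String PHONE_ATTR = "mobile_number";   // assumed user attribute
    private static final String TEMPLATE = "sms-otp.ftl";       // assumed theme template
    private static final String FIELD = "otp";                  // assumed form field name
    private static final String NOTE_HASH = "sms-otp-hash";
    private static final String NOTE_EXPIRES = "sms-otp-expires";
    private static final String NOTE_ATTEMPTS = "sms-otp-attempts";
    private static final long TTL_MS = 5 * 60 * 1000L;
    private static final int MAX_ATTEMPTS = 3;

    private final SmsGateway gateway;
    private final SecureRandom random = new SecureRandom();

    public SmsOtpAuthenticator(SmsGateway gateway) { this.gateway = gateway; }

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        UserModel user = context.getUser();
        String phone = user.getFirstAttribute(PHONE_ATTR);
        if (phone == null || phone.isEmpty()) {
            // No enrolled number: fail the step rather than silently skipping the second factor.
            context.failure(AuthenticationFlowError.INVALID_USER);
            return;
        }
        // 6-digit code from a CSPRNG; only its hash is kept server-side, in the auth session.
        String code = String.format("%06d", random.nextInt(1_000_000));
        AuthenticationSessionModel authSession = context.getAuthenticationSession();
        authSession.setAuthNote(NOTE_HASH, sha256(code));
        authSession.setAuthNote(NOTE_EXPIRES, Long.toString(System.currentTimeMillis() + TTL_MS));
        authSession.setAuthNote(NOTE_ATTEMPTS, "0");
        gateway.send(phone, "Your verification code is " + code);
        context.challenge(context.form().createForm(TEMPLATE));
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        AuthenticationSessionModel authSession = context.getAuthenticationSession();
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String submitted = form.getFirst(FIELD);
        String expectedHash = authSession.getAuthNote(NOTE_HASH);
        String expires = authSession.getAuthNote(NOTE_EXPIRES);
        if (submitted == null || expectedHash == null || expires == null
                || System.currentTimeMillis() > Long.parseLong(expires)) {
            // Expired or never issued: force a fresh code instead of accepting a stale one.
            context.failureChallenge(AuthenticationFlowError.EXPIRED_CODE,
                    context.form().setError("codeExpired").createForm(TEMPLATE));
            return;
        }
        int attempts = Integer.parseInt(authSession.getAuthNote(NOTE_ATTEMPTS)) + 1;
        authSession.setAuthNote(NOTE_ATTEMPTS, Integer.toString(attempts));
        // Constant-time comparison of hashes; a 6-digit space needs the attempt cap to resist guessing.
        boolean match = MessageDigest.isEqual(
                sha256(submitted.trim()).getBytes(StandardCharsets.UTF_8),
                expectedHash.getBytes(StandardCharsets.UTF_8));
        if (match) {
            authSession.removeAuthNote(NOTE_HASH);   // single use
            context.success();
        } else if (attempts >= MAX_ATTEMPTS) {
            context.failure(AuthenticationFlowError.INVALID_CREDENTIALS);
        } else {
            context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS,
                    context.form().setError("invalidCode").createForm(TEMPLATE));
        }
    }

    private static String sha256(String value) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(value.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
        return user.getFirstAttribute(PHONE_ATTR) != null;
    }
    @Override public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) { }
    @Override public void close() { }
}
```

Keeping the code's hash, expiry and attempt counter in auth-session notes scopes them to the one login in progress, which is what the first (2FA) part needs. The second part of the question, confirming a sensitive operation after login, happens outside any authentication flow, so there is no auth session to hold the code; that is why the post's idea of a custom REST endpoint plus a separate store for the pending confirmation code is a different piece of work from this authenticator.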