I want to protect a high-level risk feature with 2FA. Historically, we use 2FA SMS. I want to propose the same feature but ideally, I wish to be able to integrate also native Keycloak OTP authenticator (more secure). That' s why based on keycloak-sms-authenticator-sns https://github.com/nickpack/keycloak-sms-authenticator-sns> , I have improved this authenticator (I will make a merge request soonly).
I have searched in Keycloak 3.4.3 documentation but using the same realm, I haven't seen any feature to ask 2FA when the final user want to access to a specific resource. Role mechanism allows managing access (403 - 200) but it seems that it isn't cover my use case. I 'm not sure that UMA 2.0 could be offering this feature. Moreover, It isn't yet implemented. Level of assurance seems very well but it isn't yet implemented and it would be difficult to do it.
I could include a servlet filter on the business application (JBoss adapter) to route user to 2FA authenticator when he wants to access the resource. But in this case, I have to propagate a state between Keycloak and Java adapter to not ask 2FA code for each access. It could be a little bit tricky in cluster mode (stateless service).
Have you any idea to cover this use case easily based on native keycloak features? If that isn't the case, in your opinion, what is the best solution (see above)? (easiest integration for maintainability, clustering support and 2FA technic agnostic)
Thank you for sharing your experience.
It seems that you are looking for a kind of Step-up authentication. This isn't yet implemented in Keycloak, but there's an existing jira ticket for this here.
There was also already a discussion on the mailinglist (and maybe some other threads I didn't find currently).
I also stumbled upon a "Conditional OTP Form Authenticator" from Thomas Darimont, a very active Keycloak community commiter.
HTH in some way.
Keycloak will support OOTB step-up authentication in the next release (keycloak version 17). Nowadays this feature is not officially released, but you can test it building keycloak from source (branch: main).
On the other hand, here is article about Keycloak step-up authentication-for Web Apps and API with some findings, perhaps It would help you.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With