Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Keycloak: 2FA protection for a specific resource

Tags:

keycloak

multi-factor-authentication

I want to protect a high-level risk feature with 2FA. Historically, we use 2FA SMS. I want to propose the same feature but ideally, I wish to be able to integrate also native Keycloak OTP authenticator (more secure). That' s why based on keycloak-sms-authenticator-sns https://github.com/nickpack/keycloak-sms-authenticator-sns> , I have improved this authenticator (I will make a merge request soonly).

I have searched in Keycloak 3.4.3 documentation but using the same realm, I haven't seen any feature to ask 2FA when the final user want to access to a specific resource. Role mechanism allows managing access (403 - 200) but it seems that it isn't cover my use case. I 'm not sure that UMA 2.0 could be offering this feature. Moreover, It isn't yet implemented. Level of assurance seems very well but it isn't yet implemented and it would be difficult to do it.

I could include a servlet filter on the business application (JBoss adapter) to route user to 2FA authenticator when he wants to access the resource. But in this case, I have to propagate a state between Keycloak and Java adapter to not ask 2FA code for each access. It could be a little bit tricky in cluster mode (stateless service).

Have you any idea to cover this use case easily based on native keycloak features? If that isn't the case, in your opinion, what is the best solution (see above)? (easiest integration for maintainability, clustering support and 2FA technic agnostic)

Thank you for sharing your experience.

like image 577
Malys Avatar asked Mar 22 '18 09:03

Malys

2 Answers

It seems that you are looking for a kind of Step-up authentication. This isn't yet implemented in Keycloak, but there's an existing jira ticket for this here.

There was also already a discussion on the mailinglist (and maybe some other threads I didn't find currently).

I also stumbled upon a "Conditional OTP Form Authenticator" from Thomas Darimont, a very active Keycloak community commiter.

HTH in some way.

like image 200
dasniko Avatar answered Sep 17 '22 17:09

dasniko

Keycloak will support OOTB step-up authentication in the next release (keycloak version 17). Nowadays this feature is not officially released, but you can test it building keycloak from source (branch: main).

On the other hand, here is article about Keycloak step-up authentication-for Web Apps and API with some findings, perhaps It would help you.

like image 38
Martin Besozzi Avatar answered Sep 19 '22 17:09

Martin Besozzi
Sign in to Comment

Related questions

Getting user keycloak Not Found exception
Running Wildfly Swarm with KeyCloak on docker image
Openidc with Keycloak error uthenticate(): request to the redirect_uri_path but there's no session state found, client

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!