I'm using Keycloak to implement the Webauthn authentication. Everything are working well. I just want to ask a question… Is it possible to allow only the fingerprint authentication method? I mean disable the usb key and any other options.
Thank you very much.
No, this is not possible as no known authenticators support the uvm extension which would be required for this.
Related
I have been able to leverage Keycloak's "Default Actions" section in "Authentication" to force new users to setup MFA via Google Authenticator.
However, I've only been able to make this required for all users or not even possible to turn on. I'm looking for a way to allow users to opt in to MFA via OTP if they would like during Sign Up.
I think you need to use the Authentication api, and specifically the one for extending the registration page/form.
See: https://www.keycloak.org/docs/latest/server_development/#modifying-extending-the-registration-form
I will give it a try tonight, and update my answer.
There is no default option out of the box to implement this authentication flow.
You can create a custom authentication flow with a step asking the user to do the MFA.
This can be made using a javascript authenticator (https://www.keycloak.org/docs/latest/server_development/#_script_providers) or a java service provider interface. https://www.keycloak.org/docs/latest/server_development/#_auth_spi
I'm implementing the Keycloak authentication with vertx. I would like to customize login flow, instead of username/password form I want to login via mobile number and OTP.
Any one can help me if they have created any custom required action provider in keycloak.
Thanks in advance.
I think this would be doable in Keycloak now with Authenticator SPI. Please have a look on this code you will get to know you can revamp full login flow without much issue .
Same can be rewrite for login from mobile number.
Please have a look this API keycloak-sms-authenticator,it will give much flexibility to do SMS based Authentication without writing much line of code.
Here is another good official documentation Custom User Attributes available how to use mobile number .
I'd like to allow untrusted clients to subscribe to MQTT and AMQP queues on ably.io.
Can I use one of the token authentication schemes described in https://www.ably.io/documentation/core-features/authentication#token-authentication somehow, or do I have to set up a separate API key for each client?
If the latter, can API keys be provisioned dynamically?
I went through the docs & help desk articles, but couldn't find anything regarding this combination. Is this just a missing feature or generally a bad idea on my part?
Thanks in advance
Short answer: Yes
Long answer: Token authentication can be used for authenticating all kinds of Ably clients. As an example, have a look at the MQTT docs on Ably's website and you'll find the authentication section that explains how to implement Token Auth with MQTT. As you just said, using Token Authentication is not only more secure but also gives you a way as an admin of the app to set up your own authentication server to carry out your custom authentication strategy.
Hope that helps!
P.S. I'm a Developer Advocate for Ably Realtime.
I need your help please.
I developed some REST services with .NET Web API.
These sevices must authenticate the clients with username and password.
The solution I find out in Internet is "Basic Authentication".
The BIG problem is that I can't use SSL for secure the comunication. I don't have HTTPS.
Using basic authentication without SSL is not a good solution.
I'm not able searching on Internet to find out a solution that can authenticate the clients over http using username and password.
Please can you help me?
Summarizing I need to authenticate the user in a Web.API using username and password. I can't use SSL. My comunication is on HTTP.
Thanks!!!
You could use the ASP.NET membership provider:
http://msdn.microsoft.com/en-us/library/yh26yfzy(v=vs.100).aspx
Basically - you can't do that.
Sure there are scheme that don't transfer credentials in clear text over the wire - but it is not only about the credentials. All the data is going over the wire in the clear as well, you have no authentication of the server, no confidentiality, no integrity protection, no replay protection etc…
If you don't care about all these features - why bother with (secure) authentication at all?
The only other common approach for username + password authentication I am aware of is digest access authentication. There is a blog here showing an example for WebApi.
This will give you some protection without SSL as it uses hashes; however, I wouldn't really advocate it until all the disadvantages of this approach a fully read and understood.
Without SSL, basic is not secure but digest is also not secure due to man-on-the-middle attacks. I would recommend you to use some public/private key based approaches like HMAC or encrypting as paul said with hash + salt.
What is the best/easiest way to authenticate a user from an iPhone client to a PHP/MySQL web-service? I have not set any authentication up and I want to keep track of the user so when I call my services it sends the username. I want to make sure this user is unique and if they lose their phone they will be able to re-download app and login with credentials.
This is very open ended question. Can you please provide some use cases that way we can help. If you are talking about Secure Authentication then just use HTTPS:
HTTPS was designed specifically to:
1)use encryption to defend against packet-sniffing
2)use certificates signed by an authority to defend against MITM