Generate Backup codes for OTP configured using Keycloak - keycloak

We are using Keycloak v4.5.0.Final and have configured OTP for all the users. Is it possible to generate backup codes (like Google does for its two-factor authentication) in case the user doesn't have Google Authenticator handy?

Yes, but you will have to create your own implementation of the OTP authenticator. In my company we customized the default OTP authenticator and the Configure OTP required action, so now after OTP initiation the user receives an OTP recovery code, which is stored in his attributes (e.g. Users -> john.doe -> Attributes). Then, when the user has to provide the next OTP code, he can also hit a "Lost device" link on the OTP code form (we've also customized the Keycloak themes), provide the recovery code, and reinstall the OTP settings.
Keycloak customizing docs
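As an added illustration (not the answer's own code), this is the shape such a "Lost device" authenticator can take in Keycloak's Authenticator SPI. The attribute name, form template, field name and message key are assumptions, and unlike the answer it stores only a SHA-256 digest of the recovery code and invalidates it after one use.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/** Verifies a single-use OTP recovery code kept as a hashed user attribute. */
public class RecoveryCodeAuthenticator implements Authenticator {
    // Assumed names: attribute written when the code was issued (base64 of SHA-256), theme template, input field.
    static final String ATTR_HASH = "otp_recovery_code_sha256";
    static final String TEMPLATE = "recovery-code.ftl";
    static final String FIELD = "recovery_code";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // Render the "Lost device" form from the custom theme; action() handles the submit.
        context.challenge(context.form().createForm(TEMPLATE));
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        UserModel user = context.getUser();
        String submitted = context.getHttpRequest().getDecodedFormParameters().getFirst(FIELD);
        String stored = user.getFirstAttribute(ATTR_HASH);
        // Constant-time comparison of the submitted code's digest with the stored digest.
        boolean ok = submitted != null && stored != null
                && MessageDigest.isEqual(sha256(submitted), Base64.getDecoder().decode(stored));
        if (!ok) {
            // "invalidRecoveryCode" is an assumed key in the theme's message bundle.
            context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS,
                    context.form().setError("invalidRecoveryCode").createForm(TEMPLATE));
            return;
        }
        user.removeAttribute(ATTR_HASH);                                 // the code is single use
        user.addRequiredAction(UserModel.RequiredAction.CONFIGURE_TOTP); // force re-enrolment of a device
        context.success();
    }

    static byte[] sha256(String code) {
        try { return MessageDigest.getInstance("SHA-256").digest(code.trim().getBytes(StandardCharsets.UTF_8)); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return u.getFirstAttribute(ATTR_HASH) != null; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

Deploying it still needs a matching AuthenticatorFactory registered under META-INF/services/org.keycloak.authentication.AuthenticatorFactory, and the customized Configure OTP required action is where the code would be generated and its digest written to the attribute.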

Related

Keycloak 18 proper configuration

I am using Keycloak to authenticate a user for a Vaadin application. The Vaadin application creates its own user session after successful authentication with Keycloak. I need the user to be able to change the password and email address.
Now I do not quite understand how to implement it correctly. There is a user Keycloak console that has this kind of functionality. But, for example, when a user changes their email address, the user is not prompted to confirm that new email address until a new login. Should I disable the Keycloak user console and e.g. use the Keycloak REST API directly from the Vaadin app to perform email/password changes? Or should I keep using Keycloak's custom console and configure it there?
What is the proper way to deal with such things with Keycloak? In case of Keycloak API I'd really appreciate the examples of API calls which should I perform in order to change the user password and email.

Keycloak - allow linking of 2 accounts with different emails

I need to implement a login flow with KeyCloak where a user will be prompted to reauthenticate with an existing account (by email/password or via a social IdP) after authentication with a non-existing social account, OR choose to create a new KeyCloak account.
Something like in the picture below:
Is it possible to implement such a flow with KeyCloak?
That flow is possible with the regular Identity Providers feature in Keycloak.
Overview Steps
Detailed information here
1. IDP URL
{keycloak URL}/realms/{realm}/broker/{idp name}/endpoint
example:
http://localhost:8180/auth/realms/test/broker/stackoverflow/endpoint
2. Register Application at Social App
example: StackOverflow https://stackapps.com/
3. Get Client Information from Social App
example: StackOverflow
4. Set IDP at Keycloak
5. Test
5.1 Before adding the user
5.2 Log in via social
5.3 Update the user account (set password and e-mail)
5.4 Check the added user
5.5 Test the added user's login by username/password OR by clicking the social icon without credentials
5.6 Logged in both ways
5.7 Picked up the e-mail from Facebook and detected that the e-mail already exists.
5.8 I selected "Add to existing account", then filled out the e-mail and password from Keycloak.
The authentication flows within Keycloak can be customized (virtually all of the flows can be customized or extended). I believe you'll need to implement a custom Authentication SPI (Service Provider Interface). This will be a JAR in which you can add custom logic upon account creation.
Here's the Keycloak documentation for SPIs.

How to disable UserName and Password Form in Keycloak and provide options to choose among multiple IDPs

The realm in Keycloak is configured with multiple IDPs like Azure, Okta, Google etc.
But username and password login is something that is not needed.
In the browser authentication flow, if I disable Forms instead of "Alternative", the login page appears with "Invalid Username or Password".
Please note I want multiple IDPs buttons to appear in the login page without the Username and Password Login Form.
Not much is documented about this in the Keycloak documentation.
You can use a custom authentication provider to achieve your goal.
1. Instruct Keycloak to assign a specific user attribute to all users arriving from the IDP.
2. Build an authentication provider which checks for that user attribute and denies access.
3. Add the authentication provider to the Browser login flow.
4. Create a new theme and adjust the template files to hide the login fields and show a user-friendly error if the user fails step 2. Use the theme only on the relevant realm.
Further details here: https://groups.google.com/g/keycloak-user/c/N9cuqXIBrSA/m/sycLxTZbCAAJ
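As an added illustration of step 2 (not the answer's or the linked thread's code), a minimal Keycloak Authenticator that refuses the browser flow to any user lacking the attribute the IDP mapper from step 1 sets; the attribute name and value are assumptions.

```java
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/** Placed after the username/password form: only users marked by the IDP mapper may continue. */
public class IdpOnlyAuthenticator implements Authenticator {
    // Assumed attribute name/value; an attribute importer mapper on each IDP must set it (step 1).
    static final String ATTR = "authenticated_via_idp";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        UserModel user = context.getUser();
        if (user == null || !"true".equals(user.getFirstAttribute(ATTR))) {
            // Local-only accounts are refused; the custom theme (step 4) renders the friendly error.
            context.failure(AuthenticationFlowError.ACCESS_DENIED);
            return;
        }
        context.success();
    }

    @Override public void action(AuthenticationFlowContext context) { }
    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```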

Send OTP via email in Keycloak

I want to use Keycloak to implement SSO, but I noticed that there is no email OTP embedded in Keycloak. How do I send an OTP through email in Keycloak?
I want the OTP to be provided not only via GoogleAuthenticator or FreeOTP app but also via email.
Is it possible to do it with Keycloak?
Yes, it is possible; you need to create a new authenticator provider.
The Server Development part of the Keycloak reference documentation contains additional resources and examples for developing custom Keycloak extensions.
https://www.keycloak.org/docs/latest/server_development/index.html
Or you can use this email 2FA OTP Keycloak provider:
https://github.com/mesutpiskin/keycloak-2fa-email-authenticator

Keycloak Execution Flow

I'm a little confused with configuring alternative execution flows.
I currently have the following configured.
Cookie <- Alternative
Username Password Form <- Required
TOTP Configured? <- Alternative
OTP Form <- Optional
No, SMS then <- Alternative
SMS Auth <- Optional
As you can guess, I want SMS auth to trigger if OTP is not configured for the user.
At the moment it seems that if OTP isn't configured, the OTP Form is skipped, authentication is successful and SMS is skipped. Is there a way to tell Keycloak that if OTP is not configured, then the 'TOTP Configured?' execution flow has failed, so the 'No, SMS then' execution flow is actioned?
(In the source code it looks like context.success() is called if OTP is not configured for the user.)
I'm using Keycloak 7.0.0.
Thanks,
Stuart
Usually top-level executions or sub-flows must be Alternative for the browser flow (Cookie is enough for authentication in the application if you have already passed Password && (OTP || SMS)). From my point of view the flow should be like this:
Cookie -> Alternative
Forms (Sub-flow) -> Alternative
  Password -> Required
  2FA (Sub-flow) -> Required
    OTP -> Alternative
    SMS -> Alternative
So if we reach the credentials verification stage: we MUST pass Password verification, then we MUST pass one of the 2FA authenticators (OTP or SMS). But the SMS and OTP authenticators should be properly implemented (possibly you will have to tune their source code; see the Keycloak src and the Keycloak customization docs).