KEYCLOAK - 2FA with SMS based OTP text messages | Niko Köbler (@dasniko) 

Thank you so much, Kamal! Also for your donation, this is really appreciated and shows me that not all my effort is worthless!! 👍

Thank you for your positive feedback. I mean the standalone/deployments folder, like also mentioned in the docs (www.keycloak.org/docs/latest/server_development/index.html#using-the-keycloak-deployer). If you deploy your own JAR, you can put the template and message files into this jar, in the structure like in my demo repository. Or/and, you can just add them to your custom theme, if you use one, and thus overwrite the original ones from the JAR.

If your cluster is setup properly, this will work. Additionally, sticky sessions on the load-balancer are recommended for Keycloak, so cluster communication overhead will be reduced.

@@dasniko Thank You For Your Attention.

As my examples are EXAMPLES, you'd better have a look into the source code instead of blindly fetching something and throwing it into a server... See github.com/dasniko/keycloak-2fa-sms-authenticator/blob/4205a6c2bb1bb687df966d2906c3d3bdf3a05df2/src/main/java/dasniko/keycloak/authenticator/SmsAuthenticator.java#L108

There are reasons that it's not available as a ready built extension.

Thanks. How you configure the AWS credentials is up to you. Set them as env vars or system properties and use the default provider chain from AWS. If you want to set and use the access key and secret access key in the provider config form, you‘ll have to extend the code accordingly.

​@@dasniko Thanks for your answer, does injecting access/secret key as environment variable on my docker compose will be enough ?

Yes, that way I‘m using it too

​@@dasniko Thank you very much Mr. Niko.

@@hatimchawki3995 can you tell how to add environment variable for using aws sns in local without any docker configuration . please give the detail of variable name and value . Thanks

www.keycloak.org/docs/latest/server_development/index.html

It‘s pretty the same. Instead of sending the SMS, you just have to send an email. Retrieve the email provider before and send the mail though the provider.

@@dasniko Thanks so much for the information, yes I have now used Keycloak features to send an email instead of SMS. Is there a way to make this configurable so that some users in the realm to use phone OTP (if they have one), and some to have email OTP? My current configuration "Browser with Email" binding would cause everyone on that same realm to require an email OTP, but we want this to be configurable - so some customers in the realm might have a phone OTP and some might have to use the email one.

You have 2 options: 1. Build the condition into the 2FA extension and decide upon some attributes or whatever if you send an SMS or an email 2. Build 2 2FA extensions, one for SMS, one for email, extend your AuthFlow in Keycloak to have a condition based on role or attribute

@@sheevaa2634 Hey ! Were you able to make modifications to use Email for authentication instead of sms? What changes were required? Which Keycloak version have you used? I am trying to do the same but running into few errors. I would really appreciate your help :)

Thank you. Registration steps are a bit different to implement (different interface). Also, registration "flow" just supports one form as default, there has to be done some (dirty hacks) unconventional workarounds to achieve a real flow with various/multiple forms in registration.

@@dasniko Aha I see. I was thinking to use a separate external page in JS for registration and our backend to use Keycloak REST API to do the registration. My understanding is that this is less secure than Keycloak own registration page. Is this true? Do you recommend this approach?

It's always less secure if there is another application dealing with the Keycloak Admin API and therefore this app needs some admin credentials, which can be misused, etc... So, I would say it's a tradeoff between various issues. I, for myself, would not go a detour if there is a direct and secure way to do something, even if it's causing some effort to do this. Security comes with a price. But how expensive is something compared to a data breach? Security must not be a tradeoff.

@@dasniko Thanks. I appreciate your time and effort.

@@dasniko Please I will really appreciate of you can do this 2FA for me. Kindly get back so we can discuss please

I'm facing the same issue. It looks like the option was removed

Not at all. When using OIDC, users are ALWAYS required to authenticate at the IdP, not via an API. That‘s highly insecure, considered harmful, is a man-in-the-middle scenario and stupid.

Did you know how to solve this problem? I also have the same problem.

You have to implement it on your own, depending on your desired behavior. There's no ootb!

That's not related in any way to Keycloak. Just set env vars in Docker like every other env var and access it from Java with System.envvar(...) Where's the problem?

that's really easy, I totally forgot it. Thanks

just google "AWS credentials java"

This would be highly insecure. Additionally, Keycloak does not know the users credentials in cleartext, so it can‘t send them to someone else. Doing something like that would be more than stupid!

@@dasniko All I wanted to do is being redirected to client applications from Account Console))) It turned out easy-pizzy.

@@dasniko Can you give me a council on how to hide some client apps from Account Console? I mean only showing clients that correspond to the user's role(s)...

It works pretty well, yes!

If your users "register" in another app, you can use the admin rest api to create the user in keycloak. The admin rest api is exactly the same thing the admin ui uses under the hodd.

@@dasniko I found this feature in the documentation, thank you, appreciate it. Keylock is embedded in the application that is responsible for registration. I think they can be considered separate. Did I understand correctly that before authorizing a user using OTP (my flow consists only of it, not 2FA) I should register him in keycloak via REST API and only then authorize him, trying to get a token?

If a user is not available (registered) in Keycloak, Keycloak can‘t authenticate the user. 😉 Another option may be to implement a User Storage SPI to use the user data from your application. This way you don‘t have register the user separately, as it is just availabe due to the SPI. Look for this in the „Server developer docs“ of Keycloak.

Side note: I don‘t have experienxce with Keycloak running embedded in another application environment, as this is not officially supported. But I would also assume that despite it is embedded, it‘s a separate app.

​@@dasniko Thanks for the answer! It helped me a lot, but there were also new questions. I feel awkward, because this platform is not intended for detailed questions, but I'm not sure if I can get an answer on other sites. I would be glad if you could answer my questions. Also, if it is more convenient, then I am ready to post the questions somewhere else in accordance with all the rules. Since my last post, I've got a little better understanding of how the SPI Authenticator works and if I understood correctly, it is good practice to run all the authorization logic in Keycloak. In your example, Keycloak sends SMS and validates the code entered by the user through adapter classes for a specific SMS operator. After that, the user is considered authorized and an access token is returned to him. But in my application, entering the code is either authorization or the first stage of registering a new user if the user has not yet been registered in our application. Accordingly, at this stage it may not be necessary to obtain an authorization token. At the same time, Keycloak is responsible for working with OTP. Can keycloak handle such cases? Can I issue or not issue a token depending on the situation? Can a token be issued to a user "delayed" only after the registration procedure is completed? Moving on to the issue of registering Keycloak users, I suspected that Keycloak provides the necessary interfaces for the implementation of user providers, but then I could not find it. Thank you for pointing the right way. And from the moment I received your answer, I started to implement User Storage SPI little by little, but I ran into a problem that I need to implement the isValid method from CredentialInputValidator. With the password, everything is quite clear, we compare two passwords (or two hashes, which is more likely in a real application) and return the result. But what should we do in the case of OTP and is it generally necessary to implement this interface if we do not store information about passwords?

Technically, nearly everything is possible. But IMHO it doesn‘t make sense to use something like 2fa with direct grant flow, which additionally is also one of the most insecure auth flows of all available.

@@dasniko We have the requirement to implement this with direct grant flow only, Can you suggest the most efficient way to do it?

@@sagarpoudel139 Hey, did you find it out?

​@@sagarpoudel139Direct grant is only for test/learning. Use client credential flow.

Please consult the official documentation: www.keycloak.org/docs/latest/server_development/index.html#registering-provider-implementations

yes

Then your user doesn't have the attribute "mobile_number" set. github.com/dasniko/keycloak-2fa-sms-authenticator/blob/251d8c9ed04befa25d659603bbc7f548ba979dc0/src/main/java/dasniko/keycloak/authenticator/SmsAuthenticator.java#L103

I fixed and it's worked. Thank you very much!

well, then just do it!

@@dasniko Means can we do this password update? will Account console allow for OTP in password update?

Well, in that case my videos are just not for you. 🤷‍♂️ It's my style and everything important is visible or in the description linked. Also, hopefully people are not just copy&pasting things they see, but will also think about it and make own assumptions and tests.