[keycloak-dev] Conditional OTP Authentication based on HTTP header or Role

Bill Burke bburke at redhat.com
Mon Jan 11 12:39:00 EST 2016


That's cool!  Thanks.  Something we've been wanting to add.  If you want 
to submit a PR we would welcome it.

On 1/11/2016 9:58 AM, Thomas Darimont wrote:
> Hello,
>
> since this was requested multiple times, I implemented a custom OTP 
> Authenticator
> that can conditionally show the OTP form over the weekend.
>
> You can find more details in the following JIRA issue:
> https://issues.jboss.org/browse/KEYCLOAK-2040
>
> I built something along these lines based on Keycloak 1.8 (already 
> adapted this for Keycloak 1.7) which allows you to conditionally 
> require OTP authentication - I can contribute that if desired.
> The solution consists of a custom ConditionalOtpFormAuthenticator that 
> extends the OTPFormAuthenticator which can be configured with some 
> conditions via the admin interface.
> The decision for whether or not to require OTP authentication can be 
> made based on multiple conditions which are evaluated in the following 
> order. The first matching condition determines the outcome.
> The list of supported conditions includes:
> - User Attribute
> - Role
> - Request Header
> - Configured Default
> If no condition matches, the ConditionalOtpFormAuthenticator fallback 
> is to require OTP authentication.
>
> User Attribute:
> A User Attribute like otp_auth can be used to control OTP 
> authentication on individual user level. The supported values are skip 
> and force. If the value is set to skip then the OTP auth is skipped 
> for the user, otherwise if the value is force then the OTP auth is 
> enforced. The setting is ignored for any other value.
>
> Role:
> A role can be used to control the OTP authentication. If the user has 
> the specified role the OTP authentication is forced. Otherwise if no 
> role is selected the setting is ignored.
>
> Request Header:
> Request Headers are matched via regex Patterns and can be specified as 
> a whitelist and blacklist. No OTP for Header specifies the pattern for 
> which OTP authentication is not required. This can be used to specify 
> trusted networks, e.g. via: X-Forwarded-Host: (1.2.3.4|1.2.3.5) where 
> the IPs 1.2.3.4, 1.2.3.5 denote trusted machines. Force OTP for Header 
> specifies the pattern for which OTP authentication is required. 
> Whitelist entries take precedence over blacklist entries.
>
> Configured Default:
> A default fall-through behavior can be specified to handle cases where 
> all previous conditions did not lead to a conclusion. An OTP 
> authentication is required in case no default is configured.
>
> The code can be found here 
> https://github.com/thomasdarimont/keycloak/tree/issue/KEYCLOAK-2040-Conditional-OTP-Authentication 
> - I can make a PR if this has a chance to get in.
>
> Cheers
> Thomas
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
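The ordered evaluation Thomas describes (user attribute, then role, then request headers with the whitelist consulted before the blacklist, then the configured default, and finally "require OTP" as the fallback) is easy to model without Keycloak on the classpath. The class below is an added example written for this page; it is not code from the linked KEYCLOAK-2040 branch, and the config key names, the Outcome enum and the sample users and headers are assumptions constructed for the demo. Two points a deployer should keep in mind when using the header condition as a "trusted network" signal: the whole "Name: value" line is matched with matches() rather than find(), and the dots in the IP pattern are escaped, because the bare 1.2.3.4 from the mail would also match 1x2y3z4; and an X-Forwarded-* header only reflects the client's network position if the reverse proxy in front of Keycloak overwrites it, so the pattern should be paired with a proxy that does so.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Stand-alone model of the decision logic from the mail: conditions are
 * evaluated in a fixed order and the first one that does not abstain wins.
 * Config key names and the Outcome enum are assumptions for this example.
 */
public class ConditionalOtpDecision {

    /** Result of one condition, or of the whole evaluation. */
    public enum Outcome { SKIP_OTP, SHOW_OTP, ABSTAIN }

    // Config keys as an admin-console form might store them (assumed names).
    static final String OTP_CONTROL_USER_ATTRIBUTE = "otpControlAttribute";
    static final String FORCE_OTP_ROLE = "forceOtpRole";
    static final String NO_OTP_REQUIRED_FOR_HEADER_PATTERN = "noOtpRequiredForHeaderPattern";
    static final String FORCE_OTP_FOR_HEADER_PATTERN = "forceOtpForHeaderPattern";
    static final String DEFAULT_OTP_OUTCOME = "defaultOtpOutcome";

    // Attribute and default values named in the mail.
    static final String SKIP = "skip";
    static final String FORCE = "force";

    public static Outcome decide(Map<String, String> config, Map<String, String> userAttributes,
                                 Set<String> userRoles, Map<String, String> requestHeaders) {
        Outcome o = voteForUserAttribute(config, userAttributes);
        if (o != Outcome.ABSTAIN) return o;
        o = voteForRole(config, userRoles);
        if (o != Outcome.ABSTAIN) return o;
        o = voteForHeaders(config, requestHeaders);
        if (o != Outcome.ABSTAIN) return o;
        o = voteForDefault(config);
        if (o != Outcome.ABSTAIN) return o;
        return Outcome.SHOW_OTP; // fallback: require OTP when nothing concluded
    }

    /** "skip" / "force" on a per-user attribute; any other value is ignored. */
    static Outcome voteForUserAttribute(Map<String, String> config, Map<String, String> attrs) {
        String attrName = config.get(OTP_CONTROL_USER_ATTRIBUTE);
        if (attrName == null) return Outcome.ABSTAIN;
        String value = attrs.get(attrName);
        if (SKIP.equalsIgnoreCase(value)) return Outcome.SKIP_OTP;
        if (FORCE.equalsIgnoreCase(value)) return Outcome.SHOW_OTP;
        return Outcome.ABSTAIN;
    }

    /** A configured role forces OTP; with no role configured the check is ignored. */
    static Outcome voteForRole(Map<String, String> config, Set<String> roles) {
        String role = config.get(FORCE_OTP_ROLE);
        if (role == null || role.isEmpty()) return Outcome.ABSTAIN;
        return roles.contains(role) ? Outcome.SHOW_OTP : Outcome.ABSTAIN;
    }

    /** Whitelist (no OTP) is consulted before blacklist (force OTP). */
    static Outcome voteForHeaders(Map<String, String> config, Map<String, String> headers) {
        if (anyHeaderMatches(config.get(NO_OTP_REQUIRED_FOR_HEADER_PATTERN), headers)) return Outcome.SKIP_OTP;
        if (anyHeaderMatches(config.get(FORCE_OTP_FOR_HEADER_PATTERN), headers)) return Outcome.SHOW_OTP;
        return Outcome.ABSTAIN;
    }

    /** Each header is rendered as "Name: value"; the whole line must match the pattern. */
    static boolean anyHeaderMatches(String regex, Map<String, String> headers) {
        if (regex == null || regex.isEmpty()) return false;
        Pattern p = Pattern.compile(regex);
        for (Map.Entry<String, String> h : headers.entrySet()) {
            if (p.matcher(h.getKey() + ": " + h.getValue()).matches()) return true;
        }
        return false;
    }

    /** Configured default, used only when every earlier condition abstained. */
    static Outcome voteForDefault(Map<String, String> config) {
        String d = config.get(DEFAULT_OTP_OUTCOME);
        if (SKIP.equalsIgnoreCase(d)) return Outcome.SKIP_OTP;
        if (FORCE.equalsIgnoreCase(d)) return Outcome.SHOW_OTP;
        return Outcome.ABSTAIN;
    }

    public static void main(String[] args) {
        Map<String, String> config = new HashMap<>();
        config.put(OTP_CONTROL_USER_ATTRIBUTE, "otp_auth");
        config.put(FORCE_OTP_ROLE, "admin");
        // Dots escaped so "1.2.3.4" cannot match "1x2y3z4"; the mail's example leaves them bare.
        config.put(NO_OTP_REQUIRED_FOR_HEADER_PATTERN, "X-Forwarded-Host: (1\\.2\\.3\\.4|1\\.2\\.3\\.5)");
        config.put(DEFAULT_OTP_OUTCOME, SKIP);

        // Constructed sample data for the demo.
        Map<String, String> noAttrs = Collections.emptyMap();
        Set<String> noRoles = Collections.emptySet();
        Map<String, String> trusted = Collections.singletonMap("X-Forwarded-Host", "1.2.3.4");
        Map<String, String> untrusted = Collections.singletonMap("X-Forwarded-Host", "10.0.0.7");

        System.out.println("attribute force:  " + decide(config, Collections.singletonMap("otp_auth", "force"), noRoles, trusted));
        System.out.println("admin role:       " + decide(config, noAttrs, Collections.singleton("admin"), trusted));
        System.out.println("trusted header:   " + decide(config, noAttrs, noRoles, trusted));
        System.out.println("default (skip):   " + decide(config, noAttrs, noRoles, untrusted));
        config.remove(DEFAULT_OTP_OUTCOME);
        System.out.println("no default:       " + decide(config, noAttrs, noRoles, untrusted));
    }
}
```

Running main() walks through each condition in turn: the per-user attribute decides even when the request comes from a whitelisted address, the role decides next, the whitelisted header skips OTP, the configured default handles the untrusted request, and removing the default falls back to requiring OTP. Wiring this into a real authenticator would replace the maps with the user, role and HTTP header lookups available from Keycloak's authentication flow context.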
