[keycloak-dev] Decoupled channel authentication (Google Push Authn)

James Holland james.holland at outlook.com
Wed Jun 20 12:37:35 EDT 2018


Hi,

I'm trying to work out how to add an authentication flow where the actual authentication is done in another channel.

Something like Google Push Authenticator: the IDP sends a push message that encodes a transaction; the app receives the push message, decodes it, and prompts the user to confirm (which signs the transaction). This signature is then sent to the IDP and thus allows access to the user in the original triggering channel. The only thing the user has to supply in the original triggering channel is a user identifier, no credentials.

I have all this working in a standalone solution but wish to add this to Keycloak.

There are two OAuth2 related standards that support this model (but I could not find them on the roadmap or feature requests):
- https://tools.ietf.org/html/draft-ietf-oauth-device-flow
- http://openid.net/specs/openid-connect-modrna-client-initiated-backchannel-authentication-1_0.html

I'm struggling to understand the various Keycloak SPIs and when they are invoked; what is the flow? Does there exist a sequence or collaboration diagram showing how the SPIs interact?


So can anyone point me toward the correct approach to this within Keycloak? My current guess is:
1) Write an implementation of the Authentication SPI to send the push message and store the details of the transaction against the user record.
2) Create an endpoint to validate the authentication from the push app and update the stored transaction as complete (or could this be the existing OIDC endpoint but with a different Authentication SPI implementation to validate the TX?).
3) Write some template pages/scripts that will poll against a new API to see if the transaction is complete; if it is, it returns an Access and/or an Id token.


For the initial version I'd expect to have the page/JS poll the API but eventually replace it with a websocket, the http session object subscribing to a message queue to be informed when the transaction is complete.

Sorry for the long message, but any guidance is very welcome. Obviously I intend to make it OSS.

Regards, James
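The three-step model sketched in the post (create a transaction and push it, let the app confirm it with a signature, let the original channel poll for completion) can be exercised end to end without Keycloak. The following is an added example written for this page, not the poster's standalone solution and not Keycloak code; it assumes a per-device HMAC key established at enrolment (constructed here), an HMAC-SHA256 signature over a canonical encoding of the transaction, and an in-memory transaction store with a fixed time-to-live. The server side rejects unknown, already-used and expired transactions and hands the token out only once, which are the checks a decoupled flow needs so that a stale or replayed confirmation cannot unlock the waiting browser session.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample enrolment data. In a real deployment each push app would
# receive its own key when the user enrols it; this value is a placeholder.
DEVICE_KEYS = {"alice": bytes.fromhex("11" * 32)}


def _canonical(tx_id: str, user: str, nonce: str, issued_at: int) -> bytes:
    """Canonical bytes the app signs; binds every field of the transaction."""
    payload = {"tx_id": tx_id, "user": user, "nonce": nonce, "issued_at": issued_at}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


class AuthServer:
    """IdP side: creates transactions, verifies confirmations, answers polls."""

    def __init__(self, device_keys, ttl_seconds=120, clock=time.time):
        self.device_keys = device_keys
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested
        self.transactions = {}

    def start_transaction(self, user: str) -> dict:
        """Step 1: the user supplied only an identifier in the browser; record a
        pending transaction and return the push message destined for the app."""
        if user not in self.device_keys:
            raise KeyError("no enrolled device for user")
        tx_id = secrets.token_urlsafe(16)
        now = int(self.clock())
        self.transactions[tx_id] = {
            "user": user, "nonce": secrets.token_hex(16), "issued_at": now,
            "status": "pending", "token": None,
        }
        return {"tx_id": tx_id, "user": user,
                "nonce": self.transactions[tx_id]["nonce"], "issued_at": now}

    def _expired(self, rec) -> bool:
        return self.clock() - rec["issued_at"] > self.ttl

    def confirm(self, tx_id: str, signature: str) -> bool:
        """Step 2: endpoint the push app calls with the user's signature."""
        rec = self.transactions.get(tx_id)
        if rec is None or rec["status"] != "pending" or self._expired(rec):
            return False            # unknown, replayed, or stale transaction
        expected = hmac.new(
            self.device_keys[rec["user"]],
            _canonical(tx_id, rec["user"], rec["nonce"], rec["issued_at"]),
            hashlib.sha256,
        ).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return False            # constant-time comparison of the signature
        rec["status"] = "complete"
        rec["token"] = secrets.token_urlsafe(24)   # stands in for an access/ID token
        return True

    def poll(self, tx_id: str) -> dict:
        """Step 3: polled by the browser page; the token is released exactly once."""
        rec = self.transactions.get(tx_id)
        if rec is None:
            return {"status": "unknown"}
        if rec["status"] == "pending" and self._expired(rec):
            rec["status"] = "expired"
        if rec["status"] != "complete":
            return {"status": rec["status"]}
        token, rec["token"], rec["status"] = rec["token"], None, "consumed"
        return {"status": "complete", "access_token": token}


class PushApp:
    """Device side: decodes the push message and signs it when the user approves."""

    def __init__(self, user: str, device_key: bytes):
        self.user = user
        self.key = device_key

    def approve(self, push_msg: dict) -> str:
        if push_msg["user"] != self.user:
            raise ValueError("push message is not for this device's user")
        data = _canonical(push_msg["tx_id"], push_msg["user"],
                          push_msg["nonce"], push_msg["issued_at"])
        return hmac.new(self.key, data, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    server = AuthServer(DEVICE_KEYS)
    app = PushApp("alice", DEVICE_KEYS["alice"])
    push = server.start_transaction("alice")       # browser gave only "alice"
    print(server.poll(push["tx_id"]))              # {'status': 'pending'}
    server.confirm(push["tx_id"], app.approve(push))
    print(server.poll(push["tx_id"]))              # complete, with a token
    print(server.poll(push["tx_id"]))              # {'status': 'consumed'}
```

The transaction identifier alone is not enough to complete the flow: the confirmation must carry a signature over the nonce and issue time, so a second browser session cannot be unlocked by re-sending an old confirmation, and the poll endpoint moves the record to a terminal state after the first successful read.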

