[keycloak-user] Directs Grants API & OTP

Stefan Schlesinger sts at ono.at
Wed Mar 1 06:12:58 EST 2017


Hi Marek,

If I follow you correctly, you are talking about configuring the OTP challenge
as an optional action during the authentication process of the Direct Grants API
flow.

This doesn’t help me avoid unnecessarily prompting the user for a 2FA token
that was never configured.

My Setup:

[Keycloak] - [Radius] - [NAS (VPN Gateway)] - [Client (VPN Client)]

IMO my Radius server, which is talking via the OpenID Connect Direct Grants API
to Keycloak, needs to determine whether a given user has a configured OTP
device, so I can decide in my Radius module whether to send an additional
Access-Challenge request to the NAS, which will trigger a 2FA input dialog at
the VPN client.

Radius is a session-based protocol. A session consists of multiple corresponding
requests and responses between the Radius server and the NAS. The flow is like this:

Client -> NAS: Login via Username=foo, Password=bar
NAS -> Radius: Access-Request (Username=foo, User-Password=bar)

Now I’d need to find out whether the user needs to be challenged via 2FA.
In case it was configured, we continue like this:

Radius -> NAS: Access-Challenge (Please provide OTP token.)
NAS -> Client: Please provide OTP Token.
Client -> NAS: TOTP=12345
NAS -> Radius: Access-Request (Username=foo, User-Password=12345)
Radius -> Keycloak: username=foo&password&totp=12345
Keycloak -> Radius: 200 or 401
Radius -> NAS: Access-Accept or Access-Reject

Best,

Stefan.


> On 23 Feb 2017, at 13:55, Marek Posolda <mposolda at redhat.com> wrote:
> 
> Hmm.. I am looking at class ValidateOTP and there is an initial call to check whether OTP is
> configured for the user. Once you have this authenticator OPTIONAL, it should work.
> Do you have this OPTIONAL? Are you using this or other authenticator?
> 
> Marek
> 
> On 23/02/17 11:54, Stefan Schlesinger wrote:
>> Hello,
>> 
>> I’m using the Direct Grants API as authentication backend for our Radius server.
>> 
>> Currently I’m unable to determine whether a user already has an OTP token configured or not,
>> and thus our Radius server always prompts the user with an Access-Challenge dialog.
>> 
>> Users who haven’t configured an OTP token yet won’t be able to login, or in case I can work
>> around this issue, will at least be presented with a question for an OTP token, which they
>> are not aware of.
>> 
>> Is there a way I could improve this? E.g. an API call which authenticated OpenIDC
>> clients can trigger?
>> 
>> Best,
>> 
>> Stefan.
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
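The two-leg Radius exchange described in the message above, worked through as an added example (not code from this thread, from Keycloak, or from any Radius server). Keycloak is replaced by an in-memory stub of the direct-grant token endpoint that accepts the `totp` form field the message uses; the user table, passwords and OTP codes are constructed. The `keycloak_user_has_otp` lookup is exactly what the thread asks for and what the direct-grant API does not provide, so here it is answered from the stub table; the Radius module around it shows the part that is fixed regardless of where that answer comes from: holding the first-leg password under a random, single-use, expiring `State` attribute until the OTP arrives, and only then calling the token endpoint once with password and OTP together.

```python
import secrets
import time

# --- Constructed stand-in for Keycloak (no network; assumed user data) -------
# A real Radius module would POST to
#   https://<host>/auth/realms/<realm>/protocol/openid-connect/token
# with grant_type=password, client_id, username, password and, when the
# "Direct Grant - Validate OTP" authenticator is enabled, a `totp` field.
USERS = {
    "foo":   {"password": "bar",    "totp_code": "12345"},   # OTP device enrolled
    "alice": {"password": "s3cret", "totp_code": None},      # no OTP device
}

def keycloak_direct_grant(form):
    """Stub of the direct-grant token endpoint: returns (http_status, body)."""
    user = USERS.get(form.get("username"))
    if user is None or form.get("password") != user["password"]:
        return 401, {"error": "invalid_grant"}
    if user["totp_code"] is not None and form.get("totp") != user["totp_code"]:
        # A missing or wrong OTP is the same 401 as a wrong password, which is
        # why the Radius side cannot learn "needs OTP" from this endpoint alone.
        return 401, {"error": "invalid_grant"}
    return 200, {"access_token": "tok-" + secrets.token_hex(4), "token_type": "bearer"}

def keycloak_user_has_otp(username):
    """Assumed lookup (the thread's missing API); answered from the stub table."""
    user = USERS.get(username)
    return bool(user and user["totp_code"] is not None)

# --- Radius side -----------------------------------------------------------------
CHALLENGE_TTL = 60  # seconds a pending Access-Challenge stays answerable

class RadiusOtpModule:
    def __init__(self, has_otp=keycloak_user_has_otp, token_endpoint=keycloak_direct_grant):
        self.has_otp = has_otp
        self.token_endpoint = token_endpoint
        self.pending = {}   # State attribute -> (username, password, expires_at)

    def _grant(self, username, password, totp=None):
        form = {"grant_type": "password", "username": username, "password": password}
        if totp is not None:
            form["totp"] = totp
        status, _ = self.token_endpoint(form)
        return "Access-Accept" if status == 200 else "Access-Reject"

    def access_request(self, username, user_password, state=None):
        """Handle one Access-Request; returns a dict shaped like the reply packet."""
        now = time.time()
        # Expire stale challenges so an old State can never be replayed.
        self.pending = {s: p for s, p in self.pending.items() if p[2] > now}

        if state is None:
            # First leg: User-Password carries the real password.
            if not self.has_otp(username):
                return {"code": self._grant(username, user_password)}
            # Hold the password until the OTP arrives; State is random and single-use.
            state = secrets.token_hex(16)
            self.pending[state] = (username, user_password, now + CHALLENGE_TTL)
            return {"code": "Access-Challenge", "State": state,
                    "Reply-Message": "Please provide OTP token."}

        # Second leg: User-Password now carries the OTP; State links it to leg one.
        pending = self.pending.pop(state, None)   # pop => a State works exactly once
        if pending is None or pending[0] != username:
            return {"code": "Access-Reject"}
        _, password, _ = pending
        return {"code": self._grant(username, password, totp=user_password)}

def nas_login(radius, username, password, otp=None):
    """Drive the exchange as the NAS would; returns the reply codes seen in order."""
    codes = []
    reply = radius.access_request(username, password)
    codes.append(reply["code"])
    if reply["code"] == "Access-Challenge":
        # The VPN client is prompted and the OTP comes back in the next request.
        reply = radius.access_request(username, otp or "", state=reply["State"])
        codes.append(reply["code"])
    return codes

if __name__ == "__main__":
    r = RadiusOtpModule()
    print(nas_login(r, "foo", "bar", otp="12345"))    # challenge, then accept
    print(nas_login(r, "alice", "s3cret"))           # accept, no challenge
    print(nas_login(r, "foo", "bar", otp="00000"))   # challenge, then reject
```

Note that the password from leg one lives in Radius server memory for up to `CHALLENGE_TTL` seconds; keep that window short and the `pending` table process-local, since whatever answers `has_otp` in a real deployment (the stub here, an admin API call, or a local cache) does not change that exposure.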