[keycloak-user] 2FA protection for a specific resource

Malys malys at mageos.com
Mon Mar 12 05:31:44 EDT 2018


Hi,
I want to protect a high-risk feature with 2FA. Historically, we have used
SMS-based 2FA. I want to offer the same feature, but ideally I would also like
to be able to integrate the native Keycloak OTP authenticator (more secure).
That's why, based on keycloak-sms-authenticator-sns
<https://github.com/nickpack/keycloak-sms-authenticator-sns>, I have
improved this authenticator (here:
<https://github.com/malys/keycloak-sms-authenticator-sns/tree/feature/LyraSMS>).

I have searched the Keycloak 3.4.3 documentation, but within the same realm I
haven't seen any feature to require 2FA when the end user wants to access a
specific resource.
The role mechanism allows managing access (403 / 200), but it doesn't seem to
cover my use case.
I'm not sure that UMA 2.0 could offer this feature. Moreover, it isn't yet
implemented.
Level of assurance seems very suitable, but it isn't yet implemented and it
would be difficult to do.

I could include a servlet filter in the business application (JBoss adapter)
to route the user to the 2FA authenticator when they want to access the resource.
But in this case, I have to propagate state between Keycloak and the Java
adapter so as not to ask for the 2FA code on each access.
That could be a little tricky in cluster mode (stateless service).

Below, I describe the use case.

<http://keycloak-user.88327.x6.nabble.com/file/t611/2FA_resource_access_management.png> 


Do you have any idea how to cover this use case easily based on native
Keycloak features?
If not, in your opinion, what is the best solution (see above)? (easiest
integration for maintainability, clustering support, and 2FA technique
agnostic)

Thank you for sharing your experience.



--
Sent from: http://keycloak-user.88327.x6.nabble.com/
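Added illustration, not code from the poster, from Keycloak or from the linked authenticator: the clustering problem in the third paragraph (propagating "2FA already done" between Keycloak and the adapter) goes away if that state travels inside the signed access token instead of in adapter-side session state. The filter then needs no shared storage; it only verifies the signature and reads claims. Everything below is assumed for the sake of the example: the custom 2FA authenticator would have to write an `amr` claim containing `otp` or `sms` (the post says Keycloak 3.4.3 has no native feature for this), the role guarding the feature is called `high-risk-user`, the freshness window is 15 minutes, and the token is HS256-signed with a local secret so the script runs offline, whereas real Keycloak tokens are RS256-signed with the realm key.

```python
"""Stateless step-up decision for one high-risk resource.

Constructed example. The decision (allow / step_up / deny) is taken only
from claims inside the signed token, so nothing has to be replicated
across cluster nodes. Assumed, not Keycloak defaults: the `amr` claim
values, the `high-risk-user` role name, the 15-minute freshness window
and the HS256 secret standing in for the realm's RS256 key.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"constructed-demo-secret"   # assumed: stand-in for the realm key
SECOND_FACTORS = {"otp", "sms"}       # assumed: values the 2FA step writes to amr
REQUIRED_ROLE = "high-risk-user"      # assumed: role that may use the feature
MAX_2FA_AGE = 15 * 60                 # assumed: re-ask the second factor after 15 min


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict) -> str:
    """Build an HS256 JWT; stands in for the token Keycloak would issue."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, now: int) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except ValueError:            # malformed token, bad base64 or bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def decide(token: str, now: int) -> str:
    """Decision for the high-risk resource: 'allow', 'step_up' or 'deny'.

    deny    - token invalid/expired, or the user lacks the role (the 403 case)
    step_up - first factor fine, but no fresh second factor: redirect to 2FA
    allow   - second factor present in the token and recent enough
    """
    claims = verify_token(token, now)
    if claims is None:
        return "deny"
    if REQUIRED_ROLE not in claims.get("roles", []):
        return "deny"
    amr = set(claims.get("amr", []))
    fresh = now - int(claims.get("auth_time", 0)) <= MAX_2FA_AGE
    if amr & SECOND_FACTORS and fresh:
        return "allow"
    return "step_up"
```

The `step_up` branch is where the servlet filter would send the user into the 2FA flow; after that flow completes, Keycloak would issue a new token carrying the claim, and every node in the cluster can take the same decision from the token alone. The freshness check on `auth_time` is what prevents a single old second-factor success from unlocking the resource indefinitely.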

