[keycloak-user] JBoss EAP/WildFly Adapter - JAAS Login Module for OTP

Marek Posolda mposolda at redhat.com
Tue Sep 3 11:02:30 EDT 2019


Yes, there is no login module for OTP. Keycloak has a 
DirectAccessGrantsLoginModule class, which supports username and 
password only and uses Direct Grant (OAuth2 Resource Owner 
Password Credentials Grant) under the covers. You may need to create your 
own login module similar to that one, which will also add the parameter 
"totp" - you can look at the Keycloak class ValidateOTP for the details.

Alternatively, you can avoid servlet security entirely and somehow 
manage security in your web application by yourself (manually creating 
all the forms etc.) and manually send a Direct Grant request 
(OAuth2 Resource Owner Password Credentials request) including the "totp" 
parameter.

TBH both options are not trivial and I will really try to avoid them and 
go for option (a). Besides the mentioned complications of option (b), 
option (a) has lots of other advantages.

Marek
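The manual Direct Grant request from option (b), as an added example that is not code from the thread or from Keycloak itself: it builds the grant_type=password form with the "totp" parameter, posts it to the realm's token endpoint and fails closed on anything but a token response. The base URL, realm and client id are constructed placeholders.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

KEYCLOAK_BASE = "https://keycloak.example.invalid"  # constructed placeholder
REALM = "demo"                                       # constructed placeholder
CLIENT_ID = "my-webapp"                              # constructed placeholder


def token_endpoint(base=KEYCLOAK_BASE, realm=REALM):
    # Keycloak's OpenID Connect token endpoint for a realm.
    return f"{base}/realms/{realm}/protocol/openid-connect/token"


def direct_grant_params(username, password, totp=None,
                        client_id=CLIENT_ID, client_secret=None):
    """Form parameters for a Direct Grant (grant_type=password) request.
    The one-time code goes in the "totp" parameter, sent together with the
    password in the same request; the direct-grant flow validates it there."""
    params = {"grant_type": "password", "client_id": client_id,
              "username": username, "password": password}
    if client_secret:              # only for a confidential client
        params["client_secret"] = client_secret
    if totp:
        params["totp"] = totp
    return params


def interpret_token_response(status, body):
    """Turn the token endpoint reply into (ok, detail). Keycloak answers a wrong
    password or a wrong/missing OTP with an error response, so anything other
    than 200 with an access_token is a failed login."""
    try:
        data = json.loads(body)
    except ValueError:
        return False, "unparseable response"
    if status == 200 and "access_token" in data:
        return True, data
    return False, data.get("error_description") or data.get("error") or f"HTTP {status}"


def login(username, password, totp=None, opener=urllib.request.urlopen):
    """Send the Direct Grant request; 'opener' is injectable for testing."""
    body = urllib.parse.urlencode(direct_grant_params(username, password, totp)).encode()
    req = urllib.request.Request(token_endpoint(), data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with opener(req) as resp:
            return interpret_token_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:    # 4xx/5xx carry the JSON error body
        return interpret_token_response(err.code, err.read())
```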

On 03. 09. 19 15:53, R M wrote:
> Hi Marek and thanks,
> but unfortunately I want to achieve your point B.
>
> I can understand that from a security point of view the recommendation 
> is to use scenario A (and I already tested enabling OTP and using the 
> FreeOTP app on mobile) but I must go with scenario B.
> I see some standard login modules available but the one based on OTP 
> seems not to be available.
>
> I hope someone has already developed one.
>
> Roberto
>
> On Tue 3 Sep 2019 at 09:21 Marek Posolda <mposolda at redhat.com 
> <mailto:mposolda at redhat.com>> wrote:
>
>     I am not sure what exactly you want to achieve. Do you want:
>     a) SSO login, which means that your application will redirect to
>     Keycloak and the login forms will be displayed by Keycloak?
>     b) Or do you want your application to "display" the login forms?
>
>     Keycloak is SSO, so it is highly recommended to use use-case (a).
>     In that case, you need to change the "auth-method" to KEYCLOAK as
>     you pointed out (in case your application is deployed on a WildFly
>     server). It is recommended to try some Keycloak quickstarts. Once
>     your application redirects to Keycloak, you can just configure the
>     OTP authenticator on the Keycloak side and you don't need to
>     configure anything more on your application side. The used
>     authenticators and authentication mechanisms will be completely
>     controlled by Keycloak.
>
>     Marek
>
>     On 02. 09. 19 16:12, R M wrote:
>     > Hi
>     >
>     > According to the Security APP Documentation, I can provide an adapter
>     > config file in the WAR and change the auth-method to KEYCLOAK within
>     > web.xml. Alternatively, I don't have to modify the WAR at all and I can
>     > secure it via the Keycloak adapter subsystem configuration in the
>     > configuration file, such as standalone.xml
>     >
>     > But my app has a FORM Login Authentication mechanism: in web.xml I
>     > have this:
>     >
>     >    <login-config>
>     >      <auth-method>FORM</auth-method>
>     >      <realm-name></realm-name>
>     >      <form-login-config>
>     >        <form-login-page>/Login.jsp</form-login-page>
>     >        <form-error-page>/LoginError.jsp</form-error-page>
>     >      </form-login-config>
>     >    </login-config>
>     >
>     > and according to this the Login.jsp is submitting values to
>     > "j_security_check"
>     >
>     > I want to continue to use this but I want KEYCLOAK to take control
>     > to check credentials (and manage the OTP)
>     >
>     > It is not clear (not able to find) if there is some "standard"
>     > adapter or login module available and the "name" to give to the OTP
>     > field in the login form
>     >
>     > e.g. using PicketBox
>     >
>     > https://developer.jboss.org/wiki/OTPIntegrationWithJBossApplicationServer
>     >
>     > but now the PicketLink and Keycloak projects are merged and I want
>     > to use a similar way using OTP and the Keycloak server
>     >
>     > So I'm looking for the Keycloak replacement of
>     > JBossTimeBasedOTPLoginModule (and related setup)
>     >
>     >   <login-module
>     >     code="org.jboss.security.auth.spi.otp.JBossTimeBasedOTPLoginModule" />
>     >
>     > Do you have any idea?
>     > Thanks
>     > _______________________________________________
>     > keycloak-user mailing list
>     > keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>     > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
