Great work. Looking forward to using it.
On 8/19/2013 6:29 AM, Stian Thorgersen wrote:
I've added support for configuring TOTP to the registration
process. At the moment the way it works is if the realm has both password and totp as
required credentials the user is required to configure totp during the registration. To
validate that the user has configured TOTP correctly the user has to provide a valid
authentication code in the registration form.
This only covers the use case when TOTP is required by the realm. I think users should be
able to enable TOTP even though it's not required by the realm. For example a bank
would require TOTP, but a mail provider would let users choose what level of security they
want themselves. Users should also be able to manage the TOTP settings for their account.
For example to change the TOTP, or to remove (only if not required by realm).
This ties in to having a proper place for users to manage their accounts. See
https://github.com/keycloak/keycloak/wiki/User-Account-Management.
To try this out yourself edit
"examples/as7-eap-demo/server/src/main/resources/META-INF/testrealm.json" and
change:
"requiredCredentials": [ "password" ],
to
"requiredCredentials": [ "password", "totp" ],
This enables totp for the demo realm used by customer-portal and product-portal. To
enable it for the SaaS edit org.keycloak.example.demo.DemoApplication#install and add:
defaultRealm.addRequiredCredential(CredentialRepresentation.TOTP);
The approach taken above is just to get something working quickly. I propose that we
improve this to work like this:
* When a user first registers there will be a checkbox to enable TOTP if the user wants
to - if TOTP is required by the realm this checkbox will always be enabled (and the user
won't be able to change it)
* After clicking register the user is forwarded to the configure TOTP page (in user
account management)
* If a user doesn't complete the above form, or a user registered prior to totp being
set as required for the realm, when a user tries to login the user is forwarded to the
configure TOTP page
* The TOTP page should list out the available TOTP providers (ATM only Google
authenticator is supported) and show instructions for the user to configure it. A user
should be required to enter a valid authenticator code to enable TOTP
Later a user can view the TOTP settings for his account through the user account
management. If totp is not required by the realm the user can also remove the totp. A user
can always change the totp; again this requires providing a valid authenticator code.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
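The check the quoted message describes (a user proves the authenticator is configured by submitting a valid code, and the same check is repeated when changing or removing TOTP) is essentially RFC 6238 TOTP verification on the server side. The following is an added example illustrating that check; it is not Keycloak code and is written in Python rather than the project's Java. It assumes the Google Authenticator defaults mentioned in the thread (HMAC-SHA1, 30-second step, 6 digits), a one-step drift window either side, and adds a "last accepted counter" so a code cannot be replayed within its window. The seed is the public RFC 6238 Appendix B test seed, used here only so the values can be checked against the RFC.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Constructed value: the RFC 6238 Appendix B test seed, not a secret from any real realm.
RFC6238_SEED = b"12345678901234567890"

TIME_STEP = 30   # seconds per TOTP interval (Google Authenticator default)
DIGITS = 6       # code length (Google Authenticator default)
WINDOW = 1       # accept one step of clock drift on either side of "now"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


class TotpCredential:
    """Server-side TOTP state for one user: the shared secret plus the last accepted counter.

    Hypothetical class for this example; it stands in for whatever the realm stores per user.
    """

    def __init__(self, secret: Optional[bytes] = None):
        self.secret = secret or os.urandom(20)  # 160-bit secret, the natural size for HMAC-SHA1
        self.last_counter = -1                  # highest time-step counter already consumed

    def provisioning_secret(self) -> str:
        """Base32 form of the secret, which is what the user types or scans into the authenticator."""
        return base64.b32encode(self.secret).decode("ascii")

    def verify(self, submitted: str, now: Optional[int] = None) -> bool:
        """Return True if `submitted` is the code for a not-yet-used step within the drift window."""
        now = int(time.time()) if now is None else now
        current = now // TIME_STEP
        for counter in range(current - WINDOW, current + WINDOW + 1):
            if counter <= self.last_counter:
                continue  # replay protection: each step's code is accepted at most once
            expected = hotp(self.secret, counter)
            if hmac.compare_digest(expected, submitted):  # constant-time comparison
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Registration flow from the thread: provision a secret, then require a valid code to enable it.
    cred = TotpCredential()
    print("enter this secret in your authenticator:", cred.provisioning_secret())
    print("accepted:", cred.verify(totp(cred.secret, int(time.time()))))
```

In the registration form described above, `verify()` is what runs against the code the user types after adding the secret to the authenticator; the same call guards the later "change TOTP" and "remove TOTP" actions. Keeping `last_counter` is the caveat worth copying: without it, a code observed during the ±1 step window remains valid for up to 90 seconds.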