Hi Federico,
If these devices are authenticating through a browser and User-Agent is set, you'll have different entries for each device, even though they have the same IP. It is not based only on IP but also on the OS information gathered from the User-Agent header.
However, if you are not doing the code grant through a browser, we should probably allow devices to push a fingerprint. Right now, the functionality is based on User-Agent, so if your devices are able to set this header you should have specific entries for each.
On Fri, Aug 2, 2019 at 4:24 AM Federico Michele Facca <federico.facca(a)martel-innovate.com> wrote:
Hi Pedro,
Nice feature, but why consider requests from the same IP as coming from the same device?
If you are using a fixed connection with several devices using it, then it may easily be the case that different devices have been used.
Cheers,
Federico
*Dr. FEDERICO MICHELE FACCA*
*CTO*
0041 78 807 58 38
*Martel Innovate* <https://www.martel-innovate.com/> - Professional support for innovation projects
On 1 Aug 2019, at 23:16, Pedro Igor Silva <psilva(a)redhat.com> wrote:
Hi All,
I apologize for the long email :)
The new account console should provide a nice feature (see attachment) to help users track their devices' activity. I think the main goal is not to be 100% accurate (mainly because device identification is not an easy task) but to let users know about:
* The devices the user is using to authenticate
* Suspicious behavior either from devices that are not known or based on
the last time a device was used to authenticate
I would like to share what I've done so far and what the next steps could be. I've submitted a WIP [1] that basically relies on the User-Agent header to obtain info about devices.
Device identification is based on the OS and Device (if available from the user agent), where requests from the same IP are considered as being from the same device. If the IP is different, we check the session id; if it is the same, the request is from the same device. If you use a different browser, you also have that grouped and available as a list in the device representation. It is worth mentioning that device management is only performed when a session is created in Keycloak or used when processing a request. One thing to consider is that if running behind a proxy, Keycloak should be able to obtain the original client address from a header.
By using the device/client IP as an identifier, I'm also trying to avoid
creating a new device if the session is still active. If so, we assume that
the request comes from the same device and we just update that info, so
that subsequent requests will match by IP.
However, if the session ends and the IP changes, a new device will be
created (if the device session was not updated). To overcome that, I think
we could:
* Support a specific cookie to identify devices (UUID)
* Allow clients connecting to Keycloak to provide a device fingerprint
(sent as a header, for instance), with restrictions on which clients can do
that
* Geolocation
* Anything else?
The first two options are useful depending on the client.
For browsers, cookies are more natural. Yes, users can clear browser data, but in the worst case they will get a new device entry and we'll show that. Still, a good option IMO.
Device fingerprint may be useful for mobile apps or other types of clients
that are capable of providing a unique and trustworthy identifier. It can
be used for browsers too, but I think this implies more privacy/security
concerns.
Regarding the third one above (geolocation), I'll skip it for now as we can live without it in a first version of the feature, although it would further enrich the functionality as well as the discussions happening around MFA and adaptive authentication.
Data purging is another concern. Right now we don't have anything in this regard, but I would like to expire entries based on the last time they were accessed. Or maybe this is something we should just keep, and admins should be responsible for purging data, as it may imply privacy and security concerns that are specific to a particular use case.
Lastly, I think we should probably have a switch for this feature, so admins can enable/disable it according to their needs. Not sure if this kind of thing always makes sense.
[1] https://github.com/keycloak/keycloak/pull/6217
<DeviceActivity.png>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
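The matching rules from Pedro's original message (OS from the User-Agent, then IP, then session id, with browsers grouped under one device) and the same-IP case from his reply to Federico, as an added example that is not Keycloak's code or the WIP pull request's: a minimal Python tracker replaying constructed User-Agent strings and request history. The OS/browser patterns are a toy matcher, not a real user-agent parser, and the "Device" model part of the heuristic is left out.

```python
import re

# Toy OS/browser matcher (order matters: Android before Linux, iOS before
# macOS, Chrome before Safari, since those UA strings contain both tokens).
OS_PATTERNS = [("Android", r"Android"), ("iOS", r"iPhone|iPad"),
               ("Windows", r"Windows NT"), ("macOS", r"Mac OS X"), ("Linux", r"Linux")]
BROWSER_PATTERNS = [("Firefox", r"Firefox/"), ("Chrome", r"Chrome/"), ("Safari", r"Safari/")]

def parse_user_agent(ua):
    os_name = next((n for n, p in OS_PATTERNS if re.search(p, ua)), "Unknown")
    browser = next((n for n, p in BROWSER_PATTERNS if re.search(p, ua)), "Unknown")
    return os_name, browser

class DeviceTracker:
    def __init__(self):
        self.devices = []   # each entry: {"os", "ip", "session", "browsers"}

    def record(self, ua, ip, session_id):
        """Match a request to a known device or create one; returns (device, is_new)."""
        os_name, browser = parse_user_agent(ua)
        for d in self.devices:
            if d["os"] != os_name:
                continue                         # same IP but another OS: still another device
            if d["ip"] == ip or d["session"] == session_id:
                d["browsers"].add(browser)       # another browser on the same device
                d["ip"], d["session"] = ip, session_id  # refresh so later requests match by IP
                return d, False
        d = {"os": os_name, "ip": ip, "session": session_id, "browsers": {browser}}
        self.devices.append(d)                   # unknown device: what the console would flag
        return d, True

# Constructed User-Agent strings and request history (not captured traffic).
UA_WIN_CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/76.0 Safari/537.36"
UA_WIN_FIREFOX = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0"
UA_ANDROID = "Mozilla/5.0 (Linux; Android 9; Pixel 3) AppleWebKit/537.36 Chrome/76.0 Mobile Safari/537.36"

def sample_history():
    """Replay the scenarios from the thread; returns the tracker and is_new per request."""
    t = DeviceTracker()
    requests = [
        (UA_WIN_CHROME, "203.0.113.10", "s1"),   # first login from an office NAT
        (UA_ANDROID, "203.0.113.10", "s2"),      # phone behind the same NAT: separate entry
        (UA_WIN_FIREFOX, "203.0.113.10", "s1"),  # second browser on the same box: grouped
        (UA_WIN_CHROME, "198.51.100.7", "s1"),   # IP changed, session still active: same device
        (UA_WIN_CHROME, "192.0.2.5", "s9"),      # new session from a new IP: new entry
    ]
    return t, [t.record(*r)[1] for r in requests]
```

The last request shows the gap Pedro describes: once the session is gone and the IP differs, the same machine comes back as a new entry, which is what the proposed device cookie or client-supplied fingerprint would close.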