Hello,
What would it actually mean to swap LoginFormsProvider?
Would it be enough to drop my own extension into standalone/deployments (+ some change in
standalone-ha.xml)?
Best regards,
Lukasz Lech
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
On Behalf Of Lukasz Dywicki
Sent: Saturday, 15 June 2019 08:32
To: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Adding 2FA with SMS
Introducing extra steps for login/registration is entirely possible. However, there is
a need to swap (extend) LoginFormsProvider and to add a new FormAction and Authenticator as well,
and yes, a template too.
There is a close relation between these parts when it comes to processing the login and
registration flows.
You don't need to directly modify any Keycloak code; it is sufficient to extend existing
classes. You can use User attributes to store additional data such as the mobile number. It is
a mechanism made for that.
The extension you linked is a nice example of an additional credential type, which is the proper way
from a design point of view, but absolutely not necessary to start having an SMS code verifier.
In the end such a verifier is a simple bearer to fail authentication.
Cheers,
Łukasz Dywicki
--
Code-House
http://code-house.org
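Lukasz Dywicki's reply above names the pieces: an Authenticator in the browser flow, the mobile number kept in a user attribute, and a theme template. The following is an added illustration of the code-verification step as a Keycloak Authenticator in Java; it is not code from this thread or from the keycloak-sms-authenticator-sns project. The attribute name `mobile_number`, the template `sms-code.ftl` with its `sms_code` field, the message keys and the `SmsSender` gateway interface are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import org.keycloak.authentication.*;
import org.keycloak.models.*;
import org.keycloak.sessions.AuthenticationSessionModel;

public class SmsCodeAuthenticator implements Authenticator {
    static final String MOBILE_ATTR = "mobile_number"; // assumed attribute name, written by the enrolment step
    static final String CODE_NOTE = "sms.code";        // auth-session notes stay server side, never in the page
    static final String EXPIRY_NOTE = "sms.expires";
    static final String TEMPLATE = "sms-code.ftl";     // assumed theme template with an input named sms_code
    static final long TTL_MS = 5 * 60 * 1000L;
    private final SecureRandom random = new SecureRandom();
    private final SmsSender sender;                    // hypothetical gateway abstraction
    public interface SmsSender { void send(String number, String text); }
    public SmsCodeAuthenticator(SmsSender sender) { this.sender = sender; }

    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) {
        return u.getFirstAttribute(MOBILE_ATTR) != null;  // only users who finished enrolment get this step
    }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }

    @Override public void authenticate(AuthenticationFlowContext ctx) {
        String code = String.format("%06d", random.nextInt(1_000_000));
        AuthenticationSessionModel session = ctx.getAuthenticationSession();
        session.setAuthNote(CODE_NOTE, code);
        session.setAuthNote(EXPIRY_NOTE, Long.toString(System.currentTimeMillis() + TTL_MS));
        sender.send(ctx.getUser().getFirstAttribute(MOBILE_ATTR), "Your login code: " + code);
        ctx.challenge(ctx.form().createForm(TEMPLATE));
    }

    @Override public void action(AuthenticationFlowContext ctx) {
        AuthenticationSessionModel session = ctx.getAuthenticationSession();
        String entered = ctx.getHttpRequest().getDecodedFormParameters().getFirst("sms_code");
        String expected = session.getAuthNote(CODE_NOTE), expiry = session.getAuthNote(EXPIRY_NOTE);
        if (expected == null || expiry == null || System.currentTimeMillis() > Long.parseLong(expiry)) {
            ctx.failureChallenge(AuthenticationFlowError.EXPIRED_CODE, ctx.form().setError("smsCodeExpired").createForm(TEMPLATE));
            return;
        }
        // Constant-time comparison so a near miss is not distinguishable from a wrong guess by timing.
        if (entered == null || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                entered.getBytes(StandardCharsets.UTF_8))) {
            ctx.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, ctx.form().setError("smsCodeInvalid").createForm(TEMPLATE));
            return;
        }
        session.removeAuthNote(CODE_NOTE); session.removeAuthNote(EXPIRY_NOTE); // the code is single use
        ctx.success();
    }
}
```

To deploy it you still need an AuthenticatorFactory registered through `META-INF/services/org.keycloak.authentication.AuthenticatorFactory` in the JAR, the template in your theme, and the separate enrolment step (the "give number, confirm code, then save" screen from the original question) that writes the attribute.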
On 14 Jun 2019, at 12:07, Lukasz Lech <l.lech(a)ringler.ch> wrote:
Hello,
I'm analysing the requirement for adding 2FA with SMS to keycloak.
There is a ready project
https://github.com/UKGovernmentBEIS/keycloak-sms-authenticator-sns and to activate it,
you need to modify the browser authentication flow.
This looks quite cheaply made. First, the SMS is always sent, but validated only if you set
SMS validation to REQUIRED; second, you give your mobile number, and if it is wrong, you
must call support to change it for you.
The correct way would be to make it analogous to TOTP: a separate screen where you give your
mobile number, then give the validation code, and only then is your mobile phone
saved.
Could you please give me a hint whether adding a second 2FA this way could be done via a plug-in,
i.e. by writing provider(s), changing themes and editing flows in administration, or whether it
would require some changes to the Keycloak core code?
Were there any attempts at writing alternative 2FA plugins working in a similar way to how TOTP
works now?
Best regards,
Lukasz Lech
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user