Hi Marek, and thanks.
But unfortunately I want to achieve your point B.
I can understand that from a security point of view the recommendation is to
use scenario A (and I already tested enabling OTP and using the FreeOTP app
on mobile), but I must go with scenario B.
I see some standard login modules available, but the one based on OTP seems
not to be available.
I hope someone has already developed one.
Roberto
On Tue, 3 Sep 2019 at 09:21, Marek Posolda <mposolda(a)redhat.com> wrote:
I am not sure what exactly you want to achieve? Do you want:
a) SSO login, which means that your application will redirect to
Keycloak and the login forms will be displayed by Keycloak?
b) Or do you want your application to "display" the login forms?
Keycloak is SSO, so it is highly recommended to use use-case
(a). In that case, you need to change the "auth-method" to KEYCLOAK as
you pointed out (in case your application is deployed on a Wildfly
server). It is recommended to try some Keycloak quickstarts. Once your
application redirects to Keycloak, you can just configure OTP
authenticator on the Keycloak side and you don't need to configure
anything more on your application side. The used authenticators and
authentication mechanisms will be completely controlled by Keycloak.
Marek
On 02. 09. 19 16:12, R M wrote:
> Hi
>
> According to the Security APP Documentation, I can provide an adapter
> config file in WAR and change the auth-method to KEYCLOAK within web.xml.
> Alternatively, I don’t have to modify WAR at all and I can secure it via
> the Keycloak adapter subsystem configuration in the configuration file,
> such as standalone.xml
>
> But my app has a FORM Login Authentication mechanism: in web.xml I have so
>
> <login-config>
>   <auth-method>FORM</auth-method>
>   <realm-name></realm-name>
>   <form-login-config>
>     <form-login-page>/Login.jsp</form-login-page>
>     <form-error-page>/LoginError.jsp</form-error-page>
>   </form-login-config>
> </login-config>
>
> and according to this the Login.jsp is submitting value to the
> "j_security_check"
>
> I want to continue to use this but I want KEYCLOAK to take control to check
> credentials (and manage the OTP)
>
> It is not clear (not able to find) if there is some "standard" adapter or
> login module available and the "name" to give to the OTP field in the login
> form
>
> e.g. using PicketBox
>
> https://developer.jboss.org/wiki/OTPIntegrationWithJBossApplicationServer
>
> but now PicketLink and Keycloak projects are merged and I want to use a
> similar way using OTP and the Keycloak server
>
> So I'm looking for the Keycloak replacement of JBossTimeBasedOTPLoginModule
> (and related setup)
>
> <login-module
> code="org.jboss.security.auth.spi.otp.JBossTimeBasedOTPLoginModule" />
>
>
> Do you have any idea?
> Thanks
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user