We plan to add support for "acr" from OIDC specification. See
https://issues.jboss.org/browse/KEYCLOAK-3314 .
Until then, you can possibly use some workaround and add your own
authentication flow with authenticator implementations. For example,
based on redirect_uri (which will be different for the more "secure" part of
your application) you will allow (or not allow) cookie authentication,
and for the more secure part, you will ensure that the OTP authenticator is
used.
Marek
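The redirect_uri-based workaround described above, as an added example (not code from this thread or from Keycloak itself): a custom Authenticator written against the Keycloak 3.x+ SPI that reuses the stock OTP form but only enforces it when the login was started for the secure part of the application. The package name, the https://app.example.com host, the /secure/ path prefix and the factory registration are assumptions.

```java
package example.auth; // assumed package name

import java.net.URI;
import java.net.URISyntaxException;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.authenticators.browser.OTPFormAuthenticator;

/**
 * Added example, not Keycloak's own code. Register it through an
 * AuthenticatorFactory and place it in the browser flow's forms sub-flow as
 * REQUIRED, after the Username Password Form, instead of the stock OTP Form.
 */
public class RedirectUriOtpAuthenticator extends OTPFormAuthenticator {

    // Assumed: the protected part of the application lives under this prefix.
    static final String SECURE_HOST = "app.example.com";
    static final String SECURE_PATH_PREFIX = "/secure/";

    /** Pure decision logic, kept separate so it can be unit tested. */
    static boolean requiresOtp(String redirectUri) {
        if (redirectUri == null) {
            return false; // no redirect_uri on this login: password alone is enough
        }
        try {
            // Parse and normalise instead of a raw prefix check, so that
            // "/secure/../public" or "app.example.com.evil.test" do not match.
            URI uri = new URI(redirectUri).normalize();
            return "https".equals(uri.getScheme())
                && SECURE_HOST.equalsIgnoreCase(uri.getHost())
                && uri.getPath() != null
                && uri.getPath().startsWith(SECURE_PATH_PREFIX);
        } catch (URISyntaxException e) {
            return true; // unparseable redirect_uri: fail closed and require OTP
        }
    }

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        String redirectUri = context.getAuthenticationSession().getRedirectUri();
        if (requiresOtp(redirectUri)) {
            // Secure area: show the stock OTP form. With the execution set to
            // REQUIRED, a user without OTP is sent to the Configure OTP action.
            super.authenticate(context);
        } else {
            // Public area: the password step already succeeded, skip OTP.
            context.success();
        }
    }
}
```

Keycloak has already validated redirect_uri against the client's registered patterns by the time this runs, so the check above only distinguishes the secure area from the rest. The Cookie authenticator short-circuits the flow on an existing SSO session, so this execution only covers logins that reach the forms sub-flow; handling the cookie case is the other half of the workaround Marek describes.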
On 01/09/16 16:54, Steve Favez wrote:
Dear all,
I need to implement the following use case.
My web application is authenticated against a given realm on keycloak,
using a simple user / password authentication model. But a part of my
web app would require a stronger authentication mechanism (a second
factor in fact) based on the current user.
What's the "best" solution using keycloak? I was thinking of two
different solutions:
1. add an attribute in my OIDC token that could be named "level", and
having an adapter that would check the level of the token, and if not
corresponding, redirect to the realm that would ask for the second
factor of authentication
2. Create a "2FA" realm, that would rely on the simple authentication
realm... but is it possible in the same web app (I mean, to use two
realms)?
Open to any ideas
Thanks
St
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user