<div class="a3s aXjCH m162198d296a41d54" id=":g7">Hi,<br>
I want to protect a high-level risk feature with 2FA. Historically, we use<br>
2FA SMS. I want to propose the same feature but ideally, I wish to be able<br>
to also integrate the native Keycloak OTP authenticator (more secure).<br>
That's why, based on keycloak-sms-authenticator-sns<br>
(<a href="https://github.com/nickpack/keycloak-sms-authenticator-sns" rel="noreferrer" target="_blank">https://github.com/nickpack/keycloak-sms-authenticator-sns</a>), I have<br>
improved this authenticator (here:<br>
<a href="https://github.com/malys/keycloak-sms-authenticator-sns/tree/f..." rel="noreferrer" target="_blank">https://github.com/malys/keycloak-sms-authenticator-sns/tree/f...</a>).<br>
<br>
I have searched in the Keycloak 3.4.3 documentation but, using the same realm, I<br>
haven't seen any feature to ask 2FA when the final user wants to access a<br>
specific resource.<br>
The role mechanism allows managing access (403 - 200) but it seems that it doesn't<br>
cover my use case.<br>
I'm not sure that UMA 2.0 could offer this feature. Moreover, it<br>
isn't yet implemented.<br>
Level of assurance seems very good but it isn't yet implemented and it would<br>
be difficult to do it.<br>
<br>
I could include a servlet filter on the business application (JBoss adapter)<br>
to route the user to the 2FA authenticator when he wants to access the resource.<br>
But in this case, I have to propagate a state between Keycloak and the Java<br>
adapter to not ask the 2FA code for each access.<br>
It could be a little bit tricky in cluster mode (stateless service).<br>
<br>
Below, I describe the use case.<br>
<br>
<a href="http://keycloak-user.88327.x6.nabble.com/file/t611/2FA_resourc..." rel="noreferrer" target="_blank">http://keycloak-user.88327.x6.nabble.com/file/t611/2FA_resourc...</a><br>
<br>
Have you any idea to cover this use case easily based on native Keycloak<br>
features?<br>
If that isn't the case, in your opinion, what is the best solution (see<br>
above)? (easiest integration for maintainability, clustering support and 2FA<br>
technique agnostic)<br>
<br>
Thank you for sharing your experience.</div>
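An added example (not code from the original post, nor from either keycloak-sms-authenticator-sns repository) of the servlet-filter option described above: rather than propagating 2FA state between Keycloak and the adapter out of band, it assumes the second-factor result is carried inside the signed access token as a claim, so every cluster node can check it without shared state. The claim name `two_factor`, the path prefix `/high-risk/` and the `stepUpUrl` init-param are assumptions; getting the claim into the token (for instance a user session note set by the custom authenticator and copied by a "User Session Note" protocol mapper) is assumed to be configured on the Keycloak side.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

/** Requires a second-factor marker claim in the access token for a path prefix. */
public class SecondFactorFilter implements Filter {
    // Constructed value: adjust to the application's own high-risk paths.
    private static final String PROTECTED_PREFIX = "/high-risk/";
    // Hypothetical claim name, assumed to be written into the token by the custom
    // 2FA authenticator (user session note + protocol mapper); not a Keycloak default.
    private static final String SECOND_FACTOR_CLAIM = "two_factor";
    private String stepUpUrl;   // assumed init-param: where the user completes 2FA

    @Override public void init(FilterConfig config) { stepUpUrl = config.getInitParameter("stepUpUrl"); }
    @Override public void destroy() { }

    /** True only when the signed token itself asserts that a second factor was verified. */
    static boolean hasSecondFactor(AccessToken token) {
        if (token == null) return false;
        Object marker = token.getOtherClaims().get(SECOND_FACTOR_CLAIM);
        return Boolean.TRUE.equals(marker) || "true".equalsIgnoreCase(String.valueOf(marker));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (!path.startsWith(PROTECTED_PREFIX)) {
            chain.doFilter(req, res);   // not a high-risk resource: roles alone decide
            return;
        }
        // The Keycloak adapter stores the already-verified token under this attribute.
        KeycloakSecurityContext ctx = (KeycloakSecurityContext)
                request.getAttribute(KeycloakSecurityContext.class.getName());
        if (ctx != null && hasSecondFactor(ctx.getToken())) {
            chain.doFilter(req, res);   // no server-side state: the token is the state
            return;
        }
        if (stepUpUrl != null) {
            response.sendRedirect(stepUpUrl);   // send the user to complete the second factor
        } else {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "second factor required");
        }
    }
}
```

Because the marker lives in the token, it expires with the token; the filter never needs a session store, which is what keeps it cluster-safe.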