[keycloak-dev] TOTP setup

Bill Burke bburke at redhat.com
Mon Aug 19 07:47:49 EDT 2013


Great work.  Looking forward to using it.

On 8/19/2013 6:29 AM, Stian Thorgersen wrote:
> I've added support for configuring TOTP to the registration process. At the moment the way it works is if the realm has both password and totp as required credentials the user is required to configure totp during the registration. To validate that the user has configured TOTP correctly the user has to provide a valid authentication code in the registration form.
>
> This only covers the use case when TOTP is required by the realm. I think users should be able to enable TOTP even though it's not required by the realm. For example a bank would require TOTP, but a mail provider would let users choose what level of security they want themselves. Users should also be able to manage the TOTP settings for their account. For example to change the TOTP, or to remove (only if not required by realm).
>
> This ties in to having a proper place for users to manage their accounts. See https://github.com/keycloak/keycloak/wiki/User-Account-Management.
>
> To try this out yourself edit "examples/as7-eap-demo/server/src/main/resources/META-INF/testrealm.json" and change:
>
>      "requiredCredentials": [ "password" ],
>
> to
>
>      "requiredCredentials": [ "password", "totp" ],
>
> This enables totp for the demo realm used by customer-portal and product-portal. To enable it for the SaaS edit org.keycloak.example.demo.DemoApplication#install and add:
>
>      defaultRealm.addRequiredCredential(CredentialRepresentation.TOTP);
>
> The approach taken above is just to get something working quickly. I propose that we improve this to work like this:
>
> * When a user first registers there will be a checkbox to enable TOTP if the user wants to - if TOTP is required by the realm this checkbox will always be enabled (and the user won't be able to change it)
> * After clicking register the user is forwarded to the configure TOTP page (in user account management)
> * If a user doesn't complete the above form, or a user registered prior to totp being set as required for the realm, when a user tries to login the user is forwarded to the configure TOTP page
> * The TOTP page should list out the available TOTP providers (ATM only Google authenticator is supported) and show instructions for the user to configure it. A user should be required to enter a valid authenticator code to enable TOTP
>
> Later a user can view the TOTP settings for his account through the user account management. If totp is not required by the realm the user can also remove the totp. A user can always change the totp; again this requires providing a valid authenticator code.
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

