[keycloak-user] 2FA protection for a specific resource

malys malys at mageos.com
Wed Mar 14 10:11:47 EDT 2018


Hi,
I want to protect a high-risk feature with 2FA. Historically, we use
2FA SMS. I want to propose the same feature but ideally, I wish to be able
to integrate also the native Keycloak OTP authenticator (more secure).
That's why, based on keycloak-sms-authenticator-sns
<https://github.com/nickpack/keycloak-sms-authenticator-sns>, I have
improved this authenticator (here
<https://github.com/malys/keycloak-sms-authenticator-sns/tree/feature/LyraSMS>
).

I have searched in the Keycloak 3.4.3 documentation but, using the same realm, I
haven't seen any feature to ask for 2FA when the final user wants to access a
specific resource.
The role mechanism allows managing access (403 - 200) but it seems that it doesn't
cover my use case.
I'm not sure that UMA 2.0 could offer this feature. Moreover, it
isn't yet implemented.
Level of assurance seems very good but it isn't yet implemented and it would
be difficult to do it.

I could include a servlet filter on the business application (JBoss adapter)
to route the user to the 2FA authenticator when he wants to access the resource.
But in this case, I have to propagate a state between Keycloak and the Java
adapter to not ask for the 2FA code on each access.
It could be a little bit tricky in cluster mode (stateless service).

Below, I describe the use case.

<http://keycloak-user.88327.x6.nabble.com/file/t611/2FA_resource_access_management.png>


Have you any idea to cover this use case easily based on native Keycloak
features?
If that isn't the case, in your opinion, what is the best solution (see
above)? (easiest integration for maintainability, clustering support and 2FA
technique agnostic)

Thank you for sharing your experience.
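One way to implement the servlet-filter option sketched in the message above, as an added example that is not part of the original post nor of either linked authenticator project. The point it demonstrates is the state-propagation problem: the time of the last 2FA check travels inside the access token as a claim, so the filter needs no server-side state and behaves identically on every cluster node. Everything about the setup is an assumption: the custom SMS/OTP authenticator records the time of a successful check (epoch seconds) in a user session note named mfa_time, a "User Session Note" protocol mapper copies that note into the access token under the same name, the Keycloak Java adapter forwards a prompt query parameter of the protected request to the realm's authorization endpoint, and the class and package names are hypothetical.

```java
package com.example.stepup;

import java.io.IOException;
import java.time.Instant;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

/**
 * Step-up filter for the high-risk resource (example code, not Keycloak's own).
 * The only "state" it relies on is the mfa_time claim inside the access token,
 * so it works unchanged on every cluster node.
 */
public class StepUpFilter implements Filter {

    // Assumed claim name: written as a user session note by the SMS/OTP authenticator
    // and copied into the token by a "User Session Note" protocol mapper.
    static final String MFA_CLAIM = "mfa_time";
    // How long a successful 2FA check stays valid for the protected resource.
    static final long MAX_AGE_SECONDS = 15 * 60;

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // The Keycloak adapter exposes the verified token through this request attribute.
        KeycloakSecurityContext ctx =
                (KeycloakSecurityContext) req.getAttribute(KeycloakSecurityContext.class.getName());
        if (ctx == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        if (hasRecentMfa(ctx.getToken(), Instant.now().getEpochSecond())) {
            chain.doFilter(request, response);
            return;
        }

        if ("login".equals(req.getParameter("prompt"))) {
            // A fresh login was already forced and the token still has no recent mfa_time:
            // the browser flow did not run the 2FA step. Fail closed instead of looping.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Drop the local adapter session and come back to the same URL with prompt=login.
        // Assumption: the adapter forwards prompt to Keycloak, so the SSO cookie alone is not
        // enough and the browser flow (including the SMS/OTP authenticator) runs again.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        String query = req.getQueryString();
        String target = req.getRequestURL().toString()
                + (query == null ? "?" : "?" + query + "&") + "prompt=login";
        resp.sendRedirect(target);
    }

    /** True when the token carries an mfa_time claim no older than MAX_AGE_SECONDS. */
    static boolean hasRecentMfa(AccessToken token, long nowEpochSeconds) {
        Map<String, Object> claims = token.getOtherClaims();
        Object raw = claims.get(MFA_CLAIM);
        if (raw == null) {
            return false;
        }
        long mfaTime;
        try {
            mfaTime = Long.parseLong(raw.toString());
        } catch (NumberFormatException e) {
            return false; // a malformed claim counts as "no 2FA"
        }
        // Reject timestamps from the future as well as stale ones.
        return mfaTime <= nowEpochSeconds && nowEpochSeconds - mfaTime <= MAX_AGE_SECONDS;
    }

    @Override
    public void destroy() { }
}
```

Map the filter in web.xml to the URL pattern of the high-risk resource only; the rest of the application keeps the adapter's normal role checks. Because the decision is made from a signed token claim rather than from an HTTP session attribute, nothing has to be replicated between nodes, and the prompt=login guard turns a misconfigured flow (one that never sets the note) into a 403 rather than a redirect loop.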

