[keycloak-user] JBoss EAP/WildFly Adapter - JAAS Login Module for OTP

R M robdtx99 at gmail.com
Tue Sep 3 09:53:39 EDT 2019


Hi Marek, and thanks.
But unfortunately I want to achieve your point B.

I can understand that from a security point of view the recommendation is to
use scenario A (and I already tested enabling OTP and using the FreeOTP app
on mobile), but I must go with scenario B.
I see some standard login modules available, but one based on OTP does not
seem to be available.

I hope someone has already developed one.

Roberto

On Tue, 3 Sep 2019 at 09:21, Marek Posolda <mposolda at redhat.com> wrote:

> I am not sure what exactly you want to achieve? Do you want:
> a) SSO login, which means that your application will redirect to
> Keycloak and the login forms will be displayed by Keycloak?
> b) Or do you want your application to "display" the login forms?
>
> The Keycloak is SSO, so it is highly recommended to use the use-case
> (a). In that case, you need to change the "auth-method" to KEYCLOAK as
> you pointed (in case that your application is deployed on Wildfly
> server). It is recommended to try some Keycloak quickstarts. Once your
> application redirects to Keycloak, you can just configure OTP
> authenticator on the Keycloak side and you don't need to configure
> anything more on your application side. The used authenticators and
> authentication mechanisms will be completely controlled by Keycloak.
>
> Marek
>
> On 02. 09. 19 16:12, R M wrote:
> > Hi
> >
> > According to the Security APP Documentation, I can provide an adapter
> > config file in WAR and change the auth-method to KEYCLOAK within web.xml.
> > Alternatively, I don't have to modify WAR at all and I can secure it via
> > the Keycloak adapter subsystem configuration in the configuration file,
> > such as standalone.xml
> >
> > But my app has a FORM Login Authentication mechanism: in web.xml I have so
> >
> >    <login-config>
> >      <auth-method>FORM</auth-method>
> >      <realm-name></realm-name>
> >      <form-login-config>
> >        <form-login-page>/Login.jsp</form-login-page>
> >        <form-error-page>/LoginError.jsp</form-error-page>
> >      </form-login-config>
> >    </login-config>
> >
> > and according to this the Login.jsp is submitting values to
> > "j_security_check"
> >
> > I want to continue to use this, but I want KEYCLOAK to take control to check
> > credentials (and manage the OTP)
> >
> > It is not clear (not able to find) if there is some "standard" adapter or
> > login module available and the "name" to give to the OTP field in the login
> > form
> >
> > e.g. using PicketBox
> > https://developer.jboss.org/wiki/OTPIntegrationWithJBossApplicationServer
> >
> > but now PicketLink and Keycloak projects are merged and I want to use a
> > similar way using OTP and the Keycloak server
> >
> > So I'm looking for the Keycloak replacement of JBossTimeBasedOTPLoginModule
> > (and related setup)
> >
> >   <login-module
> > code="org.jboss.security.auth.spi.otp.JBossTimeBasedOTPLoginModule" />
> >
> >
> > Do you have any idea?
> > Thanks