Ello all,
I am wondering if there is a way to only require 2factor authentication when not coming from a list of trusted IP networks? If they are on a trusted one, only require user/password.
Yes, with 2F services like Duo
What is the point of Keycloak then? Obviously Duo can do 2FA too. Duo can do local provider authentication (like LDAP) if you are relying on it to do login policy enforcement.
You would need to write a custom ConditionalAuthenticator
that checked to see if the user is coming from a "list of trusted IP networks", and conditionally show a 2FA challenge if they are not. For more information on writing and installing custom authenticators, see this portion of the developer documentation: Server Developer Guide
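A sketch of such a condition, written for this thread rather than taken from any of the projects linked here: it implements Keycloak's ConditionalAuthenticator so that the sub-flow it guards (for example an OTP step) runs only when the client address is outside the configured networks. The class name, the `trusted.cidrs` config key and its comma-separated format are assumptions, and the matching ConditionalAuthenticatorFactory that declares that property is not shown.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.authenticators.conditional.ConditionalAuthenticator;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

// Hypothetical class; the factory that registers it is not shown.
public class TrustedNetworkCondition implements ConditionalAuthenticator {
    // Assumed config key: comma-separated CIDR literals, e.g. "10.0.0.0/8, 2001:db8::/32".
    static final String TRUSTED_CIDRS = "trusted.cidrs";

    // True when the client is NOT on a trusted network, so the guarded sub-flow runs only then.
    @Override
    public boolean matchCondition(AuthenticationFlowContext context) {
        AuthenticatorConfigModel cfg = context.getAuthenticatorConfig();
        String cidrs = cfg == null ? null : cfg.getConfig().get(TRUSTED_CIDRS);
        if (cidrs == null || cidrs.isBlank()) return true; // nothing trusted: always 2FA
        // Address Keycloak saw; behind a reverse proxy it is the real client only when
        // Keycloak is configured to trust that proxy's forwarded headers.
        String remote = context.getConnection().getRemoteAddr();
        if (remote == null) return true; // unknown source must never count as trusted
        for (String cidr : cidrs.split(",")) {
            if (inCidr(remote, cidr)) return false; // trusted network: skip 2FA
        }
        return true;
    }

    // Bit-prefix comparison for IPv4 and IPv6 literals, without an external library.
    static boolean inCidr(String address, String cidr) {
        try {
            String[] parts = cidr.trim().split("/");
            byte[] net = InetAddress.getByName(parts[0]).getAddress();
            byte[] addr = InetAddress.getByName(address).getAddress();
            int prefix = parts.length > 1 ? Integer.parseInt(parts[1]) : net.length * 8;
            if (net.length != addr.length || prefix < 0 || prefix > net.length * 8) return false;
            for (int i = 0; i < prefix; i++) {
                int mask = 0x80 >> (i % 8);
                if ((net[i / 8] & mask) != (addr[i / 8] & mask)) return false;
            }
            return true;
        } catch (UnknownHostException | NumberFormatException e) {
            return false; // a malformed entry must never count as "trusted"
        }
    }

    @Override public void action(AuthenticationFlowContext context) { }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

In the flow, place this condition first inside a Conditional sub-flow and the OTP form after it; the remote address is only as trustworthy as the proxy configuration in front of Keycloak.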
Thanks for the info. Hopefully it is possible for me to write one. I'll share it if I am successful.
Feel free to share issues here. There are lots of examples of extensions and ConditionalAuthenticator
implementations out there, and the use case you're describing isn't complex.
Hello @hydrian, here is an old example of what I think you're trying to achieve: GitHub - lukaszbudnik/keycloak-ip-authenticator: Simple Custom Java Keycloak Authenticator (you might need to adapt it a bit for recent keycloak versions, and check that its code is compliant for production because it is just an example for demonstration purposes)
This person (Lukas) has also published a YouTube video to illustrate his samples: https://www.youtube.com/watch?v=u36QK9oyrtM&ab_channel=ŁukaszBudnik
One of these examples "out there" is mine, the ConditionalCidrAuthenticator
which can be used to configure (multiple) CIDRs which are allowed or not:
Thanks all. I'll start looking into these. These examples are really helpful because my Java programming skills are not the best.
So you might enjoy this video about keycloak extensions development best practices, provided by @dasniko : https://www.youtube.com/watch?v=1IhcQjdjbsI&ab_channel=NikoKöbler-ExpertforKeycloakIAM%26SSO
Thanks. That is useful.