2Factor usage only on untrusted networks

Ello all,

I am wondering if there is a way to only require 2-factor authentication when the user is not coming from a list of trusted IP networks? If they are on a trusted one, only require user/password.

Yes, with 2F services like Duo

What is the point of Keycloak then? Obviously Duo can do 2FA too. Duo can do local provider authentication (like LDAP) if you are relying on it to do login policy enforcement.

You would need to write a custom ConditionalAuthenticator that checked to see if the user is coming from a “list of trusted IP networks”, and conditionally show a 2FA challenge if they are not. For more information on writing and installing custom authenticators, see this portion of the developer documentation: Server Developer Guide

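As an added example of the approach described in the reply above (not code from Keycloak or from any of the posters), here is a minimal `ConditionalAuthenticator` plus its factory that returns true, and so lets the nested 2FA step run, only when the client address is outside every configured CIDR. The package name, class names, provider ID `conditional-untrusted-network` and config key `trusted-cidrs` are all assumptions made for this example. Two points a practitioner should check: `getRemoteAddr()` is the TCP peer as Keycloak sees it, so behind a reverse proxy it is the proxy's address unless Keycloak is configured to trust that proxy's forwarded headers (otherwise everyone can look "internal" and 2FA is skipped for all users); and the code fails closed, treating a missing config, a null or unparsable address, or an IPv4/IPv6 family mismatch as untrusted.

```java
package com.example.keycloak.auth; // hypothetical package for this example

import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Collections;
import java.util.List;

import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.authenticators.conditional.ConditionalAuthenticator;
import org.keycloak.authentication.authenticators.conditional.ConditionalAuthenticatorFactory;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

/** Condition that is TRUE when the client is OUTSIDE all configured trusted CIDRs. */
public class UntrustedNetworkCondition implements ConditionalAuthenticator {
    static final UntrustedNetworkCondition SINGLETON = new UntrustedNetworkCondition();
    static final String CONF_CIDRS = "trusted-cidrs"; // assumed config key

    @Override
    public boolean matchCondition(AuthenticationFlowContext context) {
        AuthenticatorConfigModel cfg = context.getAuthenticatorConfig();
        String raw = (cfg == null || cfg.getConfig() == null) ? null : cfg.getConfig().get(CONF_CIDRS);
        if (raw == null || raw.isBlank()) return true; // fail closed: nothing configured, always challenge

        // Peer address as Keycloak sees it; behind a proxy this is the proxy unless
        // Keycloak is configured to trust that proxy's forwarded headers.
        String remote = context.getConnection().getRemoteAddr();
        if (remote == null) return true; // getByName(null) would yield loopback; never trust that
        InetAddress client;
        try {
            client = InetAddress.getByName(remote);
        } catch (UnknownHostException e) {
            return true; // unparsable address: treat as untrusted
        }
        for (String cidr : raw.split("[,\\s]+")) {
            if (!cidr.isEmpty() && inCidr(client, cidr)) return false; // trusted network: skip 2FA
        }
        return true; // outside every trusted network: run the 2FA subflow
    }

    /** Longest-prefix style bitwise match of addr against "net/prefix"; no match across IP families. */
    static boolean inCidr(InetAddress addr, String cidr) {
        String[] parts = cidr.split("/", 2);
        InetAddress net;
        try { net = InetAddress.getByName(parts[0]); } catch (UnknownHostException e) { return false; }
        byte[] a = addr.getAddress(), n = net.getAddress();
        if (a.length != n.length) return false; // IPv4 vs IPv6
        int bits = a.length * 8, prefix;
        try { prefix = parts.length == 2 ? Integer.parseInt(parts[1]) : bits; } catch (NumberFormatException e) { return false; }
        if (prefix < 0 || prefix > bits) return false;
        for (int i = 0; i < prefix; i++) {
            int mask = 0x80 >>> (i % 8);
            if (((a[i / 8] ^ n[i / 8]) & mask) != 0) return false;
        }
        return true;
    }

    @Override public void action(AuthenticationFlowContext context) { }
    @Override public boolean requiresUser() { return false; } // pure IP check, no user needed
    @Override public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) { }
    @Override public void close() { }
}

/** Factory registered via META-INF/services/org.keycloak.authentication.AuthenticatorFactory. */
class UntrustedNetworkConditionFactory implements ConditionalAuthenticatorFactory {
    public static final String PROVIDER_ID = "conditional-untrusted-network"; // assumed id
    private static final AuthenticationExecutionModel.Requirement[] CHOICES = {
        AuthenticationExecutionModel.Requirement.REQUIRED, AuthenticationExecutionModel.Requirement.DISABLED };

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Condition - client outside trusted networks"; }
    @Override public String getReferenceCategory() { return "condition"; }
    @Override public boolean isConfigurable() { return true; }
    @Override public AuthenticationExecutionModel.Requirement[] getRequirementChoices() { return CHOICES; }
    @Override public boolean isUserSetupAllowed() { return false; }
    @Override public String getHelpText() { return "True when the client IP is not inside any configured CIDR."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() {
        return Collections.singletonList(new ProviderConfigProperty(UntrustedNetworkCondition.CONF_CIDRS,
            "Trusted CIDRs", "Comma separated, e.g. 10.0.0.0/8, 192.168.1.0/24, fd00::/8",
            ProviderConfigProperty.STRING_TYPE, ""));
    }
    @Override public ConditionalAuthenticator getSingleton() { return UntrustedNetworkCondition.SINGLETON; }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
}
```

To wire it up, copy the browser flow, and inside the forms subflow after the Username Password Form add a conditional subflow containing this condition (Required, configured with the trusted CIDRs) followed by the OTP Form (Required). Because the condition is true only for clients outside the CIDRs, users on a trusted network pass with just username/password while everyone else gets the OTP challenge. The factory must be listed in `META-INF/services/org.keycloak.authentication.AuthenticatorFactory` inside the deployed JAR.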

Thanks for the info. Hopefully it is possible for me to write one. I’ll share it if I am successful.


Feel free to share issues here. There are lots of examples of extensions and ConditionalAuthenticator implementations out there, and the use case you’re describing isn’t complex.

Hello @hydrian, here is an old example of what I think you’re trying to achieve: GitHub - lukaszbudnik/keycloak-ip-authenticator: Simple Custom Java Keycloak Authenticator (you might need to adapt it a bit for recent Keycloak versions, and check that its code is compliant for production because it is just an example for demonstration purposes).
This person (Łukasz) has also published a YouTube video to illustrate his samples: https://www.youtube.com/watch?v=u36QK9oyrtM&ab_channel=ŁukaszBudnik

One of these examples “out there” is mine, the ConditionalCidrAuthenticator which can be used to configure (multiple) CIDRs which are allowed or not:


Thanks all. I’ll start looking into these. These examples are really helpful because my Java programming skills are not the best.

So you might enjoy this video about Keycloak extension development best practices, provided by @dasniko: https://www.youtube.com/watch?v=1IhcQjdjbsI&ab_channel=NikoKöbler-ExpertforKeycloakIAM%26SSO


Thanks. That is useful.