Authentication using mobile notification

Greetings everyone,

I have a unique requirement that I can't find anywhere on the whole internet; even ChatGPT gives up…

I want a custom authenticator on my Keycloak that sends a notification to my organization's mobile app.

That notification will ask the mobile user’s consent.

Once the mobile user clicks the "Approval" button, Keycloak will automatically log the user in.

If the user clicks the "Deny" button, it won't allow the login.

What I have done is:

I am able to create a custom authenticator by implementing the Authenticator and AuthenticationFactory interfaces, as described in the Keycloak documentation.

When I click on my custom authenticator, the authenticator sends a notification to my mobile app.

But the problem here is:

From the mobile app, where should I send the mobile user's consent back to?

Is there any way to do that?

Currently what I am doing is:

I have started a timer of 5 seconds that starts when my custom authenticator is clicked.

I have exposed a custom REST endpoint in Keycloak which takes the user consent and stores it in a hashmap.

I check the user consent from the hashmap… if the user consent is "allow" in the map then I allow the login, otherwise not.

But the timer approach is not good.

I need an alternative, robust approach.

Thank you!

Hi,

Your use case is great. I don't have much of a clue, but I will look at CIBA and action tokens within Keycloak.

CIBA does the behind-the-scenes authentication with a timeout but doesn't provide any authenticator.
I assume an action token could be used to validate the CIBA authentication. But I still miss how to launch a CIBA flow from an authenticator flow within Keycloak.

"From the mobile app, where should I send the mobile user's consent back to?"
I will use an action token for that.

Regards
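Added example, not code from either poster: one way to replace the 5-second timer and unkeyed hashmap from the question with a challenge that is bound to the browser's authentication session and consumed in the authenticator's own action phase. The Keycloak SPI types (Authenticator, AuthenticationFlowContext, AuthenticationSessionModel, AuthenticationFlowError, the LoginFormsProvider returned by form()) are real; the package name, the PushClient interface, the ConsentStore class and the push-consent-wait.ftl template are assumptions made for this example. The REST endpoint the mobile app calls is not shown; it is assumed to authenticate the app (for instance by validating a bearer token issued to that user) and then call STORE.record(...). The javax.ws.rs import applies to Keycloak before 22; later releases use jakarta.ws.rs. Java 17 is assumed for the record type.

```java
package com.example.pushauth; // hypothetical package

import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.ws.rs.core.Response; // jakarta.ws.rs.core.Response on Keycloak 22+

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.sessions.AuthenticationSessionModel;

public class PushConsentAuthenticator implements Authenticator {

    static final String NOTE_CHALLENGE = "push-consent-challenge";
    static final long LIFESPAN_MS = 60_000L;            // how long a push may stay unanswered
    private static final SecureRandom RNG = new SecureRandom();

    /** Hypothetical push sender; wire in the organization's real push service. */
    public interface PushClient { void notify(UserModel user, String challengeId); }
    public static PushClient push = (user, id) -> { /* send notification carrying id */ };

    // Shared with the REST endpoint the mobile app calls. In-memory, so single-node only;
    // a clustered deployment needs a store every node can see.
    public static final ConsentStore STORE = new ConsentStore();

    @Override
    public void authenticate(AuthenticationFlowContext ctx) {
        UserModel user = ctx.getUser();                 // identified by an earlier step (username form)
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);                             // unguessable challenge id
        String challengeId = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);

        // Bind the challenge to this authentication session and this user, so only the
        // browser that started the login can consume the decision, and only for that user.
        ctx.getAuthenticationSession().setAuthNote(NOTE_CHALLENGE, challengeId);
        STORE.open(challengeId, user.getId(), System.currentTimeMillis() + LIFESPAN_MS);

        push.notify(user, challengeId);
        ctx.challenge(waitPage(ctx));
    }

    // Reached whenever the waiting page POSTs back (periodic refresh or a "Continue" button).
    @Override
    public void action(AuthenticationFlowContext ctx) {
        AuthenticationSessionModel authSession = ctx.getAuthenticationSession();
        String challengeId = authSession.getAuthNote(NOTE_CHALLENGE);
        ConsentStore.Decision d = STORE.consume(challengeId, ctx.getUser().getId(), System.currentTimeMillis());
        if (d != ConsentStore.Decision.PENDING) authSession.removeAuthNote(NOTE_CHALLENGE);
        switch (d) {
            case APPROVED: ctx.success(); break;
            case DENIED:   ctx.failure(AuthenticationFlowError.ACCESS_DENIED); break;
            case EXPIRED:  ctx.failure(AuthenticationFlowError.EXPIRED_CODE); break;
            default:       ctx.challenge(waitPage(ctx)); // still pending: show the page again
        }
    }

    private Response waitPage(AuthenticationFlowContext ctx) {
        // Assumed theme template: shows "confirm on your phone" and POSTs to ${url.loginAction}
        // every few seconds, which lands in action() above.
        return ctx.form().createForm("push-consent-wait.ftl");
    }

    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }

    /** Decision store: the REST endpoint calls record(), the authenticator calls consume(). */
    public static final class ConsentStore {
        public enum Decision { PENDING, APPROVED, DENIED, EXPIRED }
        private record Entry(String userId, long expiresAt, Decision decision) { }
        private final Map<String, Entry> entries = new ConcurrentHashMap<>();

        void open(String id, String userId, long expiresAt) {
            entries.put(id, new Entry(userId, expiresAt, Decision.PENDING));
        }

        /** Called by the endpoint after it has authenticated the mobile app and resolved userId
         *  from that credential, never from the request body. Only a pending challenge that
         *  belongs to the same user can be decided, and it can be decided once. */
        public boolean record(String id, String userId, boolean approved) {
            Entry e = entries.get(id);
            if (e == null || !e.userId().equals(userId) || e.decision() != Decision.PENDING) return false;
            entries.put(id, new Entry(e.userId(), e.expiresAt(), approved ? Decision.APPROVED : Decision.DENIED));
            return true;
        }

        /** One-shot read: a final or expired entry is removed as it is returned, so it cannot be replayed. */
        Decision consume(String id, String userId, long now) {
            Entry e = id == null ? null : entries.get(id);
            if (e == null || !e.userId().equals(userId) || now > e.expiresAt()) {
                if (id != null) entries.remove(id);
                return Decision.EXPIRED;
            }
            if (e.decision() == Decision.PENDING) return Decision.PENDING;
            entries.remove(id);
            return e.decision();
        }
    }
}
```

The difference from the timer approach is where the waiting happens: the browser re-posts to the execution URL and the authenticator re-challenges until a decision exists, so a slow user is not cut off at 5 seconds and a fast one is not made to wait for the timer. The security properties to keep whichever store you use are the ones the ConsentStore enforces: the challenge id is random and short-lived, it is tied to the user the earlier step identified, the endpoint derives the user from the mobile app's own credential rather than trusting a user id in the request, and a decision can be recorded and consumed exactly once.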