Can I use SMS OTP Authentication in Keycloak?

Team,

We are using Keycloak 11.0.2 for common auth in a microservice architecture. One of our client requirements is that the app needs to log in using a user ID together with an SMS OTP (Twilio provider). Is there any plugin available to cover this option in Keycloak?

Could you please share a valid working plugin, documentation or any samples already developed for this requirement? (any relevant documentation)

We are using Java 11.

Hi,

I have an example here, using AWS SNS as SMS provider: https://github.com/dasniko/keycloak-2fa-sms-authenticator

Using Twilio, you have to implement the SmsService interface for Twilio yourself, I don’t know the Twilio API. But the rest of the Keycloak authenticator you can of course use as a good starting point.

Docs for the authenticator are not ready yet, but it should be obvious from the code, hopefully.

Have a look at the repo!
Does it help?

1 Like
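As a starting point for the Twilio side mentioned in the answer above, here is an added example (not code from the linked repository or its author) of an SmsService implementation backed by the Twilio Java SDK. It assumes the interface has a single `send(phoneNumber, message)` method and that the factory hands the implementation the execution's config map; the config keys `twilio.accountSid`, `twilio.authToken` and `twilio.from` are placeholder names chosen here.

```java
import com.twilio.Twilio;
import com.twilio.rest.api.v2010.account.Message;
import com.twilio.type.PhoneNumber;
import java.util.Map;

/** Assumed shape of the authenticator's SmsService interface; check the repo for the real definition. */
interface SmsService {
    void send(String phoneNumber, String message);
}

/** Twilio-backed SmsService. Credentials come from the execution's config map (key names assumed). */
public class TwilioSmsService implements SmsService {
    private static final String CFG_SID = "twilio.accountSid";   // assumed config key
    private static final String CFG_TOKEN = "twilio.authToken";  // assumed config key
    private static final String CFG_FROM = "twilio.from";        // assumed config key
    private final String fromNumber;

    public TwilioSmsService(Map<String, String> config) {
        // Fail at startup if credentials are missing instead of failing on the first login attempt.
        Twilio.init(require(config, CFG_SID), require(config, CFG_TOKEN));
        this.fromNumber = require(config, CFG_FROM);
    }

    @Override
    public void send(String phoneNumber, String message) {
        // E.164 only: rejects malformed numbers before they reach the SMS gateway.
        if (phoneNumber == null || !phoneNumber.matches("\\+[1-9]\\d{1,14}")) {
            throw new IllegalArgumentException("phone number must be in E.164 format");
        }
        try {
            Message.creator(new PhoneNumber(phoneNumber), new PhoneNumber(fromNumber), message).create();
        } catch (RuntimeException e) {
            // Fail closed: a lost SMS must not turn into a skipped second factor.
            // The message body contains the OTP, so it is deliberately not logged here.
            throw new IllegalStateException("SMS delivery failed for " + mask(phoneNumber), e);
        }
    }

    private static String require(Map<String, String> config, String key) {
        String value = config == null ? null : config.get(key);
        if (value == null || value.isBlank()) {
            throw new IllegalStateException("missing authenticator config value: " + key);
        }
        return value;
    }

    /** Keeps only the last four digits so error logs do not expose full phone numbers. */
    private static String mask(String number) {
        return "***" + number.substring(Math.max(0, number.length() - 4));
    }
}
```

The authenticator should treat an exception from `send` as a failed challenge rather than letting the user continue without the OTP.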

Thanks for your quick response and help.
Since I am new to Keycloak implementation, could you please clarify the points below:

  • Where do I have to upload this JAR file, and are there any other settings I have to configure in the Keycloak portal?
  • Do I need to move the template file to a server?

Also, I would like to add this login flow to one of the clients in the realm.

You should read (and understand) the developer docs here: https://www.keycloak.org/docs/latest/server_development/index.html

After deploying the custom authenticator, you have to create a new authentication flow in admin UI to use this authenticator as an execution. In this flow/execution, you can (or have to, depends on your authenticator) configure the authenticator.

With my example, it’s not necessary to deploy an extra template, as it comes along with the resources of the authenticator jar. It suits the needs if you use a theme based on the base template. If you have a completely different theme, you have to adjust the theme resources from the authenticator and deploy them with your own extension or separately with your theme.

Please, read the docs first!!

1 Like

@dasniko Hi, thanks for the tutorial! However, the tutorial only shows how a user with a browser can talk to Keycloak; but in my case, I have a mobile app and users need to log in using that (instead of a web page).

Therefore, I wonder what I should do. Thanks for any suggestions!

Some time back we made an API to do auth not only with Keycloak but also with Google for different platforms (including Windows Phone). See this video of it in action using a demo application called shoot and share. The actual library you can find on GitHub as well. It’s no longer maintained but you can maybe use it for inspiration.

Hi @dasniko / @edewit
I tried your 2FA SMS-based authentication example, which is working very fine.
But I want to use the Keycloak APIs with my other frontend app, and I was not able to find any way to use SMS-based OTP in the Keycloak API.

For reference: Access Keycloak APIs using Two-Factor Authentication · Ultimate Security Professional Blog
In the above link, for Google Authenticator / FreeOTP there is a provision for giving the OTP to the Keycloak API with a parameter named TOTP.

Please suggest some way in which I can use SMS-based OTP in the Keycloak API.

I’m sorry @khushminder270, but I don’t know how to do that.

Hello @khushminder270
I also tried the 2FA SMS-based authentication example,
created my custom SMS authentication flow and replaced my browser flow with it,
and also achieved browser-based SMS authentication,
which worked fine.
But in the same way I want to use my custom SMS authentication flow via API with my frontend or Postman.
Did you find any solution to this?

Hi @dasniko / @edewit,
I created a 2FA SMS-based authentication browser flow
and achieved SMS authentication, but can’t find any way to access that login API with Postman.

For reference:

Please suggest some way in which I can use SMS-based OTP in the Keycloak API using Postman.

How should this work? How do you expect to get the challenge?
2FA with text messages is IMHO not a viable solution when using a (REST) API call, as you need a challenge flow, which you don’t have in a single request, usually.

Thanks for the quick response,

Basically, I created a browser flow for login with OTP.
Once I change the bindings (authentication tab) from the browser flow to my custom “browser with sms” flow, which includes two forms: username and password, and on the second page an SMS Authentication (sms-auth) validation form.
Once I fill in the username and password, it calls the generate OTP and send OTP REST API, sets the code and TTL parameters, and redirects to the second code validation page; once it verifies the user, it redirects to the main dashboard page.

Using the browser flow I am able to log in using my custom SMS authentication flow,
but when I try to call the “http://localhost:8180/auth/realms/master/login-actions/authenticate” API, which is used for login, in Postman,
as per the Keycloak documentation I can’t call this API from Postman.

Also, we use
http://localhost:8180/auth/realms/master/protocol/openid-connect/token to generate a token and also for login.
In the same way I have to apply my custom authentication flow, which I applied in the browser flow, for login,
so instead of the token API, I want another login API which has my custom flow.

I saw your video but it seems to me that there is no validation step of the phone number. At the first login I would have thought that the system would verify the phone number by requesting you to enter a code that was sent. Otherwise it seems to me that there may be many users who are unable to log in. Isn’t it?

I never pretended that the demo/example is fully functional and complete. If you have a look into the source code, you’ll see that there is a comment to do further phone number validation. Also it’s possible to add a required action to gather the phone number from the users. Whether this is needed is highly dependent on the use case. In case the users are already provisioned with all the needed data, there’s no need for such a step, in other cases perhaps yes.

It’s an EXAMPLE, to demonstrate things. It’s not a ready-to-use extension. Use it at your own risk.

(If you want to have a ready-to-use extension with lots of functionality, we can talk about that. You’ll tell me your features, I’ll tell you what it costs for you to have me implement it.)

1 Like