How to work with REST API for registering/signing-in users using phone/OTP from another web page?

Phone/OTP login is very popular. Yet when we asked the Keycloak team to provide it out of the box, they refused, claiming that it is not secure because of some attacks like operator swapping.

However, we still need this, because some customers want it. This is the scenario:

  1. We create a phone/OTP form outside Keycloak (since we are not Java developers and we have failed, for a couple of reasons, to extend it)
  2. The user comes in. Enters his phone number. Either he exists, or he is a new user. We create an OTP and send it to the user. Yet what should we do in this part with Keycloak?
  3. The user receives the OTP and enters it. We now want to sign in the user and get the OIDC JWT. How should we use REST API for this purpose?

I know that we can use REST API if we have username/password as below:

curl -X POST 'http://keycloak.example.com/auth/realms/your_realm/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=your_client_id' \
--data-urlencode 'client_secret=your_client_secret' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=your_username' \
--data-urlencode 'password=your_password'

But in this case, we do not have the password. In other words, we do the authentication part, and we want to ask Keycloak to give us a token for this username without a password.

Hi,

There are some possibilities to implement a secure login for human end users directly in Keycloak.
First, always use a web based OIDC or SAML redirect from your app using system standard browser, then authenticate at Keycloak by
(1) Username + (strong!) password + MFA, or
(2) Username + Webauthn (FIDO2, Passkeys, …), or
(3) use a web based OIDC or SAML redirect to a third party IdP which itself is using (1), (2) or (3)

Keycloak has a user registration option and a user self-service account console; both are customizable (ok, modifying the user account console is painful). You can even implement your own user account console; there's an OAuth-secured end-user API for that. So there's everything you need; it's recommended to use that instead of implementing your own login stuff.

Almost every online banking system kicked SMS-based TANs due to security reasons already years ago.
And sorry, “because some customers want it” is not really a valid argument to do security nonsense.


@mbonn, please look at Ory. And also Here

There is GitHub - p2-inc/keycloak-magic-link (Magic Link Authentication for Keycloak) for an email-based login flow.

Keycloak is, like most other IdPs also, an opinionated implementation of an OIDC provider.
Just because one provider does offer something, that doesn’t mean that
a) Keycloak must/should do also the same and
b) the offered feature is legit/secure/proper

If Keycloak doesn't offer some desired feature ootb, most of the time there's a reason for it. But everyone is free to extend Keycloak with the provided SPIs. They are there to be used.

And, just like @mbonn wrote, "because some customers want it" is not a legit requirement for security. Most customers don't know about security, and it's the responsibility of all of us to teach them the proper things, and not just implement what they want because they're throwing money at you.


I agree with dasniko and mbonn.
Nevertheless, OTP login is still used everywhere. Luckily, nowadays we can offer more secure passwordless alternatives. However, for some business units and use cases, relying on this authentication mechanism is common, and it’s also common to conduct risk analysis to implement MFA in certain scenarios to mitigate the risks stated earlier.
But, again, agreeing with dasniko in relation to SPIs, it's frequent that you end up customizing Keycloak. Therefore, find some time to learn Java + IAM 😀
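As an added example of the SPI route that dasniko's reply and the last reply both point at (this is not code from the thread or from the Keycloak project), here is a phone/OTP step written as a Keycloak Authenticator. It runs inside Keycloak's own browser flow, after the username/password step, so it is a second factor rather than the sole factor the original question asked for, and Keycloak issues the tokens at the end of the flow as usual; nothing outside Keycloak ever needs to ask for a token "without a password". Assumptions: Keycloak 22 or newer (jakarta namespace), the user's phone number is stored in a user attribute named phoneNumber, a theme template phone-otp.ftl exists with a form field named otp, and SmsSender is a hypothetical interface you implement for your SMS provider. The factory class and the META-INF/services/org.keycloak.authentication.AuthenticatorFactory registration that wire it into a flow are not shown.

```java
// Added example, not code from the thread or from Keycloak itself.
// Assumes Keycloak 22+, a "phoneNumber" user attribute, a "phone-otp.ftl"
// template with an "otp" form field, and a hypothetical SmsSender interface.
package org.example.keycloak.phoneotp;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

import jakarta.ws.rs.core.MultivaluedMap;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.sessions.AuthenticationSessionModel;

public class PhoneOtpAuthenticator implements Authenticator {

    /** Hypothetical SMS gateway abstraction; implement it for your provider. */
    public interface SmsSender { void send(String phoneNumber, String text); }

    private static final String NOTE_CODE = "phone-otp.code";
    private static final String NOTE_EXPIRES = "phone-otp.expires";
    private static final String NOTE_ATTEMPTS = "phone-otp.attempts";
    private static final String TEMPLATE = "phone-otp.ftl";
    private static final int CODE_LENGTH = 6;
    private static final long TTL_MILLIS = 5 * 60 * 1000L; // code valid for 5 minutes
    private static final int MAX_ATTEMPTS = 3;              // then the flow fails
    private static final SecureRandom RNG = new SecureRandom();

    private final SmsSender sms;

    public PhoneOtpAuthenticator(SmsSender sms) { this.sms = sms; }

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // requiresUser() is true, so the password step has already identified the user.
        String phone = context.getUser().getFirstAttribute("phoneNumber");
        if (phone == null || phone.isBlank()) {
            context.attempted(); // no phone on file: let the flow's requirement decide
            return;
        }
        // Zero-padded numeric code from a CSPRNG, stored only in the auth session.
        String code = String.format("%0" + CODE_LENGTH + "d", RNG.nextInt((int) Math.pow(10, CODE_LENGTH)));
        AuthenticationSessionModel authSession = context.getAuthenticationSession();
        authSession.setAuthNote(NOTE_CODE, code);
        authSession.setAuthNote(NOTE_EXPIRES, Long.toString(System.currentTimeMillis() + TTL_MILLIS));
        authSession.setAuthNote(NOTE_ATTEMPTS, "0");
        sms.send(phone, "Your login code is " + code);
        context.challenge(context.form().createForm(TEMPLATE));
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        AuthenticationSessionModel authSession = context.getAuthenticationSession();
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String entered = form.getFirst("otp");
        String expected = authSession.getAuthNote(NOTE_CODE);
        String expires = authSession.getAuthNote(NOTE_EXPIRES);
        int attempts = Integer.parseInt(authSession.getAuthNote(NOTE_ATTEMPTS)) + 1;
        authSession.setAuthNote(NOTE_ATTEMPTS, Integer.toString(attempts));

        // Expired or missing code: discard it and make the user restart the step.
        if (expected == null || expires == null || System.currentTimeMillis() > Long.parseLong(expires)) {
            clear(authSession);
            context.failureChallenge(AuthenticationFlowError.EXPIRED_CODE,
                    context.form().setError("phoneOtpExpired").createForm(TEMPLATE));
            return;
        }
        // Constant-time comparison; a mismatch counts against the attempt budget.
        boolean match = entered != null && MessageDigest.isEqual(
                entered.getBytes(StandardCharsets.UTF_8), expected.getBytes(StandardCharsets.UTF_8));
        if (!match) {
            if (attempts >= MAX_ATTEMPTS) {
                clear(authSession);
                context.failure(AuthenticationFlowError.INVALID_CREDENTIALS); // ends the flow
                return;
            }
            context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS,
                    context.form().setError("phoneOtpInvalid").createForm(TEMPLATE));
            return;
        }
        clear(authSession);   // one-time: never accept the same code twice
        context.success();
    }

    private static void clear(AuthenticationSessionModel s) {
        s.removeAuthNote(NOTE_CODE);
        s.removeAuthNote(NOTE_EXPIRES);
        s.removeAuthNote(NOTE_ATTEMPTS);
    }

    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
        String phone = user.getFirstAttribute("phoneNumber");
        return phone != null && !phone.isBlank();
    }
    @Override public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) { }
    @Override public void close() { }
}
```

Placing the authenticator as a REQUIRED step after the Username Password Form in a copy of the browser flow gives the MFA arrangement the last reply describes; the SMS channel then only has to defend the second factor, not the whole account. The code lives in the authentication session rather than on the user, so it cannot be replayed from another login attempt, and the expiry, attempt limit and constant-time compare are the checks a reviewer will ask about first.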