Multiple security stages

Hi, I’m quite new to Keycloak, so please excuse my probably stupid question. Unfortunately I cannot figure out how to properly configure Keycloak to match the requirements.

I have an Angular application that consists of multiple layers, for “public”, “authenticated” and “trusted” users. “Public” is accessible to everyone and does not need any authentication - this works since I just don’t request Keycloak.

“Authenticated” should only require the user to sign up and have a password.
“Trusted” users must have a password and a verified phone number.

Now my problem:
I can only configure one flow independent of where I am on my application. Can I somehow specify a specific flow for each authenticate request or how do I configure this properly?

Thanks in advance

It is not clear what “stage” means in your case. Let’s guess it’s an app route. So just apply a proper guard/authorization to each app route. The implementation is really Angular-based, so this is not a good forum for this question. Quick idea: angular-auth-oidc-client/guards.md at main · damienbod/angular-auth-oidc-client · GitHub

I have an Angular application - yes, so I have multiple routes, yes - let’s say the following:
/home (for public)
/account (for authenticated)
/buy (for trusted)

Right now I’m basically checking if a user is authenticated and if he’s not I redirect him to Keycloak where he authenticates - so far so good.
My problem is that this redirect to Keycloak has no context or similar. I only have one flow for Keycloak, but I need one for just password authentication and one for password auth plus SMS auth.

I do not know how to configure Keycloak to have multiple flows that can be used by redirection, controlled from the outside.

bump - does no one have an idea?

You could use different realms for each route. In each realm you could use a different authentication flow.

Maybe two different clients would be better than two different realms; there is an option in Keycloak to make a specific flow per client (overriding the default one).


@Cyben is it somehow possible to automatically switch between profiles depending on the URL?

Didn’t quite understand you; what do you mean by profile?

By the way, take a look at this code:

Really simple one. What I have done there is use the authorization code flow, but you could use something else.
But the main thing there, which maybe you should check out, is in the backend:
there is a public API endpoint so everyone can access it, and there is a protected one.
For the protected one I made an option for authentication only, or for authorization by any claim.

So if we will take it to your situation,
You could try to make:

  • public route for everyone
  • protected for authenticated users
  • protected for authorized users (when you get their token, check for example if they have the claim ‘trusted’ with the value ‘true’)

Hope you got it.
And there is no need for different flows for this implementation.

By the way, maybe this is what you are looking for:

https://www.keycloak.org/docs/latest/server_admin/#conditions-in-conditional-flows

I’m not sure if it works, never tried it but sounds good.