Yubikey and Keycloak integration

Hi, fellow keycloakers!

We want to add 2FA support with Yubikey devices, but we don't use Keycloak's login flow; rather, we use the admin REST API.

Our flow is:

  1. Create a new user with OTP (from the admin console)
  2. Send the user an email so he can configure his password and Google Authenticator
  3. When a user performs a login from our own website/application, we use the admin REST API ({{keycloak_url}}/realms/{{realm}}/protocol/openid-connect/token) and send the userName, password, and the TOTP token.

This flow is fine and working as expected.

Now, instead of the user working with Google Authenticator, we need the user to use a Yubikey device.

So a few questions:

  1. When creating a new user from the admin console (or admin API), is it possible to configure this user to use a Yubikey (I think it's called WebAuthn passwordless)?

  2. If 1 is possible, can we use the admin REST API to get an access token for this user? Do we need to generate an OTP from the Yubikey SDK and send it as well in the API?

Any help, guide, or information would be appreciated.
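The token request from step 3 of the flow above, written up as an added example (not code from the original post): it sends the TOTP code in the `totp` form field alongside username and password and surfaces Keycloak's OAuth2 error body on failure. The base URL, realm, client id and credentials are placeholders, and the `post` parameter exists so the request builder can be exercised without a live server.

```python
"""Direct-grant (Resource Owner Password) token request against Keycloak's
/realms/{realm}/protocol/openid-connect/token endpoint with a TOTP code."""
import json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen


class TokenError(Exception):
    """Raised when Keycloak answers with an OAuth2 error body instead of tokens."""


def http_post_form(url, form):
    """Default transport: POST an x-www-form-urlencoded body, return (status, body)."""
    req = Request(url, data=urlencode(form).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.getcode(), resp.read().decode()
    except HTTPError as err:
        # Keycloak returns 400/401 with a JSON error body; hand it back unchanged.
        return err.code, err.read().decode()


def direct_grant_token(base_url, realm, client_id, username, password,
                       totp=None, client_secret=None, post=http_post_form):
    """Exchange username/password (+ TOTP) for tokens; returns the parsed token JSON."""
    url = f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"
    form = {
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
    }
    if client_secret:  # only for confidential clients
        form["client_secret"] = client_secret
    if totp:
        # Keycloak's direct-grant OTP validator reads the code from the
        # "totp" form field (newer versions also accept "otp").
        form["totp"] = totp
    status, body = post(url, form)
    data = json.loads(body)
    if status != 200 or "access_token" not in data:
        raise TokenError(f"{data.get('error')}: {data.get('error_description')}")
    return data


if __name__ == "__main__":
    # Placeholder values; replace with your own realm, client and credentials.
    tokens = direct_grant_token("https://keycloak.example", "my-realm", "my-client",
                                "alice", "secret-password", totp="123456")
    print(tokens["access_token"][:16], "...")
```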

I'm not completely sure, because I have never used or implemented WebAuthn or Yubikey so far. But WebAuthn seems to rely on frontend redirections, so if you were to replicate what Keycloak does, you would need to dive quite deep into the internals.

In general it is discouraged to implement your own login masks, for that very reason: it's hard to integrate things like OTP and WebAuthn seamlessly and securely. Keycloak already does all of that.
