cooperlyt / keycloak-phone-provider

A Keycloak provider for phone and SMS
MIT License
276 stars 157 forks

Fixes sending SMS messages to unknown phonenumbers #75

Open mapidentity opened 1 year ago

mapidentity commented 1 year ago

This fixes an issue where the provider will send codes to any phone number given in the login screen. This is a potential abuse issue, since strangers should not receive (costly) messages. One exception is when allowing registration of new users.

Closes #47 (I think)

cooperlyt commented 1 year ago

Did you test this code in the 'Authentication Everybody By Phone' action?

mapidentity commented 1 year ago

Did you test this code in the 'Authentication Everybody By Phone' action?

I don't think this currently works with this provider. For example:

curl 'keycloak/realms/app/sms/authentication-code?phoneNumber=%2B5534990001234'

results in {"expires_in":60} but does not actually send a code. I believe this is because we can't distinguish AUTH requests between these two providers / flows. A solution could be putting this behind an option (for example, --spi-phone-allow-sending-unknown or something like that). Better suggestions are very much welcome.

I've tested it with the registration flow, that does work.
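The policy discussed in this thread, as an added illustration that is not code from keycloak-phone-provider or from either commenter: codes go out for known numbers, for any number during registration, and for unknown numbers in the "everybody by phone" flow only when an allow-unknown switch is set, while the endpoint's response stays the same either way so callers cannot probe which numbers exist. The user store, the flow names and the `allow_sending_unknown` switch are constructed assumptions modelled on the option proposed above.

```python
import logging
import re
from dataclasses import dataclass
from typing import Optional

log = logging.getLogger("phone-provider")

# Constructed sample store: E.164 phone numbers of already-registered users.
KNOWN_PHONE_NUMBERS = {"+5534990001234", "+15550001111"}

E164 = re.compile(r"^\+[1-9]\d{6,14}$")


@dataclass(frozen=True)
class Policy:
    # Hypothetical switch standing in for the "--spi-phone-allow-sending-unknown" idea.
    allow_sending_unknown: bool = False


def normalize(phone: str) -> Optional[str]:
    """Return the number in E.164 form, or None if it is not a valid E.164 number."""
    candidate = re.sub(r"[\s\-()]", "", phone)
    return candidate if E164.match(candidate) else None


def should_send_code(phone: str, flow: str, policy: Policy, known=KNOWN_PHONE_NUMBERS) -> bool:
    """Decide whether an SMS code may be sent for this request.

    flow is one of "registration", "authentication" or "everybody-by-phone"
    (assumed names; the last stands for the 'Authentication Everybody By Phone'
    action, where the number may legitimately be unknown).
    """
    number = normalize(phone)
    if number is None:
        return False                      # malformed input never triggers an SMS
    if flow == "registration":
        return True                       # new users are unknown by definition
    if number in known:
        return True
    if flow == "everybody-by-phone" and policy.allow_sending_unknown:
        return True
    return False


def handle_code_request(phone: str, flow: str, policy: Policy, send_sms) -> dict:
    """Endpoint-style handler: always answers {"expires_in": 60} so the caller
    cannot tell known from unknown numbers, but only sends when the policy allows."""
    if should_send_code(phone, flow, policy):
        send_sms(normalize(phone))
    else:
        log.warning("refused SMS code for %s in flow %s", phone, flow)  # worth alerting on
    return {"expires_in": 60}
```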

mapidentity commented 1 year ago

@cooperlyt I'd like to move this forward to an acceptable pull request. Can you offer your thoughts on this matter?