mesutpiskin / keycloak-2fa-email-authenticator

🔒 Keycloak Authentication Provider implementation to get two factor authentication with an OTP/code/token sent via Email (through SMTP)
https://medium.com/@mesutpiskin/two-factor-authentication-via-email-in-keycloak-custom-auth-spi-935bbb3952a8
Apache License 2.0

Add user to wrong 2fa event and add support for brute force detection #18

Closed bader-tayeb closed 1 year ago

bader-tayeb commented 1 year ago

I followed the example in this file https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/authentication/authenticators/browser/OTPFormAuthenticator.java, namely:

if (!valid) {
    context.getEvent().user(userModel)
            .error(Errors.INVALID_USER_CREDENTIALS);
    Response challengeResponse = challenge(context, Messages.INVALID_TOTP, Validation.FIELD_OTP_CODE);
    context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challengeResponse);
    return;
}

and

public class OTPFormAuthenticator extends AbstractUsernameFormAuthenticator

Now when 'Brute force detection' under 'Security defenses' is enabled, it'll work with email 2fa. Also when a user enters a wrong 2fa code, the event will include which user that happened to.
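As an added example (not code from this project or from Keycloak), here is an email-code step written to the pattern quoted above: the user is put on the event before the error is recorded, and the failure goes through failureChallenge with INVALID_CREDENTIALS. The class name, the auth note and form field "emailCode", and the template "email-code-form.ftl" are assumptions; generating and mailing the code is left to the project's own authenticate() logic.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.ws.rs.core.Response; // jakarta.ws.rs.core on recent Keycloak releases
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator;
import org.keycloak.events.Errors;
import org.keycloak.models.UserModel;
import org.keycloak.services.messages.Messages;

// Assumed names: the class, the auth note holding the mailed code, the form field, the template.
public class EmailOtpAuthenticator extends AbstractUsernameFormAuthenticator {
    private static final String CODE_NOTE = "emailCode";
    private static final String CODE_FIELD = "emailCode";
    private static final String TEMPLATE = "email-code-form.ftl";

    @Override
    public boolean requiresUser() {
        return true; // runs after the username step, so context.getUser() is already set
    }

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // Generating the code, storing it in CODE_NOTE and mailing it is the project's own
        // logic and is not shown here; this step only renders the code form.
        context.challenge(context.form().createForm(TEMPLATE));
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        String submitted = context.getHttpRequest().getDecodedFormParameters().getFirst(CODE_FIELD);
        String expected = context.getAuthenticationSession().getAuthNote(CODE_NOTE);
        UserModel user = context.getUser();
        boolean valid = submitted != null && expected != null
                && MessageDigest.isEqual(submitted.getBytes(StandardCharsets.UTF_8),
                                         expected.getBytes(StandardCharsets.UTF_8));
        if (!valid) {
            // Same pattern as OTPFormAuthenticator: name the user on the event so the
            // LOGIN_ERROR event records who failed, and fail through failureChallenge with
            // INVALID_CREDENTIALS so the flow records a failed login for brute force detection.
            context.getEvent().user(user).error(Errors.INVALID_USER_CREDENTIALS);
            Response challenge = context.form().setError(Messages.INVALID_TOTP).createForm(TEMPLATE);
            context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challenge);
            return;
        }
        context.getAuthenticationSession().removeAuthNote(CODE_NOTE); // the code is single-use
        context.success();
    }
}
```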