The URL + JWT is transmitted to the device by Firebase. (In the backend both endpoints differ only in the supplied JWT and their token handler. The setup token and the auth token each grant access to a single unique server-side action.)
The mobile device is supposed to use this URL to solve the supplied challenge (see below).
Challenge Endpoint (Setup App Auth):
/realms/realm-id/login-actions/action-token?key=jwt&client_id=account-console&tab_id=someTabId
Setup Steps:
Required additional query parameters:
Authentication Endpoint (basically the same endpoint):
/realms/realm-id/login-actions/action-token?key=jwt&client_id=account-console&tab_id=someTabId
Auth Steps:
Required additional query parameters:
secret: decrypted secret (see below)
The Firebase message contains an encrypted secret (RSA), which the app is supposed to decrypt with its private key and send the decrypted string back to Keycloak for verification.
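As an added example (not code from this note or from the project), the exchange above in Python: the Keycloak side builds the Firebase message with an RSA-OAEP-encrypted secret, the app decrypts it with its private key and answers on the action-token URL with the secret query parameter, and the server checks the answer once in constant time. The host name, the action-token value, the secret_enc field name and the key-pair helper are assumptions; it needs the cryptography package.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Endpoint path from the note; the host name is a constructed placeholder.
ACTION_TOKEN_URL = "https://keycloak.example.invalid/realms/realm-id/login-actions/action-token"
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
# Server-side state: action-token key -> secret still awaiting a correct answer (single use).
_pending: dict[str, str] = {}


def demo_keypair() -> tuple[bytes, bytes]:
    """Constructed app key pair (private PEM, public PEM). In the real flow the public key
    is registered during setup; protecting it in transit is the note's open issue."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    priv_pem = priv.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                                  serialization.NoEncryption())
    pub_pem = priv.public_key().public_bytes(serialization.Encoding.PEM,
                                             serialization.PublicFormat.SubjectPublicKeyInfo)
    return priv_pem, pub_pem


def server_issue_challenge(app_public_pem: bytes, action_token: str) -> dict:
    """Keycloak side: build the Firebase data message (URL, JWT key, RSA-OAEP-encrypted secret)."""
    secret = secrets.token_urlsafe(32)            # fresh random secret for this challenge only
    _pending[action_token] = secret
    pub = serialization.load_pem_public_key(app_public_pem)
    return {"url": ACTION_TOKEN_URL, "key": action_token, "client_id": "account-console",
            "tab_id": "someTabId", "secret_enc": pub.encrypt(secret.encode(), OAEP).hex()}


def app_solve_challenge(message: dict, app_private_pem: bytes) -> str:
    """App side: decrypt the secret with the private key and build the callback URL."""
    priv = serialization.load_pem_private_key(app_private_pem, password=None)
    secret = priv.decrypt(bytes.fromhex(message["secret_enc"]), OAEP).decode()
    query = {k: message[k] for k in ("key", "client_id", "tab_id")}
    query["secret"] = secret                      # the required additional parameter
    return f"{message['url']}?{urlencode(query)}"


def server_verify_callback(url: str) -> bool:
    """Keycloak side: constant-time check; the challenge is consumed on first use, so a
    replayed or guessed URL is rejected."""
    params = parse_qs(urlparse(url).query)
    expected = _pending.pop(params.get("key", [""])[0], None)
    presented = params.get("secret", [""])[0]
    return expected is not None and hmac.compare_digest(expected.encode(), presented.encode())
```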
Open issues
How to make sure that the app's public key was not tampered with during transmission. (solved, see: https://chatbegruenung.de/group/gruene-app-alle?msg=gYqrCfqTgunZexoEA)