netzbegruenung / keycloak-mfa-plugins

Keycloak Authentication Provider implementation to get a 2nd-factor authentication with an OTP/code/token sent via SMS
Apache License 2.0
42 stars 9 forks

App Authenticator implementation details #64

Closed melegiul closed 5 days ago

melegiul commented 1 year ago

Challenge Endpoint (Setup App Auth):

/realms/realm-id/login-actions/action-token?key=jwt&client_id=account-console&tab_id=someTabId

Setup Steps:

  1. The URL is transmitted to the device by QR code and contains a one-time JWT (in case the device is not authenticated).
  2. The mobile device is supposed to use this URL to transmit its device data.

Required additional query parameters:

device_id: firebase device's registration token
device_os: OS
public_key: base64 encoded public key (RSA)

Authentication Endpoint (basically the same endpoint):

/realms/realm-id/login-actions/action-token?key=jwt&client_id=account-console&tab_id=someTabId

Auth Steps:

  1. The URL + JWT is transmitted to the device by Firebase. (In the backend both endpoints only differ in the supplied JWT and their token handler. The setup token and the auth token both grant access to a single unique server-side action.)
  2. The mobile device is supposed to use this URL to solve the supplied challenge (see below).

Required additional query parameters:

secret: decrypted secret (see below)

The Firebase message contains an encrypted secret (RSA), which the app is supposed to decrypt with its secret key and send the decrypted string back to Keycloak for verification.

Open issues

How to make sure that the app's public key was not tampered with during transmission. (solved, see: https://chatbegruenung.de/group/gruene-app-alle?msg=gYqrCfqTgunZexoEA)
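The setup and auth flows described in the comment above, written out as an added Go example that is not code from the keycloak-mfa-plugins project (Keycloak itself is Java). It models the server side of both token handlers and the app's decryption step: setup registers the `device_id`, `device_os` and base64 `public_key` parameters; auth draws a random secret, encrypts it for the device (the payload the comment says travels in the Firebase message), and checks the `secret` parameter the app returns. Assumptions not stated in the issue: the public key is a base64 PKIX/DER RSA key, the encryption is RSA-OAEP with SHA-256, a challenge expires after a short TTL and is consumed on the first attempt, and all names (`RegisterDevice`, `IssueChallenge`, `Verify`, the `fcm-token-example` device id) are made up here. It does not address the open question of how the key is bound to the device during transmission.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// Device is what the setup token handler stores; the fields mirror the
// device_id, device_os and public_key query parameters from the issue.
type Device struct {
	ID        string
	OS        string
	PublicKey *rsa.PublicKey
}

// Challenge is the server-side record behind one auth action token.
type Challenge struct {
	Secret   string // plaintext the app must return in the secret= parameter
	Expires  time.Time
	Consumed bool
}

// RegisterDevice parses the base64(PKIX DER) public_key parameter and
// rejects anything that is not an RSA key of a reasonable size.
func RegisterDevice(deviceID, deviceOS, publicKeyB64 string) (*Device, error) {
	der, err := base64.StdEncoding.DecodeString(publicKeyB64)
	if err != nil {
		return nil, fmt.Errorf("public_key is not base64: %w", err)
	}
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return nil, fmt.Errorf("public_key is not a PKIX key: %w", err)
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("public_key is not an RSA key")
	}
	if rsaPub.N.BitLen() < 2048 {
		return nil, errors.New("RSA key shorter than 2048 bits")
	}
	return &Device{ID: deviceID, OS: deviceOS, PublicKey: rsaPub}, nil
}

// IssueChallenge draws a random secret, encrypts it for the registered device
// (assumed: RSA-OAEP/SHA-256; the issue only says "RSA") and records what the
// auth token handler expects back, together with an expiry.
func IssueChallenge(dev *Device, ttl time.Duration) (*Challenge, []byte, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return nil, nil, err
	}
	secret := base64.RawURLEncoding.EncodeToString(raw)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, dev.PublicKey, []byte(secret), nil)
	if err != nil {
		return nil, nil, err
	}
	return &Challenge{Secret: secret, Expires: time.Now().Add(ttl)}, ct, nil
}

// AppSolve is the mobile-app side: decrypt the Firebase payload with the
// device's private key and return the string for the secret= parameter.
func AppSolve(priv *rsa.PrivateKey, ct []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Verify is the auth token handler's check: the challenge must be unexpired
// and unused, and the comparison must not leak timing.
func Verify(ch *Challenge, submitted string) bool {
	if ch.Consumed || time.Now().After(ch.Expires) {
		return false
	}
	ch.Consumed = true // one action token grants one attempt, success or not
	return subtle.ConstantTimeCompare([]byte(ch.Secret), []byte(submitted)) == 1
}

// ExportPublicKey is what the app does before the QR-code step: base64(PKIX DER).
func ExportPublicKey(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return base64.StdEncoding.EncodeToString(der)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // generated on the device
	dev, err := RegisterDevice("fcm-token-example", "android", ExportPublicKey(&priv.PublicKey))
	if err != nil {
		panic(err)
	}
	ch, ct, _ := IssueChallenge(dev, 2*time.Minute)
	answer, _ := AppSolve(priv, ct)
	fmt.Println("first answer accepted:", Verify(ch, answer))
	fmt.Println("replay accepted:", Verify(ch, answer))
}
```

The single-use flag matters because both action tokens in the issue grant exactly one server-side action: once `Verify` has seen an answer for a challenge, a second submission with the same plaintext is rejected even though it is correct.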