netzbegruenung / keycloak-mfa-plugins

Keycloak plugins for MFA (enforce MFA, SMS authentication step, native app integration)
Apache License 2.0

Add option to use HTTP GET for SMS API #67

Closed JBBERLIN77 closed 2 months ago

JBBERLIN77 commented 8 months ago

I am trying to use the 2FA SMS in conjunction with a local hardware SMSEagle device. And actually I have gotten countless webhooks or SMSEagle API applications running with the device.

But somehow I don't understand the Keycloak error message.

```
2024-01-26 11:54:26,048 INFO [netzbegruenung.keycloak.authenticator.gateway.SmsServiceFactory] (executor-thread-1) API request: (POST https://mySMSEagleURL/api/v2/messages/sms) 400

2024-01-26 11:54:26,048 ERROR [netzbegruenung.keycloak.authenticator.gateway.SmsServiceFactory] (executor-thread-1) Failed to send message to 0157xxxxxxxx with answer: {"message":{"to":"The type of the attribute must be one of array (string given)."}}. Validate your config.
```

melegiul commented 8 months ago

I am sorry. I guess that the SMSEagle API is not supported. It seems that the API is expecting some payload to be an array. But our implementation only supports passing configs as strings.

Here you can have a look at how the JSON payload sent to the API will look: https://github.com/netzbegruenung/keycloak-mfa-plugins/blob/4d3dcb63799eb99e114ac0a195888a5b6b582d2b/sms-authenticator/src/main/java/netzbegruenung/keycloak/authenticator/gateway/ApiSmsService.java#L101

Most values come from the Authenticator config, but are unfortunately only passed as string values.

JBBERLIN77 commented 8 months ago

Yes, an array is expected by the SMSEagle API. SMSEagle only accepts strings as HTTP GET requests, so unfortunately you cannot use your URLencode because they are also sent by POST.

Then I'll have to build a bash script that monitors the logs in simulation mode and then transmits the copied variables to SMSEagle. Because unfortunately I am not the JAVA crack for a rewrite. ;)

Or do you know a hardware SMS gateway device that works with the plugin without any problems?

melegiul commented 8 months ago

Any device should work, you just need a compatible API. You could use a proxy which maps the requests of this plugin to compatible requests sent to the SMS provider, or implement this interface with a custom request:

https://github.com/netzbegruenung/keycloak-mfa-plugins/blob/4d3dcb63799eb99e114ac0a195888a5b6b582d2b/sms-authenticator/src/main/java/netzbegruenung/keycloak/authenticator/gateway/SmsService.java#L24

Then just run `mvn clean install` and you will find the jar file in the `sms-authenticator/target` folder.

svenseeberg commented 6 months ago

@JBBERLIN77 can you provide an example of what the payload needs to be exactly? I guess it would be possible to implement support for that.

melegiul commented 6 months ago

@svenseeberg Here: https://www.smseagle.eu/docs/apiv2/#tag/Send

`to`, `contacts` and `groups` are all expected to be arrays. But our client sends strings only.
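As an added illustration of the proxy approach suggested above (not code from the plugin or from SMSEagle), here is a small adapter that sits between the plugin and the device: it takes the plugin's POST, rewrites the string-valued `to`, `contacts` and `groups` fields named in this thread into arrays, relays the request, and passes SMSEagle's reply back so the error still lands in the Keycloak log. The upstream host is a placeholder, the plugin's other payload keys and its auth header are assumed to pass through unchanged, and comma-splitting of a multi-recipient string is an assumption.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Fields the thread says APIv2 expects as arrays while the plugin sends strings.
ARRAY_FIELDS = ("to", "contacts", "groups")
# Placeholder host; the path is the one shown in the 400 response in the log above.
UPSTREAM = "https://SMSEAGLE_HOST_PLACEHOLDER/api/v2/messages/sms"
HOP_HEADERS = {"host", "content-length", "connection"}


def adapt_payload(raw: bytes) -> bytes:
    """Turn string-valued array fields into arrays; leave real arrays alone.
    Any other type is rejected here rather than producing an opaque 400 upstream."""
    payload = json.loads(raw)
    if not isinstance(payload, dict):
        raise ValueError("expected a JSON object")
    for key in ARRAY_FIELDS:
        value = payload.get(key)
        if isinstance(value, str):  # assumed: comma-separated list of recipients
            payload[key] = [v.strip() for v in value.split(",") if v.strip()]
        elif value is not None and not isinstance(value, list):
            raise ValueError(f"{key!r} must be a string or an array")
    return json.dumps(payload).encode()


class AdapterHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        try:
            body = adapt_payload(self.rfile.read(length))
        except ValueError as exc:
            self.send_error(400, str(exc))
            return
        # Forward the plugin's own headers (including its auth header) unchanged.
        fwd = {k: v for k, v in self.headers.items() if k.lower() not in HOP_HEADERS}
        fwd["Content-Type"] = "application/json"
        try:
            with urlopen(Request(UPSTREAM, data=body, headers=fwd, method="POST")) as r:
                status, reply = r.status, r.read()
        except HTTPError as err:  # relay SMSEagle's 4xx/5xx body so Keycloak logs it
            status, reply = err.code, err.read()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8088), AdapterHandler).serve_forever()
```

Point the plugin's API URL at the adapter (here `http://127.0.0.1:8088/`) instead of the device; only the listed fields are touched, so a payload that already carries arrays passes through as-is.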

JBBERLIN77 commented 6 months ago

There are plenty of examples on the SMSeagle website. I actually assumed that Wolke Grün Berlin also uses its own HW SMS gateway because I receive an SMS every time I log in. And an HW SMS gateway saves costs through flat rate SMS tariffs.

One is the old APIv1 with plain GET or JSON-RPC:

https://www.smseagle.eu/apiv1/

And the new APIv2 as a JSON array:

https://www.smseagle.eu/docs/apiv2/

svenseeberg commented 6 months ago

> I actually assumed that Wolke Grün Berlin also uses its own HW SMS

We use a secondary SMS proxy that switches between different providers and hardware devices.

> Then I'll have to build a bash script that monitors the logs in simulation mode and then transmits the copied variables to SMSEagle.

I think it would be easiest to implement an HTTP GET as an alternative to the HTTP POST that we currently have. Then you could simply use the "Send SMS: HTTP GET method" from the documentation by setting the variable names accordingly.

svenseeberg commented 2 months ago

It seems that API version 2 of SMS Eagle changed a bit. It now works without problems:

The configuration values would have to be the following:

*edit: I updated the documentation with details about the configuration: https://github.com/netzbegruenung/keycloak-mfa-plugins/tree/main/sms-authenticator#setup

svenseeberg commented 2 months ago

It seems that the need for an HTTP GET request is no longer there. I will close the issue.

JBBERLIN77 commented 2 months ago

The SMSEagle DevTeam has written an integration for Keycloak based on your plugin!

https://www.smseagle.eu/integration-plugins/keycloak-sms-otp/