Most of it is already done. But the HTTP Signatures replacement and the consistency check on setup (e.g. on setup a signature is sent and checked with the supplied public key) are still open.
Open Issues
Replace HTTP Signatures with verification of client-side generated JWT
Verify code challenge on Action-Token-endpoint (authenticate) from the code_verifier query parameter
Todo
[x] Delete login attempt/challenge after Action-Token-endpoint (for authenticate) was successfully called
[x] Implement auto refresh of the Setup/Authenticate Keycloak page via Server Sent Events
[x] Response payload of Get-Challenges-endpoint returns a list of challenges instead of a single one
[x] Update Error Responses
[x] Get Challenges and Reply Challenge Endpoint need to return the 409 error also when there is no login attempt. Otherwise the client doesn't know if the authenticator needs to get removed.
[x] Remove OpenAPI spec
[x] Rework documentation (readme)
[x] Return clientName and clientUrl in payload of Get-Challenges-endpoint
[ ] Consistency check on setup
[x] Reduce expiration for the app-auth-action-token to 60 seconds
[x] Make expiration for app-auth-action-token configurable Admin UI
[x] Rename attribute secret in Challenge DTO to codeChallenge
[x] Remove device_id query parameter on Get-Challenges-endpoint; retrieve it from the signature
See https://github.com/netzbegruenung/keycloak-mfa-plugins/pull/63#issuecomment-1816379363
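Worked example of the code_verifier check on the authenticate endpoint together with the two agreed behaviours around it (delete the login attempt after a successful call, answer 409 when there is no login attempt). This is an added illustration, not code from keycloak-mfa-plugins, and it is written in Python rather than the plugin's Java so it can be run stand-alone. `LoginAttempts`, `handle_authenticate`, `make_code_verifier` and the status messages are hypothetical names; the challenge transform is the standard RFC 7636 S256 one.

```python
import base64
import hashlib
import hmac
import secrets


def make_code_verifier() -> str:
    """Client side: fresh high-entropy code_verifier (43 URL-safe chars from 32 random bytes)."""
    return secrets.token_urlsafe(32)


def s256_code_challenge(code_verifier: str) -> str:
    """RFC 7636 S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding.
    The client sends this value as codeChallenge when it creates the login attempt."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_code_challenge(code_verifier: str, stored_code_challenge: str) -> bool:
    """Server side: recompute the challenge from the code_verifier query parameter and
    compare it in constant time against the codeChallenge stored with the login attempt."""
    if not 43 <= len(code_verifier) <= 128:  # length bounds from RFC 7636 section 4.1
        return False
    return hmac.compare_digest(s256_code_challenge(code_verifier), stored_code_challenge)


class LoginAttempts:
    """Hypothetical in-memory stand-in for the plugin's stored login attempts, keyed by user id."""

    def __init__(self) -> None:
        self._pending: dict[str, dict] = {}

    def create(self, user_id: str, code_challenge: str) -> None:
        self._pending[user_id] = {"codeChallenge": code_challenge}

    def get(self, user_id: str):
        return self._pending.get(user_id)

    def delete(self, user_id: str) -> None:
        self._pending.pop(user_id, None)


def handle_authenticate(attempts: LoginAttempts, user_id: str, code_verifier: str) -> tuple[int, str]:
    """Hypothetical action-token 'authenticate' handler.

    409: no pending login attempt (mirrors the 409 the Get-Challenges/Reply-Challenge
         endpoints return in that case).
    400: code_verifier does not match the stored codeChallenge.
    200: verified; the login attempt is deleted so the same token cannot be used twice.
    """
    attempt = attempts.get(user_id)
    if attempt is None:
        return 409, "no pending login attempt"
    if not verify_code_challenge(code_verifier, attempt["codeChallenge"]):
        return 400, "code_verifier does not match codeChallenge"
    attempts.delete(user_id)
    return 200, "authenticated"


if __name__ == "__main__":
    store = LoginAttempts()
    verifier = make_code_verifier()
    store.create("alice", s256_code_challenge(verifier))  # constructed login attempt
    print(handle_authenticate(store, "alice", verifier))  # prints (200, 'authenticated')
    print(handle_authenticate(store, "alice", verifier))  # second call: attempt is gone, 409
```

The constant-time comparison matters even though the challenge is not secret in transit: the stored value is what the server trusts, and a plain string compare would leak how many leading characters of it an attacker's guess matched.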