netzbegruenung / keycloak-mfa-plugins

Keycloak Authentication Provider implementation to get 2nd-factor authentication with an OTP/code/token sent via SMS
Apache License 2.0

TOTP name wrong in Enforce MFA dialog #77

Closed svenseeberg closed 1 month ago

svenseeberg commented 2 months ago

The TOTP option seems to show a very generic title from https://github.com/keycloak/keycloak/blob/main/themes/src/main/resources-community/theme/base/email/messages/messages_de.properties#L29 instead of https://github.com/netzbegruenung/keycloak-mfa-plugins/blob/main/enforce-mfa/src/main/resources/theme-resources/messages/messages_de.properties#L5

Example: [image]

beezerk23 commented 1 month ago

Hey @svenseeberg, nothing to do with your topic, but maybe you could share your flow configuration to get the screenshot? Currently my configuration looks like this: [screenshot]

But for some reason I only see Passkey/FIDO2 as an option to choose.

Would highly appreciate an answer :)

melegiul commented 1 month ago

Hey @beezerk23,

When you see only Passkey as an option, the reason might be that the user already set up Passkey as 2FA. Please make sure that all 2FA methods are removed from the user account. Then during the next login, you see the 2FA enforcement dialog after you have submitted the password.

See also this (in the screenshot, the second subflow should actually be conditional and not required): https://github.com/netzbegruenung/keycloak-mfa-plugins/tree/main/enforce-mfa#how-to-use-this-authenticator

beezerk23 commented 1 month ago

Hey @melegiul, where can I check if the user already has 2FA set? It's a completely new user, so I think that will not be the case, but just to be sure I would like to check.

I think my configuration is exactly the same as in the screenshot you shared. Can you elaborate a bit more on what I may be missing?

melegiul commented 1 month ago

Yes, sure. You can see which 2FA methods are set for a user in the admin console. They would be listed under the password.

[image]

Another thing you should be aware of is that the list of choices represents "required action triggers". So you should also make sure that all related required actions are enabled on this page in the admin console: /admin/master/console/#/master/authentication/required-actions.
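The check described above, as an added example that is not part of this issue and not code from keycloak-mfa-plugins or Keycloak: it reads the realm's required actions through Keycloak's admin REST endpoint `GET /admin/realms/{realm}/authentication/required-actions` and reports which of the actions the enforcement dialog relies on are missing or disabled. `CONFIGURE_TOTP` and `webauthn-register` are Keycloak's built-in aliases; the alias of the plugin's phone-number action is not known here and is a placeholder, and the sample response is constructed.

```python
"""Report which required actions the Enforce MFA dialog depends on are
absent or disabled in a realm.

Added example, not code from keycloak-mfa-plugins or Keycloak.  It reads
Keycloak's admin REST endpoint
GET /admin/realms/{realm}/authentication/required-actions; the alias of the
plugin's phone-number required action is unknown here and is a placeholder."""
import json
import urllib.request
from typing import Dict, Iterable, List

# Built-in Keycloak aliases for TOTP and WebAuthn registration, plus a
# PLACEHOLDER for the SMS plugin's phone-number action (real alias unknown here).
EXPECTED_ALIASES = [
    "CONFIGURE_TOTP",
    "webauthn-register",
    "PLACEHOLDER_PHONE_NUMBER_ACTION",
]


def missing_or_disabled(actions: List[Dict], expected: Iterable[str]) -> Dict[str, str]:
    """Map each expected alias that will NOT show up as a choice in the
    enforcement dialog to the reason: the provider is not registered at all
    (not deployed) or it is registered but disabled under Required actions."""
    by_alias = {a.get("alias"): a for a in actions}
    problems: Dict[str, str] = {}
    for alias in expected:
        entry = by_alias.get(alias)
        if entry is None:
            problems[alias] = "not registered (provider not deployed?)"
        elif not entry.get("enabled", False):
            problems[alias] = "registered but disabled"
    return problems


def fetch_required_actions(base_url: str, realm: str, bearer_token: str) -> List[Dict]:
    """GET the realm's required actions using an admin access token."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/admin/realms/{realm}/authentication/required-actions",
        headers={"Authorization": f"Bearer {bearer_token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample of the endpoint's response (only the fields used here).
SAMPLE_RESPONSE: List[Dict] = [
    {"alias": "CONFIGURE_TOTP", "name": "Configure OTP", "enabled": True},
    {"alias": "webauthn-register", "name": "Webauthn Register", "enabled": True},
    {"alias": "PLACEHOLDER_PHONE_NUMBER_ACTION", "name": "Phone number", "enabled": False},
]

if __name__ == "__main__":
    # For a live realm, replace SAMPLE_RESPONSE with
    # fetch_required_actions("https://keycloak.example", "master", token).
    for alias, reason in missing_or_disabled(SAMPLE_RESPONSE, EXPECTED_ALIASES).items():
        print(f"{alias}: {reason}")
```

Run against the constructed sample, the script reports only the placeholder phone-number action as disabled, which is the situation resolved later in this thread.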

beezerk23 commented 1 month ago

@melegiul That was it. I needed to activate the phone number action under required actions. Now the SMS option is showing. Thanks!

melegiul commented 1 month ago

I'm glad to hear that. You are welcome.

melegiul commented 1 month ago

> The TOTP option seems to show a very generic title from https://github.com/keycloak/keycloak/blob/main/themes/src/main/resources-community/theme/base/email/messages/messages_de.properties#L29 instead of https://github.com/netzbegruenung/keycloak-mfa-plugins/blob/main/enforce-mfa/src/main/resources/theme-resources/messages/messages_de.properties#L5
>
> Example: [image]

Yes, that is right. It seems like we must take care ourselves to avoid any key conflicts with other SPIs. Actually only themes can override. https://github.com/keycloak/keycloak/issues/11186#issuecomment-1111819696
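One way to catch such key conflicts before they reach a deployment, as an added example that is not part of this issue and not code from keycloak-mfa-plugins or Keycloak: a small reader for Java `.properties` files that lists every key the plugin's bundle shares with the base theme's bundle, and every key that lacks a plugin-specific prefix. The two bundles are constructed stand-ins for the real `messages_de.properties` files, and `enforce-mfa-` is an assumed prefix, not the project's convention.

```python
"""Find message keys that a Keycloak SPI's messages_*.properties shares with the
base theme's bundle, since only themes can reliably override such keys.

Added example, not code from keycloak-mfa-plugins or Keycloak.  The bundles below
are constructed samples standing in for the real messages_de.properties files, and
'enforce-mfa-' is an assumed key prefix, not the project's convention."""
import re
from typing import Dict, List, Tuple

# Constructed stand-in for Keycloak's base-theme bundle.
BASE_BUNDLE = """\
# base theme (constructed sample)
totp=Authenticator-Anwendung
doLogIn=Anmelden
passwordNew=Neues Passwort
"""

# Constructed stand-in for the plugin's bundle; 'totp' collides with the base theme.
PLUGIN_BUNDLE = """\
# plugin bundle (constructed sample)
totp=Einmalpasswort per App \\
  (TOTP)
enforce-mfa-title=Zweiten Faktor einrichten
sms-auth=Code per SMS
"""

# key = escaped char or anything that is not a separator; optional '=' / ':'; value
_KEY_RE = re.compile(r"^((?:\\.|[^=:\s\\])+)\s*[=:]?\s*(.*)$")


def _continues(line: str) -> bool:
    """True when the line ends with an odd number of backslashes (continuation)."""
    trailing = len(line) - len(line.rstrip("\\"))
    return trailing % 2 == 1


def _store(props: Dict[str, str], logical: str) -> None:
    """Split one logical line into key and value; unescape '\\=' etc. in the key."""
    m = _KEY_RE.match(logical)
    if m:
        props[re.sub(r"\\(.)", r"\1", m.group(1))] = m.group(2)


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: '#'/'!' comments, '=' / ':' / whitespace
    separators, backslash line continuations (leading whitespace of the next line
    dropped), later duplicates win.  \\uXXXX escapes are left undecoded."""
    props: Dict[str, str] = {}
    buf = ""
    pending = False
    for raw in text.splitlines():
        line = raw.lstrip()
        if pending:
            buf += line
        else:
            if not line or line[0] in "#!":
                continue
            buf = line
        if _continues(buf):
            buf = buf[:-1]
            pending = True
            continue
        pending = False
        _store(props, buf)
    if pending:  # dangling continuation at EOF counts as a complete line
        _store(props, buf)
    return props


def find_conflicts(plugin: Dict[str, str], base: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Keys present in both bundles, with (plugin value, base value).  Which text
    Keycloak ends up showing for such a key is not under the plugin's control."""
    return {k: (plugin[k], base[k]) for k in plugin if k in base}


def unprefixed_keys(props: Dict[str, str], prefix: str) -> List[str]:
    """Keys not namespaced with the plugin's prefix; prefixing every key keeps the
    bundle out of other SPIs' and the base theme's key space."""
    return sorted(k for k in props if not k.startswith(prefix))


if __name__ == "__main__":
    plugin, base = parse_properties(PLUGIN_BUNDLE), parse_properties(BASE_BUNDLE)
    for key, (mine, theirs) in find_conflicts(plugin, base).items():
        print(f"conflict: {key!r}: plugin={mine!r} base={theirs!r}")
    print("unprefixed:", unprefixed_keys(plugin, "enforce-mfa-"))
```

On the constructed bundles the script flags `totp`, the same kind of collision this issue describes, and lists `sms-auth` and `totp` as keys that would be safe from collisions if renamed under the plugin's prefix.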