Closed Nefcanto closed 2 months ago
I'm not 100% sure if I understand the problem correctly. We already have the following settings that basically allow you to send the SMS with an API call to your custom SMS proxy:
That means you can already configure a URL, authentication & attribute names for the message, the receiving and sending phone number.
Mostly missing is currently an HTTP GET option, which would be relatively easy to implement. See #67 for reference.
@svenseeberg thank you for the explanation. The first point prior to this configuration is that your plugin is for 2FA or MFA.
Can you extend it to be used as one-factor authentication? I want to use your plugin, and this is the login scenario:
This means that we don't have a sign-up. Sign-up and sign-in are both the same thing. If the user requests the OTP for the first time, that means registration (phone number would become the user name, password can be empty).
AFAICT currently it is not possible to use this SMS plugin as a standalone authentication step. This is a generic problem that also affects Webauthn, see https://github.com/keycloak/keycloak/issues/12102.
However, you can create an authentication flow that first asks the user for a Username form (without password) and then only for the SMS. IMHO that should work as this plugin behaves as a generic authentication step.
*edit: You could, of course, store the phone number in the username field. With #84 you could then implement the workflow as you described.
@svenseeberg, thank you for your time. The point is when we ask users for their usernames, it defies our main purpose in the first place: the simplicity of login. Phone/OTP login is simple though it's less secure.
Based on @svenseeberg comment I created this issue.
The main requirement for this plugin to be useful for the community is to abstract sending an SMS from the rest of the plugin. This can be done by a middle API provided by teams that use your plugin. This API would act as a proxy: it receives data from you according to your contract, then sends it to a phone carrier.
We install your plugin. Then activate it and replace the current email/password form flow. Then we somehow give you our API endpoint.
When the end user enters his phone number, you call our API with every parameter that's needed, including the realm, the phone number, the user id of the Keycloak, the OTP (or TOTP or any other code) that we should send to the end user.
This way you don't need to support myriads of phone carriers. You just create a contract. We create the API and connect it to our carriers.
Thank you
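To make the proposed proxy contract concrete, here is an added example of what the two halves of that contract could look like. It is not code from the plugin or from any project in this thread; the field names (realm, phoneNumber, userId, code), the JSON body, the bearer-token header and the constructed sample values are all assumptions chosen for this illustration. The proxy side checks the token in constant time, validates the fields before handing anything to a carrier, and keeps the OTP out of its audit record.

```python
"""Reference sketch of an SMS-proxy contract between an authenticator
and a team-owned proxy (added example; names and shapes are assumptions).
"""
import hmac
import json
import re

# Constructed shared secret; in practice this comes from the plugin's
# authentication settings and the proxy's own configuration.
PROXY_TOKEN = "example-shared-secret"

E164 = re.compile(r"^\+[1-9]\d{7,14}$")   # international phone number format
OTP = re.compile(r"^\d{6,8}$")            # numeric one-time code
REQUIRED = ("realm", "phoneNumber", "userId", "code")


def build_request(realm, phone, user_id, code):
    """Authenticator side: headers and JSON body sent to the proxy (assumed contract)."""
    body = {"realm": realm, "phoneNumber": phone, "userId": user_id, "code": code}
    headers = {
        "Authorization": f"Bearer {PROXY_TOKEN}",
        "Content-Type": "application/json",
    }
    return headers, json.dumps(body)


def validate_request(headers, raw_body):
    """Proxy side: authenticate the caller and validate the payload.

    Returns (ok, reason, payload). Authentication is checked first so an
    unauthenticated caller learns nothing about the expected body shape.
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not hmac.compare_digest(token, PROXY_TOKEN):
        return False, "unauthorized", None
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return False, "malformed json", None
    if not isinstance(payload, dict):
        return False, "body must be a JSON object", None
    missing = [k for k in REQUIRED if k not in payload]
    if missing:
        return False, "missing fields: " + ", ".join(missing), None
    if not all(isinstance(payload[k], str) for k in REQUIRED):
        return False, "all fields must be strings", None
    if not E164.match(payload["phoneNumber"]):
        return False, "phoneNumber is not E.164", None
    if not OTP.match(payload["code"]):
        return False, "code is not a 6-8 digit OTP", None
    return True, "ok", payload


def handle(headers, raw_body, send_sms):
    """Proxy request handler. `send_sms(to, text)` is the carrier adapter
    the team plugs in; it is injected so the handler stays carrier-agnostic.
    """
    ok, reason, payload = validate_request(headers, raw_body)
    if not ok:
        return {"status": 401 if reason == "unauthorized" else 400, "error": reason}
    # Audit record for the proxy's own logs: identifies the request without
    # recording the OTP or the full phone number.
    audit = {
        "realm": payload["realm"],
        "userId": payload["userId"],
        "phone_last4": payload["phoneNumber"][-4:],
    }
    send_sms(payload["phoneNumber"], f"Your login code is {payload['code']}")
    return {"status": 202, "audit": audit}


if __name__ == "__main__":
    # Constructed round trip: the authenticator builds a request, the proxy
    # validates it and hands the message to a fake carrier adapter.
    outbox = []
    hdrs, body = build_request("myrealm", "+15551234567", "user-1", "123456")
    print(handle(hdrs, body, lambda to, text: outbox.append((to, text))))
    print(outbox)
```

The carrier adapter is the only piece each team writes themselves; everything above it is the shared contract, which is what keeps the plugin free of carrier-specific code.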