netzbegruenung / keycloak-mfa-plugins

Keycloak plugins for MFA (enforce MFA, SMS authentication step, native app integration)
Apache License 2.0

Allow SMS to be used as the primary (standalone) authenticator #88

Closed Nefcanto closed 2 months ago

Nefcanto commented 3 months ago

Based on @svenseeberg's comment I created this issue.

The main requirement for this plugin to be useful for the community is to abstract sending an SMS from the rest of the plugin. This can be done by a middle API provided by teams that use your plugin. This API would act as a proxy: it receives data from you by your contract, then sends it to a phone carrier.

We install your plugin. Then activate it and replace the current email/password form flow. Then we somehow give you our API endpoint.

When the end user enters his phone number, you call our API with every parameter that's needed, including the realm, the phone number, the user id of the Keycloak, the OTP (or TOTP or any other code) that we should send to the end user.

This way you don't need to support myriads of phone carriers. You just create a contract. We create the API and connect it to our carriers.

Thank you

svenseeberg commented 3 months ago

I'm not 100% sure if I understand the problem correctly. We already have the following settings that basically allow you to send the SMS with an API call to your custom SMS proxy:

[screenshot of the SMS provider settings]

That means you can already configure a URL, authentication & attribute names for the message, the receiving and sending phone number.

Mostly missing is currently an HTTP GET option, which would be relatively easy to implement. See #67 for reference.
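The proxy contract discussed in this thread (the plugin calls a configured URL with an authentication header and named attributes for the message and the receiving and sending phone numbers) can be illustrated from the receiving side. The following is an added example of such a proxy's request handler; it is not code from this repository, and the attribute names `message`, `receiver` and `sender`, the bearer-token header and the rate-limit figures are assumptions standing in for whatever the plugin is actually configured with. The carrier is a constructed fake that only records what would be sent. The checks a defender would want on this endpoint are shown: constant-time comparison of the shared secret, E.164 validation of the receiver, a per-number send limit so a leaked or abused endpoint cannot be used to flood a phone, and a response that never echoes the message, since the message body carries the one-time code.

```python
"""Minimal SMS proxy handler for the plugin -> proxy -> carrier pattern.

Constructed example. CONFIG mirrors the plugin's provider settings as
assumed here: the plugin sends "Authorization: Bearer <token>" and a JSON
body whose keys are the configured attribute names.
"""
import hmac
import json
import re
import time

# Assumed configuration, not the plugin's defaults.
CONFIG = {
    "auth_token": "constructed-shared-secret",
    "message_attr": "message",
    "receiver_attr": "receiver",
    "sender_attr": "sender",
    "max_per_window": 3,      # messages allowed per receiver per window
    "window_seconds": 600,
}

# E.164: leading '+', 8 to 15 digits, no leading zero.
E164 = re.compile(r"^\+[1-9]\d{7,14}$")


class FakeCarrier:
    """Stand-in for a real carrier API; records what would have been sent."""

    def __init__(self):
        self.sent = []

    def send(self, sender, receiver, message):
        self.sent.append((sender, receiver, message))
        return True


class SmsProxy:
    def __init__(self, config, carrier, clock=time.time):
        self.config = config
        self.carrier = carrier
        self.clock = clock
        self._history = {}  # receiver -> timestamps of accepted sends

    def _authorized(self, headers):
        auth = headers.get("Authorization", "")
        expected = "Bearer " + self.config["auth_token"]
        # Constant-time comparison so token length/prefix cannot be probed.
        return hmac.compare_digest(auth.encode(), expected.encode())

    def _rate_limited(self, receiver):
        now = self.clock()
        window = self.config["window_seconds"]
        recent = [t for t in self._history.get(receiver, []) if now - t < window]
        self._history[receiver] = recent
        return len(recent) >= self.config["max_per_window"]

    def handle(self, headers, body):
        """Return (http_status, response_dict) for one request from the plugin."""
        if not self._authorized(headers):
            return 401, {"error": "unauthorized"}
        try:
            data = json.loads(body)
        except ValueError:
            return 400, {"error": "invalid json"}
        c = self.config
        message = data.get(c["message_attr"])
        receiver = data.get(c["receiver_attr"])
        sender = data.get(c["sender_attr"])
        if not isinstance(message, str) or not message:
            return 400, {"error": "missing message"}
        if not isinstance(receiver, str) or not E164.match(receiver):
            return 400, {"error": "receiver must be E.164"}
        if self._rate_limited(receiver):
            return 429, {"error": "too many messages for receiver"}
        if not self.carrier.send(sender, receiver, message):
            return 502, {"error": "carrier failure"}
        self._history.setdefault(receiver, []).append(self.clock())
        # Never echo the message: it contains the one-time code.
        return 200, {"status": "queued"}


def demo():
    """Four sends to one number (limit is 3), then one bad token."""
    carrier = FakeCarrier()
    proxy = SmsProxy(CONFIG, carrier)
    headers = {"Authorization": "Bearer constructed-shared-secret"}
    body = json.dumps({"message": "Your code is 123456",
                       "receiver": "+15551234567",
                       "sender": "+15550000000"})
    statuses = [proxy.handle(headers, body)[0] for _ in range(4)]
    bad_token = proxy.handle({"Authorization": "Bearer wrong"}, body)[0]
    return statuses, bad_token, len(carrier.sent)


if __name__ == "__main__":
    print(demo())  # ([200, 200, 200, 429], 401, 3)
```

Wiring this behind a real HTTP server is a matter of passing the request headers and raw body to `SmsProxy.handle`; the per-receiver history should live in shared storage rather than process memory once more than one proxy instance is running.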

Nefcanto commented 3 months ago

@svenseeberg thank you for the explanation. The first point prior to this configuration is that your plugin is for 2FA or MFA.

Can you extend it to be used as one-factor authentication? I want to use your plugin, and this is the login scenario:

  1. The user comes to the sign-in page
  2. He enters his phone number
  3. You call my API
  4. I send the OTP to the user
  5. The user enters the OTP
  6. He gets signed in

This means that we don't have a sign-up. Sign-up and sign-in are both the same thing. If the user requests the OTP for the first time, that means registration (phone number would become the user name, password can be empty).

svenseeberg commented 3 months ago

AFAICT currently it is not possible to use this SMS plugin as a standalone authentication step. This is a generic problem that also affects Webauthn, see https://github.com/keycloak/keycloak/issues/12102.

However, you can create an authentication flow that first asks the user for a Username form (without password) and then only for the SMS. IMHO that should work as this plugin behaves as a generic authentication step.

*edit: You could, of course, store the phone number in the username field. With #84 you could then implement the workflow as you described.

Nefcanto commented 2 months ago

@svenseeberg, thank you for your time. The point is when we ask users for their usernames, it defies our main purpose in the first place: the simplicity of login. Phone/OTP login is simple though it's less secure.