netzbegruenung / keycloak-mfa-plugins

Keycloak Authentication Provider implementation to get a 2nd-factor authentication with a OTP/code/token send via SMS
Apache License 2.0

SMS-Auth: API Gateway Returns Error - User does not know #89

Open alexanderhofstaetter opened 4 days ago

alexanderhofstaetter commented 4 days ago

When the API Gateway returns an error code, it outputs the log that there was an error; however, the user still gets shown the SMS code input?

Just as a note, I don't know how to handle this currently.

svenseeberg commented 4 days ago

Currently the user does not receive an error notification, no. We have not tackled this as we get the return codes asynchronously and therefore do not know if the SMS was sent when the user reloads the page. However, we have not yet received many complaints. This obviously depends on the stability of the SMS API.

melegiul commented 3 days ago

Actually we send the request synchronously, blocking for the response if necessary. https://github.com/netzbegruenung/keycloak-mfa-plugins/blob/209a40e806feb5d8d81b58873af89403006ae7b2/sms-authenticator/src/main/java/netzbegruenung/keycloak/authenticator/gateway/ApiSmsService.java#L91 https://docs.oracle.com/en%2Fjava%2Fjavase%2F11%2Fdocs%2Fapi%2F%2F/java.net.http/java/net/http/HttpClient.html#send(java.net.http.HttpRequest,java.net.http.HttpResponse.BodyHandler)

We should indeed improve the UX here by, for example, showing an error message to the user. Also we could add a retry button, which either sends the SMS code again to the same number or lets the user enter the phone number again to correct possible typos. This retry button could be present independent of the SMS sent status, because we had some cases where a custom provider reported success while actually no SMS was sent.
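As an added illustration of the point made above (not code from this repository): a synchronous `HttpClient.send` already yields the gateway's HTTP status, so the outcome can be mapped into an explicit result that the authenticator can branch on, showing the code form only on acceptance and an error plus retry option otherwise. The class name, the `Result` type, the request body format and the phone number are assumptions for this example; the local `HttpServer` stands in for a real gateway so the demo runs offline and sends no SMS.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Duration;

// Hypothetical helper (not the plugin's own code), Java 16+ for the record type.
// Sends the SMS request synchronously and turns the gateway's answer into an
// outcome the authenticator can act on instead of silently showing the code form.
public class SmsGatewayOutcome {

    public enum Status { ACCEPTED, REJECTED, UNREACHABLE }

    public record Result(Status status, int httpStatus, String detail) {}

    private final HttpClient client = HttpClient.newBuilder()
            .connectTimeout(Duration.ofSeconds(5))
            .build();

    public Result send(URI gatewayUrl, String phoneNumber, String code) {
        // Body format is an assumption; real gateways each have their own API.
        String body = "to=" + phoneNumber + "&text=" + code;
        HttpRequest request = HttpRequest.newBuilder(gatewayUrl)
                .timeout(Duration.ofSeconds(10))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(body))
                .build();
        try {
            // Blocking call: the status code is known before the user sees any form.
            HttpResponse<String> response =
                    client.send(request, HttpResponse.BodyHandlers.ofString());
            int status = response.statusCode();
            if (status >= 200 && status < 300) {
                // ACCEPTED only means the gateway took the request; delivery is not
                // proven, which is why a retry option should exist regardless.
                return new Result(Status.ACCEPTED, status, response.body());
            }
            // Non-2xx: the authenticator should show an error and offer a retry.
            return new Result(Status.REJECTED, status, response.body());
        } catch (IOException e) {
            // Connection refused, timeout, TLS failure: treat like a rejection for UX.
            return new Result(Status.UNREACHABLE, -1, e.getMessage());
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            return new Result(Status.UNREACHABLE, -1, "interrupted");
        }
    }

    // Demo against a constructed local stand-in for the gateway; no real SMS is sent.
    public static void main(String[] args) throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/ok", ex -> reply(ex, 200, "{\"id\":\"msg-1\"}"));
        server.createContext("/fail", ex -> reply(ex, 503, "{\"error\":\"provider down\"}"));
        server.start();
        int port = server.getAddress().getPort();
        try {
            SmsGatewayOutcome sms = new SmsGatewayOutcome();
            String number = "+4915200000000"; // constructed sample number
            System.out.println(sms.send(URI.create("http://127.0.0.1:" + port + "/ok"), number, "123456"));
            System.out.println(sms.send(URI.create("http://127.0.0.1:" + port + "/fail"), number, "123456"));
        } finally {
            server.stop(0);
        }
    }

    private static void reply(HttpExchange ex, int status, String body) throws IOException {
        byte[] bytes = body.getBytes(StandardCharsets.UTF_8);
        ex.sendResponseHeaders(status, bytes.length);
        try (OutputStream os = ex.getResponseBody()) {
            os.write(bytes);
        }
    }
}
```

The first call yields `ACCEPTED` with HTTP 200 and the second `REJECTED` with HTTP 503; an authenticator wired to this result would show the OTP form only for `ACCEPTED` and an error with a "send again" or "change number" action for the other two states. Keeping the retry action available even after `ACCEPTED` covers the case described above where a provider reports success without delivering.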