p2-inc / keycloak-magic-link

Magic Link Authentication for Keycloak
https://phasetwo.io
Other
245 stars 50 forks source link

Magic Link for authentication session continuation #57

Closed xgp closed 9 months ago

xgp commented 1 year ago

Feature request for a magic link that can cause a continuation of an authentication session already underway.

Use case

  1. User authenticates and is challenged by sending a magic link to email, using a custom Authenticator
  2. Page polls for completion of challenge (e.g. is an auth note set/unset). This can just be a custom FTL with a javascript reload. Page tells them not to close the page.
  3. Magic link is an action token that encodes the authentication session ID and tab ID and client ID
  4. User clicks on link, potentially in a separate device. Page gives a success message and tells them to return to the initial page. If it is the same device, it also gives them a link to go to the application (this just joins the authentication session and continues with a success).
  5. Action token handler looks up the authentication session by ID and tab ID and client ID and allows it to continue (by setting an Auth Note)
  6. Polling picks up that the link has been clicked (by checking the Auth Note), and automatically continues the authentication with a success.
  7. After a configurable amount of time, the Authenticator gives up and provides an error message to the user that the link has expired.

relevant KC code

AuthenticationSessionProvider p = session.authenticationSessions();
RootAuthenticationSessionModel m = p.getRootAuthenticationSession( realm,  authenticationSessionId);
// look up clientByClientId
AuthenticationSessionModel asm = m.getAuthenticationSession( client,  tabId)
xgp commented 9 months ago

Need to create

See existing Magic link code.

Please add documentation to the README

xgp commented 9 months ago

Closed by https://github.com/p2-inc/keycloak-magic-link/pull/68