Keycloak is an open source identity and access management solution. This codebase extends provisioning 2 Factor Authentication (2FA) through non-interactve API methods ✨
Our project extends Keycloak with a custom RealmResourceProvider. This allows for 2FA via API calls. The APIs are authenticated with manage-2fa
permission, and require the calling account to be a service account.
This extension also verifies that the target user is not service account for additional security check.
Validation is performed on all calls, following:
manage-2fa
permissionDescription: Generates 2FA data for a user to setup Totp on user's device.
Method: GET
Path: /manage-2fa/{user_id}/generate-2fa
Response example:
{
"encodedTotpSecret": "OZJU43ZUIN2VO4BZKBYEWMLBOEZUSQKL",
"totpSecretQRCode": "iVBORw0KGgoAAAANSUhEUgAAAPYAAAD2AQAAAADNaUdlAAACmklEQVR4Xu2YPc6DMAyGXTEwcoTcpLkYEkhcrL1JjtCRAeHvfR1ABVVdvsEe6gFRP0Fy/Benol9lkavmLD9+1Zzlx6+as5C/ROT26lOrr0bne6elJYAMMfig+nwNhW946KS6dksyEIL30j6xCeVjlk5V7uDYUyTelBkeTUAjfmo0DoU+EHDJGo7v8ad/W8a/XaX/kB9efK+f5/vjQ3058Spj0lWQBFm1yB3IJAJH15GbTmW+g1vUBUXEdN32582tNaK0WdVoPaNYknJRDD7Qaix6sL4pc67fbPZ784au7QWmT2iNeLPl6ER7/J35gFh3E+rbkgBaZgI7URAOgzOzEqan+QYd7G9qEYXgkmD/IjX+0BbOD8m+CcFpKzj7N/NzUORnXRmEa50acvUqnJx3XQhOWzv07wcUKCLMh/V83vPTmaslJM7nBxZZ/wGfuJ3qX2/O/mhTF7i1Rquft/p25hxoMB/ao5jW+s/Rv7057G9Xxn9l6fCQhqen0nJcDMGt/9itZEwYDe04xOOIvzsXq2rEH1lp/YeXPE5iIbhqobawK+L+hJVIAmxn9683R8EAVa/SyROW09PPfX/OXHn0waF2oLTktcj3+Htz5Ge7FTn8LFwpHMKO+cubIyEJWNU6b6Vz6j/+POPAQ2k3jP9ikywOwSAcgvgv3IKwyFHaN+Ys0zUGt/4Nq8UuUeS4jh7x9+b16OutoHkTWLCIeznmH2dugkWsak6tvfCQoc9jcFY1bC30b9qv7u/3T28+8P8jU2Dqov3WGt/7jy/n/29EkGRVIxb/rIE4+g+bZOKkQ09jCKOE4jbkWH9UVtLJv558YPx5oOjI0u6ZpPY2xODwqzXsbEMOd5LrTLvZ78y/yY9fNWf58avmLP/mf9HIqC/AJ2L7AAAAAElFTkSuQmCC"
}
encodedTotpSecret
can be used when it is not possible to scan a qr code.
Description: Submits 2FA data for a user to enable Totp credential for user in KeyCloak.
Method: POST
Path: /manage-2fa/{user_id}/submit-2fa
Request example:
{
"deviceName": "test",
"totpInitialCode": "709716",
"encodedTotpSecret": "OZJU43ZUIN2VO4BZKBYEWMLBOEZUSQKL",
"overwrite": true
}
Response: On success empty response with 204
status code will be returned.
Here deviceName
refers to the device on which we want to enable 2FA. totpInitialCode
refers to the initial
6-digit code taken from 2FA Application (Authy, Google authenticator) by user. encodedTotpSecret
refers to the
Totp secret that was received before by generate-2fa
call. overwrite
if set to true, overwrites existing 2FA data for
that particular device.
If caller do not want to support multiple devices, it is perfectly fine to only pass one const device name.
Description: Validates 2FA code submitted by user for a device.
Method: POST
Path: /manage-2fa/{user_id}/validate-2fa-code
Request example:
{
"deviceName": "test",
"totpCode": "700945"
}
Response: On success empty response with 204
status code will be returned.
deviceName
refers to the device for which we want to enable 2FA. totpCode
refers to 6-digit code taken from 2FA Application (Authy, Google authenticator) by user.
If caller do not want to support multiple devices, it is perfectly acceptable to only pass one const device name.
Protoreality Games https://protorealitygames.com/ Created: June 2022
Apache 2.0