Tags: keycloak, storage, one-time-password, keycloak-spi

KEYCLOAK: OTP using a custom user storage SPI


Good day, I was wondering if anyone has information on how to implement 2FA using OTP in Keycloak with a custom user storage SPI.

I already have an extension for my SQL Server database, and I can log in using their password (BCrypt). But I can't configure OTP for them, since they are read-only users (federated). Reading the documentation, I found that users from LDAP can be synced into Keycloak to be able to do this (obviously with the writing overhead).

Does anyone have any idea how to do this? Or maybe how to enable this without caching them locally?


Solution

  • Well, I was wrong with my previous answer. I will leave it there just because it might be useful for someone else, so here's the full history of how to do this...

    FULL OTP support in my external DB

    Well, finally, after more than a week (on my new project) I got this working with Keycloak 18.0. What do you need to do? Simply, you have to implement each and every step in the authentication workflow:

    1. Create your user storage SPI
    2. Implement Credential Update SPI
    3. Implement a custom Credential Provider SPI
    4. Implement a custom Required Action SPI
    5. Implement your authenticator SPI
    6. Implement your forms (I kinda used the internal OTP forms in KC)
    7. Enable your Required action
    8. Create a copy of the browser workflow and plaster there your authenticator

    And what do we get with this?

    1. We get a fully customizable OTP authenticator (realm's policy pending...)
    2. You can use that code for verification in your app (it's in your DB), like, the user is already authenticated and you want them to verify a password/code to confirm some action
    3. You can set up users for OTP authentication in your app (no KC admin page involved, so you can leave the admin page outside the firewall/proxy)

    In my opinion, this is kinda annoying, since there are a lot of loops we have to make to be able to store our data locally and how to deal with the integrated OTP forms (for a "natural look"), but it gives me full control over my OTP integration, also, I can backup my database and their OTP authentication is still there, so, if I have a failure in a KC upgrade or it gets corrupted, I still have all that data.

    Lastly, here's what it should look like when your manager has the custom OTP authentication.
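As an added example (not code from the original post, and not Keycloak's own code), here is the credential validate/update half of the list above (steps 2 and 3) and a minimal step-5 authenticator, written against the Keycloak 18 SPIs. `ExternalOtpStore`, its methods and the `com.example.kc.otp` package are hypothetical stand-ins for the poster's SQL Server DAO; the realm OTP policy is assumed to be TOTP (HOTP would additionally need a server-side counter in the store). The Keycloak types used (`CredentialInputValidator`, `CredentialInputUpdater`, `Authenticator`, `TimeBasedOTP`, `OTPPolicy`, `OTPCredentialModel`, `UserCredentialModel`) are real.

```java
package com.example.kc.otp;

import java.nio.charset.StandardCharsets;
import java.util.Optional;
import java.util.stream.Stream;
import javax.ws.rs.core.Response;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputUpdater;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.events.Errors;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.OTPPolicy;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.credential.OTPCredentialModel;
import org.keycloak.models.utils.TimeBasedOTP;
import org.keycloak.services.messages.Messages;

/** Hypothetical DAO over the external SQL Server table holding each user's TOTP secret (assumption). */
interface ExternalOtpStore {
    Optional<String> secretFor(String username);   // decrypted raw secret, or empty if not enrolled
    void saveSecret(String username, String secret);
    void deleteSecret(String username);
}

/**
 * Steps 2 and 3: Keycloak checks "provider instanceof CredentialInputValidator/Updater" on the
 * UserStorageProvider itself, so the storage provider must implement both interfaces and can
 * simply delegate to an instance of this class.
 */
public class ExternalOtpCredentials implements CredentialInputValidator, CredentialInputUpdater {
    private final ExternalOtpStore store;

    public ExternalOtpCredentials(ExternalOtpStore store) { this.store = store; }

    /** Accept all three spellings: the OTP form sends "otp", the Configure OTP action sends the policy type. */
    @Override public boolean supportsCredentialType(String t) {
        return OTPCredentialModel.TYPE.equals(t) || OTPCredentialModel.TOTP.equals(t) || OTPCredentialModel.HOTP.equals(t);
    }

    @Override public boolean isConfiguredFor(RealmModel realm, UserModel user, String type) {
        return supportsCredentialType(type) && store.secretFor(user.getUsername()).isPresent();
    }

    @Override public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
        if (!supportsCredentialType(input.getType())) return false;
        String code = input.getChallengeResponse();
        if (code == null || code.isEmpty()) return false;
        // Take digits/period/algorithm/window from the realm policy so admin changes apply to external users too.
        OTPPolicy p = realm.getOTPPolicy();
        if (!OTPCredentialModel.TOTP.equals(p.getType())) return false;   // HOTP not handled here (assumption)
        TimeBasedOTP totp = new TimeBasedOTP(p.getAlgorithm(), p.getDigits(), p.getPeriod(), p.getLookAheadWindow());
        return store.secretFor(user.getUsername())
                .map(secret -> totp.validateTOTP(code, secret.getBytes(StandardCharsets.UTF_8)))
                .orElse(false);
    }

    /** The enrolment form hands over the generated secret as the challenge response; persist it in our DB. */
    @Override public boolean updateCredential(RealmModel realm, UserModel user, CredentialInput input) {
        if (!supportsCredentialType(input.getType()) || input.getChallengeResponse() == null) return false;
        store.saveSecret(user.getUsername(), input.getChallengeResponse());   // never log this value
        return true;
    }

    @Override public void disableCredentialType(RealmModel realm, UserModel user, String type) {
        if (supportsCredentialType(type)) store.deleteSecret(user.getUsername());
    }

    @Override public Stream<String> getDisableableCredentialTypesStream(RealmModel realm, UserModel user) {
        return store.secretFor(user.getUsername()).isPresent() ? Stream.of(OTPCredentialModel.TYPE) : Stream.empty();
    }
}

/** Step 5: renders Keycloak's stock login-otp.ftl and validates through the provider above. */
class ExternalOtpAuthenticator implements Authenticator {
    @Override public void authenticate(AuthenticationFlowContext ctx) {
        ctx.challenge(ctx.form().createLoginTotp());
    }

    @Override public void action(AuthenticationFlowContext ctx) {
        String code = ctx.getHttpRequest().getDecodedFormParameters().getFirst("otp"); // field name in login-otp.ftl
        UserModel user = ctx.getUser();
        boolean ok = code != null && ctx.getSession().userCredentialManager()
                .isValid(ctx.getRealm(), user, new UserCredentialModel("", OTPCredentialModel.TYPE, code));
        if (!ok) {
            ctx.getEvent().user(user).error(Errors.INVALID_USER_CREDENTIALS);
            Response challenge = ctx.form().setError(Messages.INVALID_TOTP).createLoginTotp();
            ctx.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challenge);
            return;
        }
        ctx.success();
    }

    @Override public boolean requiresUser() { return true; }

    @Override public boolean configuredFor(KeycloakSession s, RealmModel realm, UserModel user) {
        return s.userCredentialManager().isConfiguredFor(realm, user, OTPCredentialModel.TYPE);
    }

    /** Step 7: users without a secret are sent through the Configure OTP required action. */
    @Override public void setRequiredActions(KeycloakSession s, RealmModel realm, UserModel user) {
        user.addRequiredAction(UserModel.RequiredAction.CONFIGURE_TOTP);
    }

    @Override public void close() {}
}
```

The authenticator still needs an `AuthenticatorFactory` registered under `META-INF/services/org.keycloak.authentication.AuthenticatorFactory` before it shows up in the copied browser flow (step 8). Two caveats worth knowing before going live: `TimeBasedOTP.validateTOTP` only checks the current time step and the policy's look-ahead window, it does not remember codes it has already accepted, so if single-use codes matter, record the last accepted time step next to the secret and reject anything at or below it; and because the secret now lives outside Keycloak, the external column needs the same protection Keycloak would give it (encrypted at rest, excluded from logs and backups that are not themselves encrypted).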