KEYCLOAK: OTP using a custom user storage SPI


Good day, I was wondering if anyone has information on how to implement 2FA using OTP in Keycloak with a custom user storage SPI.

I already have an extension for my SQL Server database, and I can log in using their password (BCrypt). But I can't configure OTP for them, since they are read-only users (federated). Reading the documentation, I found that users from LDAP can be synced into Keycloak to be able to do this (obviously with the writing overhead).

Does anyone have any idea on how to do this? Or maybe, how to enable this without caching them locally?


BEST ANSWER

Well, I was wrong with my previous answer. I will leave it there just because it might be useful for someone else, so here's the full history on how to do this...

FULL OTP support in my external DB

Well, finally, after more than a week (on my new project) I got this working with Keycloak 18.0. What do you need to do? Simply, you have to implement each and every step in the authentication workflow:

  1. Create your user storage SPI
  2. Implement Credential Update SPI
  3. Implement a custom Credential Provider SPI
  4. Implement a custom Required Action SPI
  5. Implement your authenticator SPI
  6. Implement your forms (I kinda used the internal OTP forms in KC)
  7. Enable your Required action
  8. Create a copy of the browser workflow and plaster there your authenticator

And what do we get with this?

  1. We get a fully customizable OTP authenticator (realm's policy pending...)
  2. You can use that code for verification in your app (it's in your DB), e.g. the user is already authenticated and you want them to verify a password/code to confirm some action
  3. You can set up users for OTP authentication in your app (no KC admin page involved, so you can leave the admin page outside the firewall/proxy)

In my opinion, this is kinda annoying, since there are a lot of loops we have to go through to be able to store our data locally and to deal with the integrated OTP forms (for a "natural look"), but it gives me full control over my OTP integration. Also, I can back up my database and their OTP authentication is still there, so if I have a failure in a KC upgrade or it gets corrupted, I still have all that data.

Lastly, here's what it should look like when your manager has the custom OTP authentication: [screenshot]

PREVIOUS ANSWER

Well, for anyone who's interested in this, making this possible on Keycloak is not that hard; you just have to understand that Keycloak doesn't treat federated users as its own users (so it is not possible to make them editable, as far as I could see).

So then, how can I solve 2FA with Keycloak? Easy: once you get rid of the idea of implementing the TOTP or HOTP from Keycloak, you can create your own implementation of 2FA using the existing form from OTP.

The steps for replicating this are:

  • Create a federated user store (guess this isn't hard if you're reading this question)
  • Create a REST API for interacting with Keycloak and your user store (this step is optional; I just did it because my back-end is on .NET and I wanted all my authentication logic in Keycloak) so you can generate secrets for your 2FA (OTP private key, SMS phone number, ...)
  • Create a custom authentication class and use the OTP form to read the data (don't worry, you can customize the title and label of it; also, you can make this optional using the attributes from your user storage)

To do this, I basically had to download Keycloak's source code and analyze how it authenticates internally using password and OTP.

If anyone is interested in doing this you can DM me
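As an added illustration of the custom authenticator both answers describe (step 5 and 8 of the accepted answer, and the "custom authentication class that reuses the OTP form" of the previous one), here is an example Keycloak 18 `Authenticator` plus its `AuthenticatorFactory`. It is not the answerers' code. It assumes the federated user storage provider exposes the user's Base32 TOTP secret as a user attribute named `otp_secret` (an assumed name; a DAO against the external DB would work the same way), reuses Keycloak's built-in `login-otp.ftl` form (whose input field is named `otp`), and validates the code with the realm's OTP policy via Keycloak's own `TimeBasedOTP` class so that algorithm, digits, period and look-ahead window stay under the realm's control:

```java
package example.otp; // hypothetical package name

import java.util.List;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;

import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.events.Errors;
import org.keycloak.models.AuthenticationExecutionModel.Requirement;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.OTPPolicy;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.Base32;
import org.keycloak.models.utils.TimeBasedOTP;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.services.messages.Messages;

/** Second-factor step that checks a TOTP code against a secret held by the federated user store. */
public class ExternalOtpAuthenticator implements Authenticator {

    static final String SECRET_ATTRIBUTE = "otp_secret"; // assumed attribute name exposed by the user storage SPI
    static final String OTP_FIELD = "otp";               // input name used by Keycloak's login-otp.ftl

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // The password step already ran; just render Keycloak's own OTP form.
        context.challenge(context.form().createLoginTotp());
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String code = form.getFirst(OTP_FIELD);
        String secret = context.getUser().getFirstAttribute(SECRET_ATTRIBUTE);

        if (code == null || code.isBlank() || secret == null || !verify(context.getRealm().getOTPPolicy(), code, secret)) {
            // Record an auditable event and re-render the form with the standard "invalid code" message;
            // failureChallenge lets the flow (and brute-force detection) count the failed attempt.
            context.getEvent().user(context.getUser()).error(Errors.INVALID_USER_CREDENTIALS);
            Response challenge = context.form().setError(Messages.INVALID_TOTP).createLoginTotp();
            context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challenge);
            return;
        }
        context.success();
    }

    /** Validate with the realm's OTP policy so the external secret follows the same rules as Keycloak's own. */
    static boolean verify(OTPPolicy policy, String code, String base32Secret) {
        TimeBasedOTP totp = new TimeBasedOTP(policy.getAlgorithm(), policy.getDigits(),
                policy.getPeriod(), policy.getLookAheadWindow());
        return totp.validateTOTP(code, Base32.decode(base32Secret));
    }

    @Override public boolean requiresUser() { return true; }

    /** Only users whose external record carries a secret are challenged; others must enrol in the application first. */
    @Override
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
        return user.getFirstAttribute(SECRET_ATTRIBUTE) != null;
    }

    @Override public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
        // Enrolment is done by the application against the external DB, so no Keycloak required action is queued.
    }

    @Override public void close() { }

    /** Factory registered through META-INF/services/org.keycloak.authentication.AuthenticatorFactory. */
    public static class Factory implements AuthenticatorFactory {
        public static final String ID = "external-otp"; // assumed provider id

        @Override public Authenticator create(KeycloakSession session) { return new ExternalOtpAuthenticator(); }
        @Override public String getId() { return ID; }
        @Override public String getDisplayType() { return "External DB OTP"; }
        @Override public String getReferenceCategory() { return "otp"; }
        @Override public String getHelpText() { return "Validates a TOTP code against the secret stored in the federated user store."; }
        @Override public boolean isConfigurable() { return false; }
        @Override public boolean isUserSetupAllowed() { return false; }
        @Override public Requirement[] getRequirementChoices() {
            return new Requirement[] { Requirement.REQUIRED, Requirement.ALTERNATIVE, Requirement.DISABLED };
        }
        @Override public List<ProviderConfigProperty> getConfigProperties() { return List.of(); }
        @Override public void init(Config.Scope config) { }
        @Override public void postInit(KeycloakSessionFactory factory) { }
        @Override public void close() { }
    }
}
```

To wire it in, list `example.otp.ExternalOtpAuthenticator$Factory` in `META-INF/services/org.keycloak.authentication.AuthenticatorFactory` inside the provider JAR, copy the browser flow in the admin console and add the "External DB OTP" execution after the username/password form, as step 8 of the accepted answer describes. Because `isUserSetupAllowed()` returns false, setting the execution to REQUIRED means a user without an `otp_secret` cannot complete login until the application has enrolled them; use CONDITIONAL with a "condition - user configured" sub-flow if unenrolled users should still be able to log in.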