Keycloak passwordless authentication
Today, more and more services are migrating to the cloud, which requires us to have an infinite amount of accounts and, of course, passwords. Though many apps were created to help users store and generate safe passwords, they still might not be as secure as one-time passwords.
Although many identity and access managers like Auth0 and Okta provide support for passwordless authentication, one might eliminate them as a valid option due to their costs or other technical limitations.
Enter Keycloak
Keycloak is open-source software, developed mainly by Red Hat, that handles both authentication and authorization while remaining highly customisable via plugins or its admin console. Although it does not support passwordless authentication out of the box, it's fairly easy to add without writing a single line of code. The following sections of this article demonstrate how to configure Keycloak to authenticate users with one-time password (OTP) apps like Google Authenticator or Authy.
This article assumes that you already have a Keycloak instance up and running and there is at least one realm created with enabled registration via web forms.
Configuring Browser Auth Flow
First, we need to configure the login flow to stop requesting a password, and instead, request an OTP code from the user. To do this, the following steps are needed:
- Select the desired realm or create a new one;
- Select the Authentication menu on the left panel;
- On the Flows tab, click on the browser flow menu and then click Duplicate;
- A modal will open; name the new flow Otp-browser-auth and then click on Duplicate;
- The newly created browser flow will be opened;
- Delete all steps under Otp-browser-auth forms;
- Add a Username Form step for Otp-browser-auth forms;
- Now do the same process, but add an OTP Form step for Otp-browser-auth forms;
- Make both Otp-browser-auth forms and OTP Form Required.
Configuring the Registration Flow
The registration flow must be changed to ask for an OTP code instead of a password, since the latter won’t be used anymore. To create a new registration flow, follow these steps:
- Select the desired realm;
- Select the Authentication menu on the left panel;
- On the Flows tab, create a copy of the Registration flow and name it Otp-Registration-Form (the same process we used for Otp-browser-auth);
- Mark the Password Validation step as Disabled;
- Click on Add Step at the top of the page, add an OTP Form step and mark it as Required;
- Your registration flow should now look like this:
Enabling the new flows
In order to enable the new flows, we need to tell Keycloak to use them by following these steps:
- Select the desired realm;
- Select the Authentication menu on the left panel;
- Click on the Otp-browser-auth menu and then click on Bind flow, then select Browser Flow and hit Save;
- Click on the Otp-Registration-Form menu and then click on Bind flow, then select Registration Flow and hit Save.
After the steps above, Keycloak’s bindings should look something like this:
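The clicks above leave nothing you can diff, so it is worth confirming the result against a realm export (from `kc.sh export` or the admin REST API). The script below is an added example, not part of this article or of Keycloak itself: it assumes the export's JSON layout (realm-level `browserFlow` and `registrationFlow` aliases, and an `authenticationFlows` list whose sub-flow executions carry a `flowAlias`), walks both bound flows, and reports any password authenticator that is still active or any username/OTP form that is not Required. The inline realm is a constructed sample that mirrors the flows built above, not a real export.

```python
PASSWORD_STEPS = {"auth-password-form", "auth-username-password-form",
                  "registration-password-action"}
REQUIRED_STEPS = {"browserFlow": {"auth-username-form", "auth-otp-form"},
                  "registrationFlow": {"auth-otp-form"}}

def active_steps(flows, alias):
    """authenticator id -> requirement for all steps reachable from `alias`."""
    steps = {}
    for ex in flows[alias]["authenticationExecutions"]:
        if ex.get("requirement") == "DISABLED":
            continue  # a disabled step never runs, so it neither helps nor hurts
        if ex.get("authenticatorFlow"):  # sub-flow: descend into it
            steps.update(active_steps(flows, ex["flowAlias"]))
        elif ex.get("authenticator"):
            steps[ex["authenticator"]] = ex["requirement"]
    return steps

def check_passwordless(realm):
    """Return findings as strings; an empty list means both bindings are OTP-only."""
    flows = {f["alias"]: f for f in realm.get("authenticationFlows", [])}
    findings = []
    for binding, needed in REQUIRED_STEPS.items():
        alias = realm.get(binding)
        if alias not in flows:
            findings.append(f"{binding} is unset or points at a missing flow: {alias!r}")
            continue
        steps = active_steps(flows, alias)
        for step in sorted(set(steps) & PASSWORD_STEPS):
            findings.append(f"{binding} {alias!r} still runs password step {step}")
        for step in sorted(needed):
            if steps.get(step) != "REQUIRED":
                findings.append(f"{binding} {alias!r}: {step} is not REQUIRED")
    return findings

# Constructed sample export mirroring the article's flows (not a real realm dump).
SAMPLE_REALM = {
    "browserFlow": "Otp-browser-auth", "registrationFlow": "Otp-Registration-Form",
    "authenticationFlows": [
        {"alias": "Otp-browser-auth", "authenticationExecutions": [
            {"authenticatorFlow": True, "requirement": "REQUIRED",
             "flowAlias": "Otp-browser-auth forms"}]},
        {"alias": "Otp-browser-auth forms", "authenticationExecutions": [
            {"authenticator": "auth-username-form", "requirement": "REQUIRED"},
            {"authenticator": "auth-otp-form", "requirement": "REQUIRED"}]},
        {"alias": "Otp-Registration-Form", "authenticationExecutions": [
            {"authenticatorFlow": True, "requirement": "REQUIRED",
             "flowAlias": "Otp-Registration-Form registration form"}]},
        {"alias": "Otp-Registration-Form registration form", "authenticationExecutions": [
            {"authenticator": "registration-password-action", "requirement": "DISABLED"},
            {"authenticator": "auth-otp-form", "requirement": "REQUIRED"}]}]}
```

Load a real export with `json.load` and pass it to `check_passwordless`; a non-empty list means a password step survived one of the steps above or a form was left Alternative instead of Required.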
Testing
Now that Keycloak is configured, we can test everything. Let’s start by initiating an auth flow for a client in our realm, registering a user and logging in.
You can do that by going to http://<your-keycloak-domain>:<port>/realms/<your-realm>/account/#/ and clicking on "Sign In".
Once the flow is started, Keycloak will send us to the login page that should look like the image below. Notice that there’s no password field.
Since there are no users, let's register one via the Register link, which will lead us to the registration form.
Once the basic info is provided and the Register button is clicked, Keycloak will ask us to register the OTP seed using an app like Google Authenticator or Authy.
After that, the user is ready and we can log in. Start by going back to the login page, fill in the user's email and click on Login.
If the username or email is valid and exists in the database, Keycloak will ask for an OTP, which should be obtained via Google Authenticator or Authy.
And voilà.