Keycloak passwordless authentication

Gui Íscaro
ProFUSION Engineering
Nov 3, 2020

Today, more and more services are migrating to the cloud, which leaves us with an ever-growing number of accounts and, of course, passwords. Although many apps were created to help users store and generate strong passwords, a stored password is still a long-lived secret that can be phished or leaked, which is why it might not be as secure as a one-time password.

Although many identity and access managers like Auth0 and Okta provide support for passwordless authentication, one might eliminate them as a valid option due to their costs or other technical limitations.

Enter Keycloak

Keycloak is open-source identity and access management software, mainly developed by Red Hat, that handles both authentication and authorization while remaining highly customisable via plugins or via its admin console. Although it does not support passwordless authentication out of the box, it is fairly easy to add without writing a single line of code. The following sections of this article demonstrate how to configure Keycloak to authenticate users with one-time password (OTP) apps like Google Authenticator or Authy.

This article assumes that you already have a Keycloak instance up and running, with at least one realm created and user registration via the web forms enabled.

Keycloak instance with custom realm and registration on.

Configuring Browser Auth Flow

First, we need to configure the login flow to stop asking for a password and request an OTP code from the user instead. To do this, the following steps are needed:

  • Select the desired realm or create a new one;
  • Select the Authentication menu on the left panel;
  • On the Flows tab, open the browser flow menu and click Duplicate;
  • A modal will open; name the new flow Otp-browser-auth and then click on Duplicate;
  • The newly created browser flow will be opened;
  • Delete all steps under Otp-browser-auth forms;
  • Add a Username Form step under Otp-browser-auth forms;
  • Now repeat the process, but add an OTP Form step under Otp-browser-auth forms;
  • Make both Otp-browser-auth forms and OTP Form Required;

Configuring the Registration Flow

The registration flow must also be changed to ask for an OTP code instead of a password, since the latter won’t be used anymore. To create a new registration flow, follow these steps:

  • Select the desired realm;
  • Select the Authentication menu on the left panel;
  • On the Flows tab, create a copy of the Registration flow and name it Otp-Registration-Form (the same process we used for Otp-browser-auth);
  • Mark the Password Validation step as Disabled;
  • Click on Add Step at the top of the page, add an OTP Form step and mark it as Required;
  • Your registration flow should look like this:

Enabling the new flows

The new flows are not used until they are bound to the realm, so we need to tell Keycloak to use them by following these steps:

  • Select the desired realm;
  • Select the Authentication menu on the left panel;
  • Open the Otp-browser-auth menu, click on Bind flow, select Browser Flow and hit Save;
  • Open the Otp-Registration-Form menu, click on Bind flow, select Registration Flow and hit Save;

After the steps above, Keycloak’s bindings should look something like this:
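The three configuration sections above (duplicating the browser flow, duplicating the registration flow, and binding both to the realm) can also be driven through Keycloak's admin REST API, which is useful when the same realm has to be reproduced across environments. The script below is an added example and is not part of the original article or of Keycloak itself. The base URL, realm name and admin credentials are placeholders; the endpoint paths and provider ids (`auth-username-form`, `auth-otp-form`, `registration-password-action`) are the ones I know from Keycloak's admin REST API, and the sub-flow name `Otp-browser-auth forms` is the one the article shows Keycloak assigning to the duplicated forms step. Check both against your Keycloak version (releases before 17 also need an `/auth` prefix in the base URL). The `send` callable is injectable so the logic can be exercised without a live server.

```python
"""Reproduce the article's flow changes through Keycloak's admin REST API.

Added example, not the article's or Keycloak's own code. Endpoint paths and
provider ids are as I know them; verify against your version.
"""
import json
import urllib.parse
import urllib.request
from typing import Optional

# Hypothetical deployment values; replace with your own.
BASE_URL = "http://localhost:8080"
REALM = "demo"
BROWSER_FLOW = "Otp-browser-auth"
BROWSER_FORMS = BROWSER_FLOW + " forms"   # name Keycloak gives the duplicated "forms" sub-flow
REGISTRATION_FLOW = "Otp-Registration-Form"
ADMIN = "/admin/realms/" + REALM


def admin_token(username: str, password: str) -> str:
    """Password grant against the master realm with the built-in admin-cli client."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    req = urllib.request.Request(BASE_URL + "/realms/master/protocol/openid-connect/token", data=form)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def http_transport(token: str):
    """Returns send(method, path, body) -> parsed JSON or None. A fake can replace it in tests."""
    def send(method: str, path: str, body: Optional[dict] = None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(BASE_URL + path, data=data, method=method, headers={
            "Authorization": "Bearer " + token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else None
    return send


def _flow(alias: str) -> str:
    return f"{ADMIN}/authentication/flows/{urllib.parse.quote(alias)}"


def copy_flow(send, source_alias: str, new_name: str) -> None:
    send("POST", _flow(source_alias) + "/copy", {"newName": new_name})          # "Duplicate"


def executions(send, flow_alias: str) -> list:
    return send("GET", _flow(flow_alias) + "/executions")


def set_requirement(send, flow_alias: str, execution: dict, requirement: str) -> None:
    send("PUT", _flow(flow_alias) + "/executions", {**execution, "requirement": requirement})


def delete_execution(send, execution_id: str) -> None:
    send("DELETE", f"{ADMIN}/authentication/executions/{execution_id}")


def add_execution(send, flow_alias: str, provider_id: str) -> None:
    send("POST", _flow(flow_alias) + "/executions/execution", {"provider": provider_id})  # "Add Step"


def direct_children(execs: list, subflow_name: str):
    """The named sub-flow plus the executions one level below it (children follow their
    parent in the list; deleting a child sub-flow removes its own descendants as well)."""
    parent = next(e for e in execs if e.get("displayName") == subflow_name and e.get("authenticationFlow"))
    children = []
    for e in execs[execs.index(parent) + 1:]:
        if e["level"] <= parent["level"]:
            break
        if e["level"] == parent["level"] + 1:
            children.append(e)
    return parent, children


def configure_browser_flow(send) -> list:
    """Returns the ids of the forms sub-flow and its new steps, all set to REQUIRED."""
    copy_flow(send, "browser", BROWSER_FLOW)
    _, children = direct_children(executions(send, BROWSER_FLOW), BROWSER_FORMS)
    for child in children:                                  # delete all steps under the forms sub-flow
        delete_execution(send, child["id"])
    add_execution(send, BROWSER_FORMS, "auth-username-form")   # Username Form
    add_execution(send, BROWSER_FORMS, "auth-otp-form")        # OTP Form
    parent, children = direct_children(executions(send, BROWSER_FLOW), BROWSER_FORMS)
    for e in [parent] + children:                           # new steps start DISABLED
        set_requirement(send, BROWSER_FLOW, e, "REQUIRED")
    return [e["id"] for e in [parent] + children]


def configure_registration_flow(send) -> None:
    copy_flow(send, "registration", REGISTRATION_FLOW)
    for e in executions(send, REGISTRATION_FLOW):
        if e.get("providerId") == "registration-password-action":   # Password Validation -> Disabled
            set_requirement(send, REGISTRATION_FLOW, e, "DISABLED")
    add_execution(send, REGISTRATION_FLOW, "auth-otp-form")          # top-level OTP Form step
    for e in executions(send, REGISTRATION_FLOW):
        if e.get("providerId") == "auth-otp-form" and e["level"] == 0:
            set_requirement(send, REGISTRATION_FLOW, e, "REQUIRED")


def bind_flows(send) -> None:
    """Equivalent of "Bind flow" for Browser Flow and Registration Flow."""
    send("PUT", ADMIN, {"browserFlow": BROWSER_FLOW, "registrationFlow": REGISTRATION_FLOW})


if __name__ == "__main__":
    import getpass
    send = http_transport(admin_token("admin", getpass.getpass("admin password: ")))
    configure_browser_flow(send)
    configure_registration_flow(send)
    bind_flows(send)
```

Running the script against a fresh realm leaves it in the same state as the clickthrough above; because every call goes through `send`, the same functions can be pointed at a recording fake to review the exact requests before they hit a production realm.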

Testing

Now that Keycloak is configured, we can test everything. Let’s start by initiating an auth flow for a client in our realm, registering a user and logging in.

You can do that by going to http://<your-keycloak-domain>:<port>/realms/<your-realm>/account/#/ and clicking on “Sign In”.

Once the flow is started, Keycloak will send us to the login page that should look like the image below. Notice that there’s no password field.

Since there are no users yet, let’s register one via the Register link, which will lead us to the registration form.

Once the basic info is provided and the Register button is clicked, Keycloak will ask us to register the OTP seed using an app like Google Authenticator or Authy.

After that, the user is ready and we can log in. Go back to the login page, fill in the user’s email and click on Login.

If the username or email is valid and exists in the database, Keycloak will ask for an OTP code, which should be obtained from Google Authenticator or Authy.
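To make concrete what the OTP Form step is checking at this point, here is an RFC 6238 TOTP validator of the kind that sits behind it, written as an added example (not Keycloak's code). The parameters map onto the fields of Keycloak's OTP Policy (algorithm, digits, period and look-ahead window); the `TotpVerifier` class, its replay guard and the demo seed are my own constructions, and the seed is the public RFC 6238 reference secret rather than any real user's.

```python
"""RFC 6238 TOTP validation, as an added example of the check behind the OTP Form step."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, period: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter derived from Unix time (this is what the app displays)."""
    return hotp(secret, at // period, digits, algorithm)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps receive the seed Base32-encoded in the otpauth:// URI behind the QR code."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)        # restore the padding apps usually omit
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server-side check (hypothetical helper): accepts the code for the current time step
    or for `look_ahead` steps on either side, and refuses any step at or below the last
    step that was already consumed, so a code cannot be replayed within its window."""

    def __init__(self, secret: bytes, period: int = 30, digits: int = 6,
                 algorithm: str = "sha1", look_ahead: int = 1):
        self.secret, self.period, self.digits = secret, period, digits
        self.algorithm, self.look_ahead = algorithm, look_ahead
        self.last_used_step = -1                   # highest counter already accepted

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // self.period
        for step in range(current - self.look_ahead, current + self.look_ahead + 1):
            if step <= self.last_used_step:        # already used (or older than a used one)
                continue
            candidate = hotp(self.secret, step, self.digits, self.algorithm)
            if hmac.compare_digest(candidate, code):   # constant-time comparison
                self.last_used_step = step
                return True
        return False


if __name__ == "__main__":
    # Constructed demo seed: the RFC 6238 reference secret, not a real user's.
    seed = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("current code:", totp(seed, int(time.time())))
```

The look-ahead window is what lets a code generated a few seconds before the step boundary still pass when the phone's clock drifts slightly; widening it trades that tolerance for a larger set of acceptable codes per login, which is why it should stay small.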

And voilà.
