How to bypass username/password authentication with mobile number/OTP (sent via SMS) for Keycloak
Why do you want to do that? Is this some kind of malicious software or something? – EJoshuaS - Stand with Ukraine Oct 15 '20 at 15:50
@EJoshuaS-ReinstateMonica the intention is to authenticate with the mobile number and the OTP sent to him via SMS instead of username/password credentials. Most of the time users forget the password, hence the above approach. Does it not make sense? I thought this was very prevalent for mobile users – Rpj Oct 15 '20 at 15:54
Our intention is to support both approaches, i.e username/password and mobile number/OTP (via SMS) and no 2FA – Rpj Oct 15 '20 at 15:55
That makes more sense, then. – EJoshuaS - Stand with Ukraine Oct 15 '20 at 15:55
Not sure why this was closed; if you could state why it was focusing on more than one problem, it would be helpful to understand – Rpj Oct 17 '20 at 17:27
1 Answer
You have to implement a custom authentication flow (see Admin Console -> Authentication -> Flows). Your flow should include two branches: one for login/password, and a second for SMS/OTP. For every subflow you should implement a dedicated Authenticator SPI with a Conditional requirement. From the client side your applications should supply some data (e.g. an additional HTTP param) that will be used by Conditional Authenticators to make a decision about routing through the authentication flow.
Detailed guideline for authentication flow development
Authenticator development docs
P.S. I'm not familiar with the latest Keycloak version; maybe there already exist some facilities for your goal.

solveMe
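The routing piece of the answer above, as an added example that is not code from the answer or from Keycloak itself: a ConditionalAuthenticator (plus its factory) that selects the SMS/OTP subflow only when the client sent an extra request parameter. The package, class and provider id, the parameter name `login_method`, and the `client_request_param_` client-note prefix under which Keycloak's OIDC authorization endpoint stores non-standard request parameters are assumptions to verify against your Keycloak version; the SMS/OTP authenticator that actually verifies the code is a separate provider and is not shown.

```java
package example.keycloak; // hypothetical package

import java.util.List;
import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.authenticators.conditional.ConditionalAuthenticator;
import org.keycloak.authentication.authenticators.conditional.ConditionalAuthenticatorFactory;
import org.keycloak.models.AuthenticationExecutionModel.Requirement;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

/** Condition: true only when the client asked for the SMS/OTP branch. */
public class SmsLoginRequestedCondition implements ConditionalAuthenticator {
    // Assumed: the app appends login_method=sms to the authorization request, and
    // Keycloak keeps non-standard params as client notes with this prefix.
    static final String NOTE = "client_request_param_" + "login_method";

    @Override
    public boolean matchCondition(AuthenticationFlowContext context) {
        String value = context.getAuthenticationSession().getClientNote(NOTE);
        // Exact match only: any other or missing value falls through to the
        // username/password subflow, so the client can choose a branch but not
        // skip authentication. Each branch still enforces its own credential check.
        return "sms".equals(value);
    }

    @Override public void authenticate(AuthenticationFlowContext c) { if (matchCondition(c)) c.success(); else c.attempted(); }
    @Override public void action(AuthenticationFlowContext c) { }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }

    /** Factory registered via META-INF/services/org.keycloak.authentication.AuthenticatorFactory. */
    public static class Factory implements ConditionalAuthenticatorFactory {
        public static final String ID = "sms-login-requested-condition"; // hypothetical provider id
        private static final Requirement[] CHOICES = { Requirement.REQUIRED, Requirement.DISABLED };

        @Override public ConditionalAuthenticator getSingleton() { return new SmsLoginRequestedCondition(); }
        @Override public String getId() { return ID; }
        @Override public String getDisplayType() { return "Condition - SMS login requested"; }
        @Override public String getReferenceCategory() { return "condition"; }
        @Override public boolean isConfigurable() { return false; }
        @Override public Requirement[] getRequirementChoices() { return CHOICES; }
        @Override public boolean isUserSetupAllowed() { return false; }
        @Override public String getHelpText() { return "Routes to the SMS/OTP subflow when login_method=sms was sent."; }
        @Override public List<ProviderConfigProperty> getConfigProperties() { return List.of(); }
        @Override public void init(Config.Scope config) { }
        @Override public void postInit(KeycloakSessionFactory factory) { }
        @Override public void close() { }
    }
}
```

In the admin console, place this condition as the first execution of a Conditional subflow that contains the SMS/OTP authenticator, with the username/password forms in a sibling Alternative subflow, so that the browser flow evaluates the condition before choosing a branch.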