Comments (7)
Thanks for the question @AlbertMirSoftonic . In the case of email OTP, it's not possible to invoke via API.
In the case of magic link, the link that is created can be opened in any browser, regardless of whether or not it uses the same authentication session. This is because it uses an "Action Token" that encodes all of the necessary information to create a new session and log in the user.
In the case of email OTP, once the code has been created and sent, it stores it in the authentication session (in something called an "Auth Note"), which is specific to the browser and session that is already underway.
from keycloak-magic-link.
Also, on page 101 of the Keycloak book, there's a suggestion for how to use custom URI schemes. E.g. org.acme.app://oauth2/provider-name
, which has a suggestion for how to open a temporary web server on the app at a temporary loopback port in order to get the code to do the code-to-token flow. This would work likely work with a magic link with the correct app URI as the redirect.
Anyway, it's not my content to copy here, but if you have the book, it might be one route to consider.
from keycloak-magic-link.
We're building a native mobile app and we need a simple mechanism to authenticate users using Keycloak without using the browser (only the rest API).
And we thought that the best approach here is to send users an OTP via email and use this OTP to get an access token since we consider the email account a valid verified entity.
Is there a way to exchange the OTP with an access token, without using the website, or can give us some light on reaching this mobile app authentication?
Thanks @xgp!
from keycloak-magic-link.
I understand what you're going for, but the "without using the browser (only the rest API)" is generally not a recommended security practice. I would suggest using a standard flow with a library like AppAuth (e.g. for iOS: https://github.com/openid/AppAuth-iOS).
It certainly would be possible for you to generate an OTP, save it as a Credential, and then expose a REST extension where you could send the username and OTP in exchange for a token. A lot of the primitives for what you'd have to build are there in this code. However, you'll be on your own for maintaining it, as it's a big risk if you get it wrong.
from keycloak-magic-link.
The thing is that apps like AppAuth open a browser to authenticate users and this is exactly what we try to avoid. Apart from the fact that this does not fit our product requirements, we consider that this approach is not too simple in terms of UX.
Do you know if there's any other more-native approach (perhaps using an SDK βlike on Firebase) to login using the OTP code or even the Magic Link?
from keycloak-magic-link.
If you absolutely can't use the browser, I can't think of a great way to do it.
There's OIDC password grant type, which would allow you to exchange a username/password for a token via the Keycloak client OIDC endpoint.
from keycloak-magic-link.
Ok. Thanks a lot for all your clarifications! π
from keycloak-magic-link.
Related Issues (20)
- Installation not working HOT 11
- Prebuilt `.jar` files HOT 3
- Apache Server Authentication and Authorization HOT 6
- Issue regarder required actions update HOT 2
- Magic Link for authentication session continuation HOT 2
- Need help setting up magic link with Grafana HOT 4
- Default group assignment after user creation HOT 1
- NullPointerException in MagicLinkAuthenticator if forceCreate is false HOT 2
- Use in combination with multiple factors HOT 2
- Failed authentication: java.lang.IllegalStateException: Magic links not allowed for master realm HOT 3
- Add force create user to Email OTP and Magic Link Continuation HOT 3
- Issuer/audience do not behave the same between production and dev HOT 3
- keycloak-magic-link-0.10.jar producing error HOT 1
- C# Owin Application doesnt populate AuthenticationTicket HOT 1
- How to use magic link and password parallel? HOT 1
- Enhancement - Request to add username attribute to the token HOT 4
- Email OTP authentication flow not available HOT 1
- Keycloak 25.0.0 support HOT 2
- Rep is null on POST to magic-link HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from keycloak-magic-link.