How FIDO2 Passwordless Authentication Works With Keycloak

Captions
...into how we can do passwordless authentication using the FIDO2 standards. Now this FIDO2 standard consists of WebAuthn and the Client to Authenticator Protocol. So now what we would be doing is we would be setting up Keycloak to work with this passwordless authentication mechanism, and we are going to do this passwordless authentication mechanism by authenticating using a fingerprint on a laptop, and then also set this up on our phone using the fingerprint on my phone itself. So with this, let's get started.

Before we actually start looking into the setup for Keycloak, let's understand how this authentication actually works. This is the registration process that I have put out into a flow diagram, wherein we have the client, which initiates the registration. The server then responds with a particular challenge code. Now what the browser does is it invokes the WebAuthn API with the challenge. Now the WebAuthn API finds the available authenticators, it then shows them to the user, and then the user selects the particular authenticator which he wants, like it could be from the laptop or it could be a phone. And then after that it generates a public and private key pair, it uses the private key to sign that particular challenge which was sent here, and then stores the private key on the device itself. It then finally sends that public key and the signature which was generated as a part of signing here to the server. Now what the server does is it validates the signature using the public key, and then stores the public key against that particular registration, and then it completes the particular registration. Now this is the registration flow for actually generating this passwordless authentication.

Now let's actually look into how the authentication happens. So I have yet another flow diagram here. In this flow diagram, what the client does is it first initiates a login. The server first sends the challenge to the client. Now what the browser does is it invokes this with the WebAuthn API. Now the WebAuthn API prompts the authenticator, and the user authenticates using the authenticator. Now this could be using the fingerprint from the Mac, or from your phone a fingerprint or a PIN. And then afterwards WebAuthn gets access to the private key, and using the private key it then signs that particular challenge and sends the signature back to the server. Now what the server does is it actually validates that incoming signature with the public key that it had stored during the registration, and in this way it figures out if the login is successful or not.

With this understanding, now let's actually go and set this up in our Keycloak instance. For this I have a Docker image here, so let me open this. If you see here, I'm using Keycloak version 18 here, and it has default admin passwords here, and I'm going to expose this at port 8080. So with this, let's actually start Keycloak: docker-compose up. Okay, so with this Keycloak has started. Now let's actually access it, so localhost:8080, and let's actually log into the admin console. So here I'm going to specify admin / admin. The first thing we're going to do is we are going to create a new realm, so here I'm going to specify fido2, and I'm going to create this.

With the realm now created, what we are going to do is we are going to change the authentication flow. So let's go to Authentication, and here, if you see in the flows here, you see this browser flow, right? What we are going to do now is we are going to make a copy of this particular browser flow. So I'm going to click the Copy option here, and I'm going to call this the Fido flow and say OK. Now this will actually create a copy of the browser flow. So here what we are going to do is we are going to actually delete this Fido flow forms here, so we're going to go to the Actions and say Delete. And now what we're going to do is we are going to actually add a new flow, so we're going to say New Flow, and we're going to give this as Fido authentication, and the flow type is going to be generic. So when I say Save, if you see here, now Fido authentication has been added, and I'm going to mark this as Required. Next, what I'm going to do is, using this option here, I'm going to add a new execution. Now when I add this new execution here, I will be selecting WebAuthn Passwordless Authenticator. So with this we are going to actually set up the passwordless authenticator mechanism now. So I'm going to save this now, and I'm going to mark this as Required now. So the flow is: first it checks for cookies, and then it checks for the Fido authentication. Now for this WebAuthn passwordless authenticator to work, we also need to add a username field. So I'm going to add a new execution, and I'm going to specify Username Form here, and I'm going to say Save. Now what I'm going to do is I'm going to drag the username above, such that the authentication flow will first show me the username, and then it's going to do the passwordless authentication. With this we have actually created our authentication flow. Now what we need to do is we need to bind this particular flow. So let's go to Bindings, and for the browser flow what we're going to do is we are going to change this to the Fido flow. Now we're going to save this, and then finally we have to go to Required Actions, in which we are going to add WebAuthn Register Passwordless here. So I'm gonna say OK, and I'm going to make this one of the default actions. So now this has completed all the authentication flow actions that you need, right?

Next, what we are going to do is we are going to create a particular client. So let's go to Clients here and create one new client for us. We're going to call this passwordless client, and we are going to give it a root URL of www.keycloak.org/app. This keycloak.org/app is provided by keycloak.org, wherein you can test your local realms using this particular website. Here what I'm going to specify is I'm going to provide it my Keycloak URL, which is localhost:8080, and I'm going to specify the realm, and I'm going to specify my client ID. So let's go first here and create a client first. And with this we have a client here, passwordless client, and we have the root URL present here and the valid redirect URLs. With this I'm going to save this. Next, what I'm going to do is I'm going to go to this test application here. I'm going to specify fido2, this is the same realm that we had specified here, and then I'm going to specify passwordless client here, and I'm going to save this thing. Next, what we are going to do is we are going to enable user registration. So for this let's go to the realm settings, and in the Login section we are going to enable user registration. So here we enable it and we say Save. With this we have set up the entire Keycloak with passwordless authentication ready.

So now, next, what we're going to do is we're going to test this. So let's click on Sign In here, and now it's going to ask me for a username or an email. But since we don't have a user, we're going to register one. So let's say we have a user a, with a and a Gmail account, a, with a username as a and password as a and a confirm password as a. With this we are just going to register a dummy user now. Register. Now this is the main part, this is the place where we are going to do the security key registration. So what we are going to do is we are going to click here. Now here it is showing me the default mechanism that is available, that is the browser authentication, through which it's going to actually communicate with my machine right now. So I'm on a Mac machine right now, so that's the reason it is showing me this particular mechanism here. But you can change this also: you can have either doing it via this device, or you could do it via a different device. Now I have a mobile phone also linked to this, so that's the reason I can use it via mobile phone. If you want to do it via mobile phone, what you have to do is, first of all, use a different device, and scan this particular QR code, and then your mobile will be able to do this authentication for you. Now let's go back and let's do it using this device. And I'm going to say Continue now, and I'm going to use my fingerprint, right? So with this I'm using my fingerprint way to do the authentication, and here it is actually asking me for a label to specify what type of authenticator I'm using. So I'm going to say "my laptop". Now we're actually done with the registration.

Let's look at how we can actually log into this. So let's go back to the admin console, and first of all go to Users, View all users, and let's log out from the session first. So let's log out now, refresh this page, and I'm going to sign in back again. Now when I sign in back again, I'm going to add the username a, and I'm going to say Sign In, and now it's going to ask me for the security key. So when I click on this, it immediately asks me for my fingerprint, and in this way you're able to now log in without providing any kind of password. So in this way you can enable passwordless login for a particular user.

Now I showed this authentication wherein we are using my laptop itself to do the authentication, but you may want to do this using a mobile phone. So let's actually do that particular flow. So let's go back here, I'm going to log out of all sessions first, and I'm going to refresh this particular page. Now I'm going to do Sign In, and I'm going to register another user. So I'm going to register this with a2, creating another dummy user here now, and say Register. Now I am going to register the security key, so I'm going to click on Register, and I'm going to say Try another way, and I'm going to say a different device. Now what I'm going to do is I'm going to use my phone here. So now I'm going to actually scan the QR code, so I'm going to click on this and I'm going to say Allow. I have to enable Bluetooth, and it's asking me to authenticate. So with this we were actually right now able to do the authentication using the phone itself. So now I'm going to specify this as "my phone", and now let's actually try to log in. Now I'm going to go to a2, go to Sessions, log out, and let's try to log in using a2 again. So I'm going to say Sign In, a2, and Sign in with security key. So now it's actually telling me that this is the device that is linked, so I will get this particular notification here, and voila! So with this we were able to right now sign in to an application using a passwordless mechanism.

So we saw how we can set up this passwordless authentication on Keycloak. We set up the authenticator on my laptop using the fingerprint, and then also using the fingerprint on my mobile phone. Now I keep on exploring such kinds of things, so make sure you subscribe to this particular channel and give it a thumbs up for more such videos to come. Till then, take care, and see you in my next one.
Info
Channel: Refactor First
Views: 3,330
Keywords: multi-factor authentication, fido passwordless, fido authentication, fido protocol, fido auth, fido2 authentication, fido2 webauthn, passwordless login, keycloak fido2, keyclock login, keycloak, fido2 passwordless, web authentication, webauthn, passwordless, fido2, passwordless authentication, developer, Programming, Coding, Backend Microservices, Microservices Architecture, Software Development, Backend Development, Web security, login and password
Id: VAP4mc6R1Do
Length: 11min 28sec (688 seconds)
Published: Thu Apr 06 2023