KEYCLOAK Magic Login Link for Passwordless Authentication | Niko Köbler (@dasniko)

Captions
Hey friends of Keycloak, this is dasniko, and in this video I will show you an easy magic login option by implementing a custom authenticator in Keycloak, so that your users don't have to remember any more passwords in the future. Grab yourself a coffee and then we'll start.

[Music]

Maintaining good passwords is hard; remembering passwords is even harder. What if your users wouldn't have to remember any more passwords, wouldn't have to forget any more passwords, wouldn't have to use any more passwords at all, even on your websites? This might look like this: we have your website, you just enter the user's username or email address, depending, hit enter, and then you get a message: we sent you a login link. Simply go to your mailbox, open the mail which has just been sent, click to sign in, and you're signed in. No password, and even as secure as a password.

So how is this supposed to be, that a passwordless authentication by a link might be more secure, or have the same security, as authentication with a password? Well, basically we're creating a one-time password with each email we're sending to the user's mailbox, and moving the security from the user's knowledge to the user's mailbox.

Let's have a look into the mail again. So this is the mail we sent, the magic link mail, and we have this link: click to sign in. If we switch to the plain text view of this mail, we see the link with all the details. The link basically points to the login actions URL, where the user has to authenticate, and contained in this link is a query parameter like execution, as an identifier for Keycloak itself, and the client ID of course, and there's another query parameter, tab ID. The tab ID and the execution together point the user to the started session, the started authentication session, that the user just created when he entered his username. And there's another query parameter, this is the magic key, and the magic key is the one-time password we're basically creating on the fly when the user enters his username and before sending the mail, and we're storing this magic key in the authentication session of the user. So the authentication session and the magic key are stored together and can only be executed together, so this link can only be executed in the same browser where the authentication has been started. If an attacker has access to your mailbox and copies the link from your mail and tries to execute the link in another browser window, in his own browser window, the attacker won't get access to your account, because the link is only valid in the browser or window where you started the authentication. That's the tab ID and the execution ID, and together with the custom created magic key, which in our case is just a plain UUID, you get an easier authentication login for the user without the user needing to remember any more passwords.

So let's have a look into the code. The code is basically a Keycloak authenticator, and as with every SPI, an authenticator also consists of an authenticator factory and the authenticator implementation itself. So we have the authenticator factory at first; we have the provider ID, the magic link, the custom ID, and there are no more special things in this factory, just the display text and some metadata, but that's nothing special. The whole magic of the magic login happens in the MagicLink authenticator, which is an implementation of the Authenticator interface. So we have the authenticate method, and in the authenticate method all the magic happens about identifying the user and the user's magic link, the magic key we're creating, and finding the stored information. We're starting by looking into the authentication session, into the notes of the authentication session, to see if we find a key in this session. If we find a key, then the magic link has already been created; that's the key in the session. If not, we'll create the magic link and send the magic link; that's what happens at the bottom of this method. And if we find a session key, if the session key is not null, then we try to compare the stored session key with the one from the link the page was requested with; that's the query parameter, the magic key query parameter we put into the link. If it fits, then the user is logged in and we call success; otherwise we call failure. And that's all we have to do.

Of course we have to send the magic link and store the magic link; that's what happens in the sendMagicLink method. We're just creating a UUID, in our case the key itself; we can do this through the KeycloakModelUtils helper class. Then we're storing the created magic key in the authentication session, in the notes of the authentication session, which is valid throughout the whole authentication process. Then we're getting the email template provider to be able to send an email, and this is where some other magic happens with the Keycloak UriBuilder: we're building a URI from the current execution. So this is where the execution and the tab ID query parameters come into the link, with this method called getRefreshExecutionUrl from the context, from the authentication context. Together with this execution URL and our custom magic key query parameter we get the whole link like we have here in our mail: with the magic key, we have the tab ID, the client and the execution query parameter. Using this getRefreshExecutionUrl binds the link to the currently started authentication session, which is only valid in the current browser. So this is why an attacker can't reuse this URL to authenticate himself in a completely different browser; this is not possible with this approach. And then, last but not least, we're creating the mail and sending the mail to the user. You can find all this code, I don't want to go through all this code in detail, you find this code like all my examples in my Keycloak extensions demo repository on GitHub. I put the link down in the description of this video, of course, so you can find it there. And yeah, that's what it basically is: it's creating a link with a custom key, storing it in the authentication session notes, and comparing it when the user clicks on the link requesting the page: if it's the same session, comparing the query parameter with the stored session key, and if yes, the user is authenticated.

And how does this look in the Keycloak authentication flow? Let's go back to the browser and go to our administration UI. Just do a quick reload of the admin UI, sign in again, and then go to Authentication in the menu. I already, of course, created the magic link flow, and basically it's a copy of the default browser flow with some stuff removed that we don't need, and we have this magic link ... oh, this was not intended ... so again: the magic link mail subflow, where there is a username form, no username password form anymore (that's what the default is, but we don't want to have the password form, we just use the regular username form without the password; that one is built in), and we have the magic link authenticator, which is our custom authenticator we just created and deployed to the Keycloak server like all our providers, set to required. And that's basically it, that's the browser flow we have to create, and then we have to bind the flow to the browser flow so that it's executed in the browser when the user wants to sign in.

So: sign in, username, "we mailed you a login link", back to our mailbox, and we have the newly created magic link. Again there's the link, with another execution ID and now tab ID of course, and a newly created magic key, and if we click on the link a new tab will be opened in the same browser and we can log in with this link. So let's try to use this created link in a different browser. Let's go here, the new mail, plain text, copy ... here it is, and then let's open a new private window in the same browser, entering and executing the link, and then we will see an error message; let me translate it to English. Oh no, sorry, it shows an error: Keycloak can't find any cookie to identify the session, and you can't use this link to log in to Keycloak. That's basically all you have to do.

Of course, that's not the only possibility to implement a magic login link. You can also create magic login links for execution in different browsers, but this means a bit more implementation, a bit more writing of code, because you have to create some custom action tokens and create a link with these action tokens, giving a time frame or an expiration time to these links and how often these links may be executed, and all this stuff. But that's a different use case; both use cases are valid depending on your requirements. I showed you a simple option how to use a magic login link which is only valid in the browser where you started the authentication session. Of course this is not the only option how to implement a magic login link; there are examples available in the community where you can also create magic login links which are valid in different browsers, so you can start an authentication in one browser, have the mail sent to your smartphone for example, hit the link on your smartphone, and be authenticated on your smartphone. But this needs a further implementation of other interfaces, for example the action token interface. You have to create custom action tokens, define some timeout, some time to live for these tokens, and how often these tokens may be reused, and all this stuff. And it depends on your use case what you want to achieve: do you want to have a very high security environment where the link is only valid in the same browser where the authentication has been started, or do you want to have a more convenient method how to authenticate the users, how they can interact with the created links? This depends on your use case, but keep in mind: if the link is valid in every browser, not only in the browser where you started the authentication session, then an attacker who has access to your mails can grab the link and execute the link and maybe authenticate as your user.

So hopefully you like this video, and if yes, give me some thumbs up, don't forget to subscribe to my channel here on YouTube so that you don't miss any other of my future videos, and hope to see you again. Bye bye.
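An added example, not the code from the video or from the author's demo repository, of the authenticator the transcript describes, written against Keycloak's authentication SPI. The auth-note name, the query-parameter name, the message key and the two theme template names are assumptions; the constant-time comparison and the removal of the note after a successful click are additions to the plain compare the video describes.

```java
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.email.EmailException;
import org.keycloak.email.EmailTemplateProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.sessions.AuthenticationSessionModel;
import javax.ws.rs.core.UriBuilder; // jakarta.ws.rs.core.UriBuilder on Keycloak 22 and later
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;

public class MagicLinkAuthenticator implements Authenticator {
    static final String NOTE_KEY = "magic-link-key", QUERY_PARAM = "key"; // assumed names
    @Override public void authenticate(AuthenticationFlowContext context) {
        AuthenticationSessionModel authSession = context.getAuthenticationSession();
        String sessionKey = authSession.getAuthNote(NOTE_KEY); // null until a link was sent
        String requestKey = context.getHttpRequest().getUri().getQueryParameters().getFirst(QUERY_PARAM);
        if (sessionKey == null || requestKey == null) {
            if (sessionKey == null) sendMagicLink(context, authSession); // first visit: mint, store, mail
            context.challenge(context.form().createForm("magic-link-sent.ftl")); // assumed theme template
        } else if (MessageDigest.isEqual(sessionKey.getBytes(StandardCharsets.UTF_8), requestKey.getBytes(StandardCharsets.UTF_8))) {
            // Link clicked in the same browser: execution, tab_id and the auth-session cookie selected this session
            authSession.removeAuthNote(NOTE_KEY); // single use: a second click with the same key must fail
            context.success();
        } else {
            context.failure(AuthenticationFlowError.INVALID_CREDENTIALS);
        }
    }
    private void sendMagicLink(AuthenticationFlowContext context, AuthenticationSessionModel authSession) {
        String key = KeycloakModelUtils.generateId(); // a random UUID, as in the video
        authSession.setAuthNote(NOTE_KEY, key); // lives only as long as this authentication session
        // The refresh-execution URL carries client_id, tab_id and execution, which ties the link to this browser
        String link = UriBuilder.fromUri(context.getRefreshExecutionUrl()).queryParam(QUERY_PARAM, key).build().toString();
        try {
            context.getSession().getProvider(EmailTemplateProvider.class).setRealm(context.getRealm())
                   .setUser(context.getUser()).send("magicLinkSubject", "magic-link-email.ftl", Map.<String, Object>of("link", link));
        } catch (EmailException e) {
            context.failure(AuthenticationFlowError.INTERNAL_ERROR);
        }
    }
    @Override public void action(AuthenticationFlowContext context) { authenticate(context); }
    @Override public boolean requiresUser() { return true; } // the username form must have run first
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return u.getEmail() != null; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

Opening the link in another browser fails before this code runs, because Keycloak cannot resolve the authentication session without the cookie, which is the error shown in the video.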
Info
Channel: Niko Köbler (@dasniko) - Keycloak Expert
Views: 5,442
Keywords: keycloak, authentication, auth, oidc, iam, sso, java
Id: 2xN3KOK5Je0
Length: 14min 12sec (852 seconds)
Published: Tue Mar 28 2023