Replies: 1 comment 5 replies
The only question I have is if we want to configure the mapping at the realm level too. Wouldn't it be better from a UX perspective if we could avoid admins having to manually map ACR to authentication flows and resolve the flow based on the LoA set to a conditional authenticator and the LoA-ACR mapping set to the RP? Going a bit further (if it makes sense), I'm also wondering if we want to choose an authentication flow based on the scopes being requested. If so, perhaps we should try to create a mechanism that is generic enough to use any parameter as an input to map to the authentication flow and an ACR. @mposolda Something client policies can do, perhaps?
Description

I work for MITRE and one of my projects has the requirement for applications to request particular authentication flows when authenticating users and subsequently make authorization decisions based on the flow completed. To accomplish this, we developed a reference implementation to map Authentication Context Class Reference (ACR) values in OIDC authorization requests to authentication flows. We are interested in pushing this code back up to the community for general use.

Keycloak currently provides the ability to use the ACR claim to perform step-up authentication, allowing applications to request stronger authentication in particular situations. However, this is hierarchical and limited to performing additional authentication steps within the same flow. In some cases, an organization may require users to perform entirely different flows based on the resources they are accessing.

Implementation

The implementation has 3 primary pieces:

Mapping ACR Values to Flows

The configuration of this mapping is straightforward. A new section was added to the Advanced Settings section of the Advanced client configuration tab. Administrators can configure mappings from ACR values to authentication flows.

When a request to the OAuth authorization endpoint is received, Keycloak will check if any of the specified ACR values are configured in this mapping; if one is found, it will set the flow ID in a session note indicating that the flow was requested.

Update the Authentication Flow Resolver

The authentication flow resolver will be updated to check the session note indicating a flow was requested. If it was, it will attempt to load that flow and will return the requested flow to the authentication processor. If a flow was not requested by the client, Keycloak will resolve the flow as it currently does, first checking if the client has a flow override, and then defaulting to the realm flow.

Upon completing a flow, Keycloak will set a user session note specifying the flow that was completed.

ACR Protocol Mapper

A new ACR to auth flow protocol mapper will be needed to populate the ACR claim. This mapper will check the user session note for a completed flow ID. It will then search through the ACR to auth flow map configured for the client and determine the first ACR value that matches this flow ID. It will then set the ACR claim in the token to this value.

Interaction with the existing ACR step-up mechanism

Keycloak already implements a mapping from ACR values to level of authentication (LoA) to perform step-up authentication. This alternative mapping seamlessly integrates with the existing implementation.

If no ACR to auth flow mapping is configured on the client, the existing ACR to LoA mapping will work exactly the same. If an ACR to auth flow mapping is configured, Keycloak will first check if the requested ACR values are configured in the auth flow mapping. If there is a match, Keycloak will set the associated flow ID as requested and will route the user to that flow during authentication (and no requested LoA will be set in the session notes). If there is not a match, it will fall back to the existing behavior for LoA.
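As an added illustration of the three pieces described in the post above (the request-time ACR lookup with its fallback to the existing LoA mapping, the resolver order of requested flow, client override, then realm default, and the protocol mapper's reverse lookup from completed flow to the first configured ACR value), here is a small Python model of that logic. It is not Keycloak code and not the MITRE reference implementation; the class names, the session-note names, the "fail closed on a missing flow" choice, the "highest mapped LoA" simplification in the fallback and the sample client configuration are all assumptions made for this example.

```python
# Added example, not Keycloak code: a model of the proposed ACR-to-authentication-flow
# mapping. Class names, note names and sample values are assumptions for illustration.
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Client:
    client_id: str
    # Proposed per-client mapping: ACR value -> authentication flow id.
    # Dict insertion order models the order the administrator configured the entries in.
    acr_to_flow: dict[str, str] = field(default_factory=dict)
    # Existing step-up mapping: ACR value -> level of authentication (LoA).
    acr_to_loa: dict[str, int] = field(default_factory=dict)
    # Existing per-client flow override (None means "use the realm flow").
    flow_override: str | None = None


@dataclass
class Realm:
    browser_flow: str   # realm default flow id
    flows: set[str]     # ids of the flows that exist in the realm


REQUESTED_FLOW_NOTE = "REQUESTED_AUTH_FLOW_ID"   # assumed auth-session note name
REQUESTED_LOA_NOTE = "REQUESTED_LOA"             # assumed auth-session note name
COMPLETED_FLOW_NOTE = "COMPLETED_AUTH_FLOW_ID"   # assumed user-session note name


def handle_authorization_request(client: Client, acr_values: list[str], auth_session: dict) -> str | None:
    """Authorization-endpoint step. The first requested ACR value (in request order) that
    has a flow mapping is recorded as the requested flow, and no LoA note is written.
    Otherwise fall back to the existing LoA behaviour; this model keeps the highest mapped
    LoA, which is a simplification. Returns the requested flow id or None."""
    for acr in acr_values:
        flow_id = client.acr_to_flow.get(acr)
        if flow_id is not None:
            auth_session[REQUESTED_FLOW_NOTE] = flow_id
            return flow_id
    loas = [client.acr_to_loa[a] for a in acr_values if a in client.acr_to_loa]
    if loas:
        auth_session[REQUESTED_LOA_NOTE] = max(loas)
    return None


def resolve_flow(realm: Realm, client: Client, auth_session: dict) -> str:
    """Flow resolver: requested flow first, then client override, then realm default.
    A requested flow that does not exist fails closed instead of silently falling back
    to the default flow (a choice made in this model)."""
    requested = auth_session.get(REQUESTED_FLOW_NOTE)
    if requested is not None:
        if requested not in realm.flows:
            raise LookupError(f"requested flow {requested!r} does not exist in realm")
        return requested
    if client.flow_override is not None:
        return client.flow_override
    return realm.browser_flow


def record_completed_flow(user_session: dict, flow_id: str) -> None:
    """Called when a flow finishes: remember which flow the user actually completed."""
    user_session[COMPLETED_FLOW_NOTE] = flow_id


def acr_claim_value(client: Client, user_session: dict) -> str | None:
    """Protocol-mapper step: map the completed flow back to the first ACR value configured
    for it. Returns None when no flow was recorded or none of the mappings match, leaving
    the claim to the existing LoA-based mapper."""
    flow_id = user_session.get(COMPLETED_FLOW_NOTE)
    if flow_id is None:
        return None
    for acr, mapped_flow in client.acr_to_flow.items():
        if mapped_flow == flow_id:
            return acr
    return None


def login(realm: Realm, client: Client, acr_values: list[str]) -> tuple[str, str | None, dict]:
    """End-to-end walk-through: returns (flow run, ACR claim issued, auth-session notes)."""
    auth_session: dict = {}
    user_session: dict = {}
    handle_authorization_request(client, acr_values, auth_session)
    flow_id = resolve_flow(realm, client, auth_session)
    record_completed_flow(user_session, flow_id)
    return flow_id, acr_claim_value(client, user_session), auth_session


# Constructed sample configuration (not taken from the discussion).
SAMPLE_REALM = Realm(browser_flow="browser", flows={"browser", "browser-pki", "browser-otp"})
SAMPLE_CLIENT = Client(
    client_id="records-app",
    acr_to_flow={"urn:example:pki": "browser-pki", "urn:example:pki-legacy": "browser-pki"},
    acr_to_loa={"silver": 1, "gold": 2},
)

if __name__ == "__main__":
    print(login(SAMPLE_REALM, SAMPLE_CLIENT, ["gold", "urn:example:pki"]))
    print(login(SAMPLE_REALM, SAMPLE_CLIENT, ["gold"]))
```

Two points worth noticing when reading the model: a request carrying both a LoA-mapped ACR ("gold") and a flow-mapped ACR ("urn:example:pki") takes the flow path and writes no LoA note, matching the precedence the post describes, and a flow reachable through two ACR values always reports the first one configured, so the order of the mapping entries is part of the security configuration rather than cosmetic.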