Meeting 2020 09 05
Keycloak MFA reset discussion
- Strongly encourage users to keep their TOTP device safe
- Encourage users to add a second TOTP device
- Keycloak doesn't offer backup tokens so we might have to play support for users
- Make issue for adding to theme somewhere to warn users
- Make new Keycloak flow: https://i.imgur.com/pJEAKOR.png
User forgot their MFA flow:
- For internal users: Send gpg signed mail
- For external users: Case-by-case basis
Keycloak Testing
- After merging !41 (merged), we also need to add a conditional WebAuthn form before allowing a password reset, in case any WebAuthn devices are registered.
Open questions
- Can we force Staff/External to setup EITHER of TOTP or Webauthn or can we just force one of those?
Keycloak issues
- The Keycloak API cannot cleanly delete recursive (nested sub-flow) flow structures, which leads to having to clean them up in PostgreSQL manually - make a ticket upstream
- Reset Credentials flow does not delete existing OTP
- Keycloak allows removing all OTP providers
- WebAuthn can only be selected after clicking "try another" https://issues.redhat.com/browse/KEYCLOAK-14676
Document 2FA
- Where do we document how Arch Staff should configure their 2FA (and really recommend setting up a backup 2FA device)?
Fixing Keycloak DB
-- PostgreSQL cleanup for flows the API could not delete cleanly (see "Keycloak issues").
-- Only custom (non built-in) flows are touched; built_in=false keeps Keycloak's own flows intact.
-- 1. Remove executions that reference a custom flow as their sub-flow target.
delete from authentication_execution e using authentication_flow f where f.built_in=false and e.auth_flow_id=f.id;
-- 2. Remove executions that belong to a custom flow.
delete from authentication_execution e using authentication_flow f where f.built_in=false and e.flow_id=f.id;
-- 3. Now the custom flows themselves can be dropped.
delete from authentication_flow f where f.built_in=false;
-- Also wipe identity providers and their config.
delete from identity_provider;
delete from identity_provider_config;
MFA bypass
Problem
The way Keycloak handles alternative executions requires a fallthrough action that is always fulfilled. Using a NOP execution like "Refresh Browser" at the very end of the sub-flow means it is also interpreted as a valid alternative that fulfils the sub-flow, and hence can be selected on login right away to bypass entering a TOTP or WebAuthn credential.
This shortcoming can also be exploited without having multiple MFA providers configured. The only difference in Keycloak when multiple MFA providers exist is that the login page shows a link to select another provider. The alternative fallthrough provider (Refresh Browser) can still be selected even when no link is shown, through a direct URL call, again bypassing MFA.
Workaround
The only thing that currently would properly enforce MFA would be to define it globally as a required execution, which means MFA will always be enforced for everyone, even arbitrary users that are neither staff nor "external contributors".
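The following is an added example (not part of the meeting notes or of Keycloak itself) that turns the Problem and Workaround sections into a small audit: it inspects the direct children of an MFA sub-flow, as listed by the Keycloak admin API for a flow's executions, flags the misconfiguration where a non-authenticating ALTERNATIVE execution such as "Refresh Browser" can satisfy the sub-flow, and produces the hardened variant from the Workaround (one MFA execution REQUIRED, everything else DISABLED). The sample execution list, the exact field subset (displayName, requirement) and the set of display names treated as MFA or no-op executions are assumptions to be adapted to the realm's real flow.

```python
from typing import Dict, List

# Display names of executions that actually verify a second factor
# (assumed names; check them against the realm's flow in the admin console).
MFA_EXECUTIONS = {"OTP Form", "WebAuthn Authenticator"}

# Executions that fulfil an ALTERNATIVE slot without authenticating anything.
# "Refresh Browser" is the one named in the notes; extend as needed.
NOOP_EXECUTIONS = {"Refresh Browser"}

# Constructed sample: direct children of the MFA sub-flow, in the shape the
# admin API returns for a flow's executions (only displayName and requirement
# are used here). This is the vulnerable layout described above.
VULNERABLE_SUBFLOW: List[Dict[str, str]] = [
    {"displayName": "OTP Form", "requirement": "ALTERNATIVE"},
    {"displayName": "WebAuthn Authenticator", "requirement": "ALTERNATIVE"},
    {"displayName": "Refresh Browser", "requirement": "ALTERNATIVE"},
]


def audit_mfa_subflow(executions: List[Dict[str, str]]) -> List[str]:
    """Return human-readable findings for one sub-flow's sibling executions."""
    findings: List[str] = []
    has_required_mfa = any(
        e["displayName"] in MFA_EXECUTIONS and e["requirement"] == "REQUIRED"
        for e in executions
    )
    has_enabled_mfa = any(
        e["displayName"] in MFA_EXECUTIONS
        and e["requirement"] in ("REQUIRED", "ALTERNATIVE")
        for e in executions
    )
    if not has_enabled_mfa:
        findings.append("no enabled MFA execution in sub-flow")
    for e in executions:
        # Without a REQUIRED MFA step, any ALTERNATIVE no-op execution is a
        # complete bypass: selecting it (via link or direct URL) satisfies the
        # sub-flow without presenting TOTP or WebAuthn.
        if (
            e["requirement"] == "ALTERNATIVE"
            and e["displayName"] in NOOP_EXECUTIONS
            and not has_required_mfa
        ):
            findings.append(
                f'"{e["displayName"]}" is ALTERNATIVE and fulfils the sub-flow '
                "without a second factor (MFA bypass)"
            )
    return findings


def harden_mfa_subflow(
    executions: List[Dict[str, str]], keep: str = "OTP Form"
) -> List[Dict[str, str]]:
    """Copy of the sub-flow implementing the Workaround: the chosen MFA
    execution becomes REQUIRED and every other sibling is DISABLED.
    Mixing REQUIRED with ALTERNATIVE siblings at one level is not meaningful
    in Keycloak (the alternatives are ignored), so they are disabled outright."""
    hardened: List[Dict[str, str]] = []
    for e in executions:
        copy = dict(e)
        copy["requirement"] = "REQUIRED" if e["displayName"] == keep else "DISABLED"
        hardened.append(copy)
    return hardened


if __name__ == "__main__":
    for finding in audit_mfa_subflow(VULNERABLE_SUBFLOW):
        print("FINDING:", finding)
    fixed = harden_mfa_subflow(VULNERABLE_SUBFLOW)
    print("after hardening:", audit_mfa_subflow(fixed) or "no findings")
```

Feeding the script the output of the admin API's executions listing for the realm's browser flow (filtered to one sub-flow's children) gives a quick regression check after every flow edit; the hardened layout is exactly the global REQUIRED execution the notes identify as the only reliable enforcement, with the cost that the step applies to every user of that flow.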