# Meeting 2020 09 05

[[_TOC_]]

## Keycloak MFA reset discussion

- Strongly encourage users to keep their TOTP device safe
- Encourage users to add a second TOTP device
- Keycloak doesn't offer backup tokens, so we might have to play support for users who lose their device
- Make an issue for adding a warning about this to the theme somewhere
- Make a new Keycloak flow: https://i.imgur.com/pJEAKOR.png

## User forgot their MFA flow

- For internal users: send a GPG-signed mail
- For external users: case-by-case basis

## Keycloak Testing

- https://gitlab.archlinux.org/archlinux/infrastructure/-/merge_requests/41
- After merging !41, we also need to add a conditional WebAuthn form before allowing a password reset, in case any WebAuthn devices are registered.

## Open questions

- Can we force Staff/External to set up EITHER TOTP or WebAuthn (their choice), or can we only force one specific method?

## Keycloak issues

- The Keycloak API cannot cleanly delete recursive (nested) flow structures, which leads to having to clean them up in PostgreSQL manually - make a ticket upstream
- [Reset credentials Flow does not delete existing OTP](https://issues.redhat.com/browse/KEYCLOAK-14640)
- Keycloak allows removing [all OTP providers](https://issues.redhat.com/browse/KEYCLOAK-14296)
- [WebAuthn can only be selected after clicking "try another"](https://issues.redhat.com/browse/KEYCLOAK-14676)

## Document 2FA

* Where do we document how Arch Staff should configure their 2FA (and strongly recommend setting up a backup 2FA device)?

## Fixing Keycloak DB

Run against the Keycloak PostgreSQL database after taking a dump. This removes every custom (non built-in) authentication flow and every identity provider; make sure the realm's flow bindings (browser, reset credentials, ...) point at built-in flows again before running it, otherwise the realm references a flow that no longer exists.

```sql
begin;
-- custom flows: first drop executions that nest them as sub-flows, then their own executions, then the flows themselves
delete from authentication_execution e using authentication_flow f where f.built_in=false and e.auth_flow_id=f.id;
delete from authentication_execution e using authentication_flow f where f.built_in=false and e.flow_id=f.id;
delete from authentication_flow f where f.built_in=false;
-- identity providers: child config rows first, so the foreign key to identity_provider is satisfied
delete from identity_provider_config;
delete from identity_provider;
commit;
```

## MFA bypass

### Problem

The way Keycloak evaluates alternative executions requires a fallthrough execution that can always be fulfilled. Putting a NOP execution like "Refresh Browser" at the very end of the alternatives means it is itself interpreted as a valid alternative that fulfils the step, so it can be selected on login right away, bypassing the TOTP or WebAuthn prompt.

This shortcoming can also be exploited without multiple MFA providers configured. The only difference when multiple MFA providers are configured is that the Keycloak login page shows a link for selecting another provider. The alternative fallthrough execution (Refresh Browser) can still be selected even when no such link is shown, through a direct URL call, again bypassing MFA.

### Workaround

The only thing that currently enforces MFA properly is to define it globally as a REQUIRED execution, which means MFA is always enforced for everyone, even arbitrary users who are neither staff nor "external contributors".

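To check a realm's flow for this problem without clicking through the admin console, the following audit script was added to these notes as an example; it is not code from the Arch Linux infrastructure repository or from Keycloak. It works on the flat execution list the admin REST API returns for `GET /admin/realms/{realm}/authentication/flows/{alias}/executions` (fields `id`, `displayName`, `providerId`, `requirement`, `level`, `index`, `authenticationFlow`), rebuilds the sub-flow tree from `level`, and reports any ALTERNATIVE sibling of an MFA authenticator, since any one alternative satisfies the group. It also checks the workaround condition (an MFA authenticator that is REQUIRED with only REQUIRED ancestors). The three flows at the bottom are constructed samples; the `providerId` given to the "Refresh Browser" NOP step is a placeholder, not a verified Keycloak id.

```python
"""Audit a Keycloak flow for the ALTERNATIVE-fallthrough MFA bypass.

Added example for these notes, not Arch Linux infrastructure or Keycloak code.
Input: the flat list from GET /admin/realms/{realm}/authentication/flows/{alias}/executions.
The sample flows below are constructed; "refresh-browser-placeholder" is a made-up providerId.
"""
from collections import defaultdict

# Authenticators that actually prove possession of a second factor.
MFA_PROVIDERS = {"auth-otp-form", "webauthn-authenticator"}


def parent_map(executions):
    """Map execution id -> id of its parent sub-flow (None at top level).

    Keycloak lists executions depth-first, so the parent of an entry at
    level n is the most recent sub-flow seen at level n-1.
    """
    parents, last_flow_at_level = {}, {}
    for ex in executions:
        level = ex["level"]
        parents[ex["id"]] = last_flow_at_level.get(level - 1)
        if ex.get("authenticationFlow"):
            last_flow_at_level[level] = ex["id"]
            # forget deeper sub-flows that belonged to an earlier sibling
            for deeper in [lv for lv in last_flow_at_level if lv > level]:
                del last_flow_at_level[deeper]
    return parents


def find_bypass_alternatives(executions):
    """Names of executions a user can pick instead of TOTP/WebAuthn.

    A group of sibling executions marked ALTERNATIVE is satisfied as soon as
    any one of them succeeds.  If such a group mixes an MFA authenticator with
    anything else (a NOP step like "Refresh Browser", or a sub-flow), that
    other entry is a selectable path that skips MFA, link shown or not.
    """
    parents = parent_map(executions)
    siblings = defaultdict(list)
    for ex in executions:
        siblings[parents[ex["id"]]].append(ex)
    findings = []
    for group in siblings.values():
        alts = [e for e in group if e["requirement"] == "ALTERNATIVE"]
        if any(e.get("providerId") in MFA_PROVIDERS for e in alts):
            findings += [e["displayName"] for e in alts if e.get("providerId") not in MFA_PROVIDERS]
    return findings


def mfa_enforced_for_everyone(executions):
    """True when an MFA authenticator is REQUIRED and every enclosing sub-flow is REQUIRED.

    This is the workaround from the notes: a CONDITIONAL or ALTERNATIVE
    ancestor makes the step optional for at least some users.
    """
    parents = parent_map(executions)
    by_id = {e["id"]: e for e in executions}
    for ex in executions:
        if ex.get("providerId") in MFA_PROVIDERS and ex["requirement"] == "REQUIRED":
            parent = parents[ex["id"]]
            while parent is not None and by_id[parent]["requirement"] == "REQUIRED":
                parent = parents[parent]
            if parent is None:
                return True
    return False


def _ex(id_, name, provider, requirement, level, index, flow=False):
    """Build one execution entry in the shape of the admin API response."""
    return {"id": id_, "displayName": name, "providerId": provider, "requirement": requirement,
            "level": level, "index": index, "authenticationFlow": flow}


# Constructed sample 1: the custom flow from the notes, NOP fallthrough as third alternative.
VULNERABLE_FLOW = [
    _ex("e1", "Username Password Form", "auth-username-password-form", "REQUIRED", 0, 0),
    _ex("f1", "Second factor", None, "REQUIRED", 0, 1, flow=True),
    _ex("e2", "OTP Form", "auth-otp-form", "ALTERNATIVE", 1, 0),
    _ex("e3", "WebAuthn Authenticator", "webauthn-authenticator", "ALTERNATIVE", 1, 1),
    _ex("e4", "Refresh Browser", "refresh-browser-placeholder", "ALTERNATIVE", 1, 2),
]

# Constructed sample 2: stock conditional-OTP shape; only enforced for users who enrolled.
CONDITIONAL_FLOW = [
    _ex("e1", "Username Password Form", "auth-username-password-form", "REQUIRED", 0, 0),
    _ex("f1", "Conditional OTP", None, "CONDITIONAL", 0, 1, flow=True),
    _ex("e2", "Condition - user configured", "conditional-user-configured", "REQUIRED", 1, 0),
    _ex("e3", "OTP Form", "auth-otp-form", "REQUIRED", 1, 1),
]

# Constructed sample 3: the workaround, OTP as a globally REQUIRED execution.
ENFORCED_FLOW = [
    _ex("e1", "Username Password Form", "auth-username-password-form", "REQUIRED", 0, 0),
    _ex("e2", "OTP Form", "auth-otp-form", "REQUIRED", 0, 1),
]

if __name__ == "__main__":
    for name, flow in [("vulnerable", VULNERABLE_FLOW), ("conditional", CONDITIONAL_FLOW),
                       ("enforced", ENFORCED_FLOW)]:
        print(name, "bypass via:", find_bypass_alternatives(flow),
              "| enforced for everyone:", mfa_enforced_for_everyone(flow))
```

On the vulnerable sample the audit names "Refresh Browser" as the bypass path; the conditional sample has no bypass but is not enforced for everyone either, which is exactly the trade-off the workaround describes.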
### References

https://issues.redhat.com/browse/KEYCLOAK-15414