Authentication

Authentication SPI

Red Hat Single Sign-On provides an authentication SPI that can be used to create new authentication mechanisms. In this example, we will demonstrate a simple implementation of two-factor authentication that uses Red Hat Single Sign-On and a Telegram bot.

The custom authenticator consists of three components:

Authenticator: The component that requires the user to enter the two-factor authentication code provided via Telegram.
A Required Action: The component that provides an enrollment process to the user. If the user’s Telegram ID is not present in their user profile during the authentication flow, the enrollment process is triggered as required.
The Telegram Service: The component that handles communication with the external Telegram API.

Configuring the plugin and flows

The plugin implementation is telegram-authentication-spi and it can be deployed in several different ways:

By extending the Red Hat Single Sign-On image.
By mounting a volume with the file.
By using a configmap (although this is not recommended as the configmap has a limited size and should be used mainly for storing metadata).
By copying it into the pod (which is ephemeral).
And others ways as well.

the previous step from chapter 2.1.1 workshop is a prerequisite to continue with the setup.

After deployment, follow the steps below:

Open a browser and log in to the Red Hat Single Sign-On administration web console.
Navigate to Authentication, then Flows, select Browser in the drop-down list, and click Copy.

Set the desired name for the new browser authentication flow.

Select Actions, then Add execution of the Browser With Telegram Browser - Conditional OTP.

Select Telegram Authentication. Click Save.

Set Browser With Telegram Browser - Conditional OTP as REQURIED, OTP Form as DISABLED and Telegram Authentication as REQUIRED.

Click Actions of the Telegram Authentication and select Config.

Set an alias and click Save.

Navigate to Authentication → Required Actions. Click Register.

Select Telegram ID in the drop-down list. Click Ok.

Go to Authentication → Bindings. In the Browser Flow drop-down list, select Browser with Telegram. Click Save.

Telegram two-factor authentication with authentication SPI

Open a new private or incognito browser window.
Navigate to the context root of the Quarkus Petclinic application. The request will be redirected to the Red Hat Single Sign-On login page.
Log in as the user angel.

Since this is the first time the user angel logs in since the two-factor authentication has been implemented, the 2FA enrollment process is presented to the user.

Open Telegram and send the enrollment code to the Telegram bot. The bot will respond with the enrollment secure code, submit that secure code.

After completing the enrollment process, the user will be successfully logged in to the application.

The enrollment process (the required action SPI) updates the user profile by adding the Telegram attributes to it. To check it:

Open a browser window and log in to the Red Hat Single Sign-On administration web console.
Navigate to Demo realm, then Users, click View all users and select the angel user ID.

Click Attributes.

We will see the newly added telegram_id and telegram_username attributes of the angel user.

The next login attempts for the same user will require the 2FA code. Let’s try it.

Open a new incognito browser session.
Browse to the context root of the Quarkus Petclinic application. The request will be redirected to the Red Hat Single Sign-On login page.
Login as the user angel. You will be asked for the 2FA code.

The 2FA code will be sent to you via the Telegram bot.

Submit the 2FA code.

You will be logged in to the application successfully.