Authentication Extensions

Authentication SPI

Red Hat Single Sign-On (RH-SSO) provides an Authentication SPI that can be used to implement custom authentication mechanisms. In this example, we will demonstrate a simple two-factor authentication (2FA) flow using RH-SSO and a Telegram bot.

The custom authenticator consists of three components:

Authenticator: Prompts the user to enter the 2FA code provided via Telegram.
Required Action: Provides an enrollment process if the user’s Telegram ID is not present in their profile.
Telegram Service: Handles communication with the external Telegram API.

Configuring Plugins and Authentication Flows

The plugin implementation telegram-authentication-spi can be deployed in several ways:

Extending the RH-SSO image.
Mounting a volume with the plugin file.
Using a configmap (recommended only for metadata).
Copying the plugin into the pod (ephemeral).
Other methods.

Steps to configure the authentication flow:

Open the RH-SSO administration web console.
Navigate to Authentication → Flows.
Select Browser in the drop-down list and click Copy.

Provide a name for the new browser flow.

Click Actions → Add execution. Select Browser With Telegram Browser - Conditional OTP.

Choose Telegram Authentication and click Save.

Configure the execution:
Browser With Telegram Browser - Conditional OTP → REQUIRED
OTP Form → DISABLED
Telegram Authentication → REQUIRED

Click Actions → Config on Telegram Authentication. Set an alias and click Save.

Navigate to Authentication → Required Actions → Register.
Select Telegram ID in the drop-down list. Click Ok.

Bind the new flow:
Navigate to Authentication → Bindings.
Select Browser with Telegram in the Browser Flow drop-down list.
Click Save.

Two-Factor Authentication with Telegram

Open a new private/incognito browser session.
Navigate to the Quarkus Petclinic application. You will be redirected to the RH-SSO login page.
Log in as user angel.