[feature]: TOTP-Based Secure Action Token for Sensitive API Operations #1

Open
chornthorn opened this issue Nov 14, 2024 · 0 comments
Assignees
Labels
enhancement New feature or request security

Comments

@chornthorn
Owner

chornthorn commented Nov 14, 2024

Description

Enhance our existing Keycloak extension by adding a TOTP-based secure action token system. This new feature will provide an additional layer of security for sensitive API operations, particularly for payment processes, protecting against unauthorized access and potential security breaches.

Key Requirements

  • Integrate TOTP-based authentication for sensitive actions
  • Add functionality to generate short-lived, single-use tokens for specific sensitive actions post-TOTP verification
  • Implement new REST endpoints in our extension for TOTP verification and action token generation
  • Maintain compatibility with existing features

Implementation Steps

  • Implement TOTP-integrated token generation and storage mechanism
  • Add new REST endpoints for TOTP verification and action token issuance
  • Develop TOTP and token validation logic with security checks
  • Integrate new features with existing custom authenticators and required actions
  • Add configuration options for TOTP features in Keycloak admin console
  • Implement error handling for expired or invalid TOTP/tokens

Expected Outcome

An enhanced version of our Keycloak extension that includes a robust, TOTP-based security system for sensitive operations, seamlessly integrated with our existing functionality.

Demo

The following sequence diagram demonstrates how the new TOTP-based secure action token system will integrate with our existing Keycloak extension:

```mermaid
sequenceDiagram
    participant User
    participant MobileApp
    participant API
    participant Database
    participant PaymentProcessor

    User->>MobileApp: Initiates payment
    MobileApp->>User: Prompts for TOTP
    User->>MobileApp: Enters TOTP
    MobileApp->>API: Sends TOTP for verification
    API->>Database: Validates TOTP
    Database-->>API: TOTP valid
    API->>Database: Generates & stores action token
    API-->>MobileApp: Returns action token
    MobileApp->>API: Sends payment request with action token
    API->>Database: Verifies action token
    alt Token Valid
        Database-->>API: Token verified
        API->>Database: Marks token as used
        API->>PaymentProcessor: Processes payment
        PaymentProcessor-->>API: Payment result
        API-->>MobileApp: Payment success
        MobileApp->>User: Displays success message
    else Token Invalid or Expired
        Database-->>API: Token invalid
        API-->>MobileApp: Payment rejected
        MobileApp->>User: Displays error, prompts for re-authentication
    end
```
@chornthorn chornthorn added the enhancement New feature or request label Nov 14, 2024
@chornthorn chornthorn self-assigned this Nov 14, 2024
@chornthorn chornthorn changed the title [feature]: Implement TOTP-Based Secure Action Token System for Sensitive API Operations [feature]: TOTP-Based Secure Action Token System for Sensitive API Operations Nov 14, 2024
@chornthorn chornthorn changed the title [feature]: TOTP-Based Secure Action Token System for Sensitive API Operations [feature]: TOTP-Based Secure Action Token for Sensitive API Operations Nov 14, 2024
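The flow in the issue's diagram, as an added reference model written for this page (it is not code from the extension, from Keycloak, or from the issue author, and it is in Python rather than the extension's Java so that it runs stand-alone). It covers the three checks the diagram relies on: TOTP verification that refuses a replayed code, issuance of a random short-lived token that is stored only as a hash and bound to one user and one action, and a consume step that burns the token before the sensitive operation runs. Assumptions: RFC 6238 defaults (30-second step, 6 digits, HMAC-SHA1), a one-step drift window, a 60-second token lifetime, an in-memory dict standing in for the database, an injected clock for testability, and a constructed user `alice` with the RFC 4226 test secret.

```python
"""Reference model of a TOTP-gated, single-use action token for a sensitive API
operation such as a payment. Added example for this page: not Keycloak code and
not the extension's code. Assumptions: RFC 6238 defaults (30 s step, 6 digits,
HMAC-SHA1), a +/-1 step drift window, a 60 s token lifetime, an in-memory store
in place of the database, and an injected clock so the flow can be tested.
"""
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

TOTP_STEP = 30           # seconds per TOTP counter step
TOTP_DIGITS = 6
TOTP_WINDOW = 1          # accept counter-1 .. counter+1 to tolerate clock drift
ACTION_TOKEN_TTL = 60    # seconds an issued action token stays valid


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_at(secret: bytes, now: float) -> str:
    """RFC 6238 TOTP for the time step containing `now` (Unix seconds)."""
    return hotp(secret, int(now) // TOTP_STEP)


@dataclass
class ActionToken:
    user_id: str
    action: str
    expires_at: float
    used: bool = False


@dataclass
class ActionTokenService:
    clock: Callable[[], float] = time.time
    # highest TOTP counter already accepted per user, so a captured code cannot be replayed
    last_counter: Dict[str, int] = field(default_factory=dict)
    # sha256(token) -> ActionToken; only the hash is stored, as with a password
    tokens: Dict[str, ActionToken] = field(default_factory=dict)

    def verify_totp(self, user_id: str, secret: bytes, code: str) -> bool:
        """Accept `code` if it matches a counter inside the drift window that is newer
        than any counter this user has already consumed. Comparison is constant-time."""
        now_counter = int(self.clock()) // TOTP_STEP
        for counter in range(now_counter - TOTP_WINDOW, now_counter + TOTP_WINDOW + 1):
            if counter <= self.last_counter.get(user_id, -1):
                continue  # already used (or older than a used one): reject replay
            if hmac.compare_digest(hotp(secret, counter), code):
                self.last_counter[user_id] = counter
                return True
        return False

    def issue_action_token(self, user_id: str, action: str) -> str:
        """Mint a random, short-lived, single-use token bound to one user and one action.
        Only call this after verify_totp() returned True for the same user."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[digest] = ActionToken(user_id, action, self.clock() + ACTION_TOKEN_TTL)
        return token

    def consume_action_token(self, user_id: str, action: str, token: str) -> bool:
        """Validate and burn the token in one step. Returns False for an unknown, expired,
        already-used or mis-bound token without saying which, and only marks the token
        used when every check passed."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.get(digest)
        if entry is None or entry.used or self.clock() > entry.expires_at:
            return False
        if entry.user_id != user_id or entry.action != action:
            return False
        entry.used = True  # burn before the payment so a retry cannot pay twice
        return True


def pay(svc: ActionTokenService, user_id: str, secret: bytes, code: str, amount: int) -> str:
    """End-to-end flow from the diagram: TOTP -> action token -> payment request."""
    if not svc.verify_totp(user_id, secret, code):
        return "totp_rejected"
    token = svc.issue_action_token(user_id, "payment")
    # The client would send `token` back with its payment request; modelled inline here.
    if not svc.consume_action_token(user_id, "payment", token):
        return "token_rejected"
    return f"paid {amount}"


if __name__ == "__main__":
    secret = b"12345678901234567890"        # RFC 4226 test secret (constructed demo value)
    svc = ActionTokenService(clock=lambda: 59.0)  # fixed clock: T=59 gives code 287082
    print(pay(svc, "alice", secret, totp_at(secret, 59.0), 100))  # paid 100
    print(pay(svc, "alice", secret, totp_at(secret, 59.0), 100))  # totp_rejected (replay)
```

Two points the model makes visible that the diagram leaves implicit: the token is bound to the user and the action at issue time, so a token minted for a payment cannot be spent on a different endpoint, and `consume_action_token` sets `used` before the payment processor is called. In a real database the "not used, not expired, mark used" step needs to be one atomic conditional update, otherwise two concurrent requests carrying the same token can both pass the check.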