
We are trying to arrive at a solution for an enterprise app

Different Users have different Authentication Methods

  • User type 1 - Password + Captcha
  • User type 2 - Biometric [not device-based] + Password
  • User type 3 - Biometric [device-based, e.g. on phone] + Password

If we are going for the OpenID protocol, an IDP (e.g. Keycloak) doesn't provide this out of the box.

Our application has to be available on the web and on mobile [Android, iOS].

Customising the login page of the IDP seems very difficult for biometrics [React Native etc.].

My question: Is it good to write a custom login + OIDC provider from scratch, or is there any auth provider that gives the flexibility to have our own login page and still follow the OIDC Auth Code grant flow?

Rory Alsop
  • You can keep biometric authentication separate from oidc. Let the server know that biometric authentication is successful and then only accept auth token from the client. Biometric authentication result should be signed by the verifier otherwise the client can fake success result. – defalt Nov 18 '21 at 14:14
  • Are you saying the capture of the request [bio/creds] can be from the IDP custom page, and it should call an API for authentication, and after success it should issue an authentication code, and with this code we have to get the OIDC token? – Karthik_Rajendiran Dec 03 '21 at 10:09
  • No. Add biometric authentication in your own login page, if it is successful, then redirect user to the IDP. That is, initialise oauth2 only when your service knows that biometric authentication is successful. – defalt Dec 03 '21 at 11:15
  • Then we should have a bespoke authentication service, which again relies on the IDP's page – Karthik_Rajendiran Dec 06 '21 at 09:05
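The design sketched in the comments above (a biometric result that the verifier signs so the client cannot fake it, checked by your own login backend, and only then the OIDC authorization code flow is started) can be expressed as a small backend, as in this added example. It is not code from the question or from Keycloak; it assumes a shared HMAC key between the biometric verifier and the login backend (an asymmetric signature would do the same job without sharing the key), a constructed Keycloak-style authorization endpoint, and in-memory nonce tracking.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
import urllib.parse
from typing import Optional

# Assumption: the biometric verifier and the login backend share this MAC key.
# Constructed value for the example only.
VERIFIER_KEY = b"constructed-verifier-key-for-example-only"
MAX_AGE_SECONDS = 120
_seen_nonces = set()  # replay protection; a database or cache in a real deployment


def _canonical(payload: dict) -> bytes:
    """Stable serialisation so verifier and backend MAC exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def verifier_sign_result(user_id: str, success: bool, now: Optional[float] = None) -> dict:
    """What the biometric verifier hands back: the outcome plus a MAC over it."""
    payload = {
        "sub": user_id,
        "biometric_ok": success,
        "iat": int(now if now is not None else time.time()),
        "nonce": secrets.token_urlsafe(16),
    }
    tag = hmac.new(VERIFIER_KEY, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": tag}


def server_accept_result(result: dict, now: Optional[float] = None) -> bool:
    """Login backend: accept only a fresh, unreplayed, correctly MAC'd success result."""
    payload, tag = result.get("payload", {}), result.get("mac", "")
    expected = hmac.new(VERIFIER_KEY, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False  # tampered with, or fabricated by the client
    if payload.get("biometric_ok") is not True:
        return False  # verifier reported failure
    now = now if now is not None else time.time()
    if not (0 <= now - payload.get("iat", 0) <= MAX_AGE_SECONDS):
        return False  # stale, or timestamp from the future
    if payload["nonce"] in _seen_nonces:
        return False  # replay of an earlier result
    _seen_nonces.add(payload["nonce"])
    return True


def build_authorization_request(issuer: str, client_id: str, redirect_uri: str) -> dict:
    """Start the OIDC authorization code flow with PKCE (S256).

    Returns the redirect URL plus the per-login values (state, code_verifier)
    the backend must keep in the session to validate the callback and redeem the code.
    Assumption: a Keycloak-style endpoint path; in practice read
    authorization_endpoint from the issuer's discovery document.
    """
    state = secrets.token_urlsafe(16)
    code_verifier = secrets.token_urlsafe(48)  # 64 chars, within the 43..128 PKCE range
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    code_challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    url = f"{issuer}/protocol/openid-connect/auth?" + urllib.parse.urlencode(params)
    return {"url": url, "state": state, "code_verifier": code_verifier}


def login(result: dict, issuer: str, client_id: str, redirect_uri: str) -> Optional[dict]:
    """Gate the OIDC redirect on a verified biometric result; None means stay on the login page."""
    if not server_accept_result(result):
        return None
    return build_authorization_request(issuer, client_id, redirect_uri)
```

The point of keeping the biometric step in front of, rather than inside, the IDP is that the IDP's own login page never has to render biometric UI: it only ever sees users whose backend has already decided to start the authorization request. The password factor can then stay with the IDP, and the backend still holds `state` and `code_verifier` to complete the code exchange.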

0 Answers