Building a Secure Web Application with Keycloak Authentication and Two-Factor Authentication (TOTP)

This explanation provides an overview of a Python Flask web application that integrates with Keycloak for user authentication and enhances security with Two-Factor Authentication (TOTP). It covers the Python codebase and the HTML pages used for login, TOTP setup, TOTP verification, and logout, and shows how these components work together to form a secure web application.

Code Base 1: Flask Web Application with Security

Code Base 1 is a Python script for a Flask web application that focuses on security and authentication. Here's an overview of its key components:

  • It imports various Python libraries and modules for web development, security, and authentication.
  • The Flask app is configured with settings for session cookies, CORS, and secret keys.
  • SQLAlchemy is used to set up and manage an SQLite database for user data.
  • The code defines routes and view functions for user authentication, including TOTP-based Two-Factor Authentication.
  • It includes utilities for encrypting and decrypting data using AES encryption.
  • Content Security Policy (CSP) is configured to enhance the security of the web application.
  • Token verification functions are used to validate JSON Web Tokens (JWT) from Keycloak.
  • The main block initializes the database, and the Flask app is run with specific settings.

Code Base 2: Login Page

Code Base 2 represents an HTML login page for the web application. Here's a summary:

  • The HTML page provides a basic structure with a loading indicator and an error message (initially hidden).
  • It initializes Keycloak and handles user authentication and redirection based on TOTP setup status.

Code Base 3: TOTP Setup Page

Code Base 3 is an HTML page used for setting up Two-Factor Authentication (TOTP). Here's what it includes:

  • The page displays instructions to scan a QR code with an Authenticator app.
  • It presents a QR code image obtained as a base64-encoded PNG.
  • A form allows users to enter the TOTP code generated by the app for verification.

Code Base 4: TOTP Verification Page

Code Base 4 is an HTML page for verifying Two-Factor Authentication (TOTP). Here's what it does:

  • The page provides a form where users can enter the TOTP code generated by their Authenticator app for verification.

Code Base 5: Logout Page

Code Base 5 represents an HTML logout page for the web application. Here's an overview:

  • It contains a logout button for users who are currently logged in.
  • Keycloak is initialized and handles the logout process when the button is clicked.

Together, these code bases form a secure web application that allows users to log in with Keycloak, set up Two-Factor Authentication (TOTP), verify TOTP codes, and log out securely. This explanation provides students with an understanding of how these components work together to create a secure web application with authentication and security features.
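The TOTP setup and verification pages described above rely on RFC 6238 time-based one-time passwords. As an added example that is not part of the original project (which uses the pyotp library), the following standard-library Python shows what happens behind those pages: generating a secret, building the otpauth:// URI that the setup page encodes as a QR code, and verifying a submitted code with a one-step clock tolerance and replay protection. The function names, the ±1 step window and the "last used counter" bookkeeping are assumptions of this example; the test vectors are the published RFC 6238 SHA-1 vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

STEP_SECONDS = 30  # RFC 6238 default time step, also what Google/Microsoft Authenticator use
DIGITS = 6

# Published RFC 6238 test key ("12345678901234567890" as ASCII), base32-encoded.
RFC6238_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def new_secret_b32() -> str:
    """Fresh 160-bit secret, base32 without padding (the form Authenticator apps expect)."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii").rstrip("=")


def _b32decode(secret_b32: str) -> bytes:
    """Re-add the '=' padding that is conventionally stripped from otpauth secrets."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded, casefold=True)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at_unix: int, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / STEP_SECONDS)."""
    return hotp(_b32decode(secret_b32), at_unix // STEP_SECONDS, digits)


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """otpauth:// URI that a setup page would render as a QR code (hypothetical issuer/account)."""
    label = quote(f"{issuer}:{account}", safe="")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer, safe='')}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def verify_totp(secret_b32: str, submitted: str, at_unix: int,
                last_counter=None, window: int = 1):
    """Check a submitted code against the current step and +/- `window` neighbours.

    Returns (accepted, counter_to_store). Persisting the accepted counter and
    passing it back as `last_counter` on the next attempt rejects a code that is
    replayed while it is still inside the tolerance window (assumed design).
    """
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False, last_counter
    key = _b32decode(secret_b32)
    current = at_unix // STEP_SECONDS
    for candidate in range(current - window, current + window + 1):
        if last_counter is not None and candidate <= last_counter:
            continue  # that step's code was already consumed: treat as replay
        if hmac.compare_digest(hotp(key, candidate), submitted):  # constant-time compare
            return True, candidate
    return False, last_counter


if __name__ == "__main__":
    secret = new_secret_b32()
    print(provisioning_uri(secret, "alice@example.test", "KeycloakQRAuth"))  # hypothetical names
    print("current code:", totp(secret, 1_700_000_000))
```

The comparison uses hmac.compare_digest rather than ==, and the accepted counter is returned so the caller can store it; without that second part, a code captured over the shoulder stays valid for up to 90 seconds even after the legitimate user has used it.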

Install, Configure and Test:

Use Ubuntu 22.04 LTS.

Install 'pip' and the other packages for this application:

sudo apt install python3-pip
pip install requests
pip install pyAesCrypt
pip install PyJWT
pip install flask
pip install flask-login
pip install flask_sqlalchemy
pip install pyotp
pip install qrcode[pil]
pip install flask-talisman
pip install flask-cors

Directories to note or create: /root/, /root/static/, /root/templates/ and /etc/systemd/system/

Now download the Zip file from https://drive.google.com/file/d/14wl54NshYiseLgviuI6_SXyS70yo_QNW/view?usp=sharing

The Zip file has ,

After unzipping, read the PDF to create a 'testclient' client on the Keycloak server; the keycloak.json file is downloaded from there.

After unzipping the file, place keycloak.json, selfsigned.pem and keycloakqrauth.py in the /root/ directory.

* selfsigned.pem is the self-signed certificate used by the Keycloak server at https://172.105.253.137:8443/

Place keycloak.json in the /root, /root/static/ and /root/templates/ directories.

Place all html files in /root/templates/ directory.

Place the keycloakqrauth service file in the /etc/systemd/system/ directory.

Now issue the following Linux commands:

sudo systemctl daemon-reload

systemctl start keycloakqrauth.service

systemctl enable keycloakqrauth.service

systemctl status keycloakqrauth.service

After the application starts, you can monitor the logs in the 'app.log' file created in the /root/ directory. Use 'tail -f app.log' within /root/ to follow the logs live.

Enjoy user web authentication that complies with good security and data privacy!

Note: If a user loses their phone after Google/Microsoft Authenticator registration, as an admin, log in to the application server, go to the /root/instance/ directory and delete that user's TOTP secret with the command echo "UPDATE User SET secret=NULL WHERE name='a4982669-c121-4a30-974a-61cc077819bc';" | sqlite3 users.db

where a4982669-c121-4a30-974a-61cc077819bc is the respective user's account name.
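The same reset can be done from Python instead of piping SQL through echo, which avoids quoting mistakes and lets the admin confirm that exactly one row was touched. The following is an added example, not part of the project's code: the table name User and the columns name and secret come from the command above, while the id column, the in-memory database, the second account name and the placeholder secret values are constructed for the demo (the project encrypts stored data, so real secret values will not look like these).

```python
import sqlite3
from typing import Optional


def open_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for /root/instance/users.db with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE User (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO User (name, secret) VALUES (?, ?)",
        [
            ("a4982669-c121-4a30-974a-61cc077819bc", "PLACEHOLDER-SECRET-1"),  # from the page
            ("0b1c2d3e-0000-4aaa-8bbb-000000000002", "PLACEHOLDER-SECRET-2"),  # constructed
        ],
    )
    conn.commit()
    return conn


def totp_enrolled(conn: sqlite3.Connection, account_name: str) -> Optional[bool]:
    """True if the user has a TOTP secret, False if it is NULL, None if no such user."""
    row = conn.execute("SELECT secret FROM User WHERE name = ?", (account_name,)).fetchone()
    return None if row is None else row[0] is not None


def reset_totp_secret(conn: sqlite3.Connection, account_name: str) -> int:
    """Clear one user's TOTP secret so the app's setup page is shown on next login.

    The account name is bound as a parameter rather than spliced into the SQL text,
    and the affected row count is returned so a mistyped name (0 rows) is noticed
    instead of silently doing nothing.
    """
    cur = conn.execute("UPDATE User SET secret = NULL WHERE name = ?", (account_name,))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = open_demo_db()
    target = "a4982669-c121-4a30-974a-61cc077819bc"
    print("rows reset:", reset_totp_secret(db, target))
    print("still enrolled:", totp_enrolled(db, target))
```

Run against the real file with sqlite3.connect("/root/instance/users.db") in place of the in-memory database; the UPDATE is identical to the one in the note above, only with the name supplied as a bound parameter.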




For Support, support@cybersecuritysolutions.raiseaticket.com
