Expanding VivoKey Spark's usage to the broader web

Looks like you haven’t allowed redirections to that site (a security feature to prevent attackers from stealing the token by redirecting to their site).
So in your Keycloak you’ll find a redirection URI somewhere (I think in the client settings) and you should check that the value there matches redirect_uri from the request.
Not too familiar with Keycloak, but you’ll find it.
Idk if it’s just https://domain or you need the path or only the domain, play with it and you’ll figure it out…
To test it you can put a * there, but you need to figure this out, * is insecure.
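As an added illustration of the redirect_uri check this reply describes (example code written for this thread, not part of Keycloak or VivoKey), the function below does what a provider or Keycloak client registration should do: accept only an exact, pre-registered https URI. The second function is the wildcard/prefix style shortcut the reply warns against, included to show what it lets through. All URIs are constructed placeholders.

```python
"""Exact-match redirect_uri validation versus a wildcard-style prefix check.

The registered URI and the hostnames below are constructed for this example;
they are not real VivoKey or Keycloak values.
"""
from urllib.parse import urlsplit

# Constructed registration: the single redirect URI this client registered.
REGISTERED_REDIRECT_URIS = {
    "https://sso.example.org/realms/demo/broker/vivokey/endpoint",
}


def redirect_uri_allowed(requested: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """Return True only when `requested` is exactly one of the registered URIs.

    Before the set lookup, anything that is not an absolute https URL, or that
    carries a fragment, is rejected outright: an authorization code must never
    be sent over plain http, and fragments are not meaningful in a redirect.
    """
    parts = urlsplit(requested)
    if parts.scheme != "https" or not parts.netloc or parts.fragment:
        return False
    return requested in registered


def naive_prefix_allowed(requested: str, trusted_origin="https://sso.example.org") -> bool:
    """The '*'-style shortcut: accept anything that merely starts with the trusted origin.

    This is the insecure variant. It accepts a host such as
    sso.example.org.attacker.example, so the token would be delivered there.
    """
    return requested.startswith(trusted_origin)


if __name__ == "__main__":
    probes = [
        "https://sso.example.org/realms/demo/broker/vivokey/endpoint",
        "https://sso.example.org.attacker.example/realms/demo/broker/vivokey/endpoint",
        "http://sso.example.org/realms/demo/broker/vivokey/endpoint",
    ]
    for uri in probes:
        print(f"{uri}\n  exact: {redirect_uri_allowed(uri)}  prefix: {naive_prefix_allowed(uri)}")
```

Run it and compare the two columns: the exact check accepts only the registered URI, while the prefix check also accepts the look-alike host, which is exactly the redirect-based token theft the reply mentions.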

I’m not entirely sure what you mean by that. I actually do not control the URI for the OIDC redirection URL. For example, when configuring Vivokey as an Identity Provider, it provides the redirection URL.

The redirect URI is then entered into the Custom Application section in the VivoKey app as the Redirect URL. Then the ID and Secret are loaded up into Keycloak.

All endpoint values were configured automatically by https://api.vivokey.com/openid/.well-known/openid-configuration.

You can generate a valid OIDC request using the openidconnect.net playground to test out VivoKey OIDC. Create a custom app in the VivoKey app with callback to https://openidconnect.net/callback, fill in the OIDC Client ID and OIDC Client Secret, use https://api.vivokey.com/openid/.well-known/openid-configuration as Discovery Document URL, and you should be presented with the VivoKey login.
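The playground step above does three things under the hood: it reads the discovery document, builds the authorization request, and checks the callback. The following is an added example of that relying-party side written for this thread (not the playground's, Keycloak's or VivoKey's code). The discovery document is a constructed stand-in with the same shape as a real openid-configuration; its URLs are placeholders, not VivoKey's endpoints, and the client id and redirect URI are likewise made up.

```python
"""Minimal OIDC relying-party steps: discovery, authorization request, callback check.

The discovery document below is constructed for this example and mirrors the
field names of a real .well-known/openid-configuration; the URLs are placeholders.
"""
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

DISCOVERY_JSON = """{
  "issuer": "https://idp.example.test/openid",
  "authorization_endpoint": "https://idp.example.test/openid/authorize",
  "token_endpoint": "https://idp.example.test/openid/token",
  "jwks_uri": "https://idp.example.test/openid/jwks",
  "response_types_supported": ["code"],
  "code_challenge_methods_supported": ["S256"]
}"""

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def load_discovery(doc: str) -> dict:
    """Parse a discovery document and refuse one that lacks the endpoints we need
    or whose issuer is not https (the issuer is later compared against id_token iss)."""
    cfg = json.loads(doc)
    missing = [k for k in REQUIRED_KEYS if k not in cfg]
    if missing:
        raise ValueError(f"discovery document missing {missing}")
    if not cfg["issuer"].startswith("https://"):
        raise ValueError("issuer must be https")
    return cfg


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge per RFC 7636: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_auth_request(cfg: dict, client_id: str, redirect_uri: str,
                       scope: str = "openid profile email"):
    """Return the authorization URL plus the per-login session values the
    relying party must keep (state, nonce, code_verifier) to check the callback."""
    state = secrets.token_urlsafe(32)        # binds callback to this browser session
    nonce = secrets.token_urlsafe(32)        # must reappear inside the id_token
    verifier = secrets.token_urlsafe(64)     # PKCE: proves the code exchange comes from us
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    url = cfg["authorization_endpoint"] + "?" + urlencode(params)
    session = {"state": state, "nonce": nonce, "code_verifier": verifier,
               "redirect_uri": redirect_uri}
    return url, session


def parse_callback(callback_url: str, session: dict) -> str:
    """Validate the provider's redirect back to us and return the authorization code.

    A provider error is surfaced, and a state mismatch is rejected: without that
    check a link crafted by someone else could log the victim into the attacker's account.
    """
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise RuntimeError(f"provider returned error: {query['error'][0]}")
    if query.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: callback does not belong to this session")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


if __name__ == "__main__":
    cfg = load_discovery(DISCOVERY_JSON)
    url, sess = build_auth_request(cfg, "constructed-client-id", "https://rp.example.test/callback")
    print("send the browser to:", url)
    # Constructed callback, as the provider would redirect it back to us.
    cb = f"https://rp.example.test/callback?code=constructed-code&state={sess['state']}"
    print("authorization code:", parse_callback(cb, sess))
```

The code verifier kept in `session` is what the relying party sends in the subsequent token request together with the code, and the stored nonce is compared against the `nonce` claim of the returned ID token; both steps are outside this snippet.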

FACEPALM :man_facepalming:

Changing the OIDC callback URL in the Vivokey app also changes the ID (but not the secret). I had the wrong ID in Keycloak. Once updated, I was just able to validate a request from Keycloak to Vivokey. Hooray!

Now I’m moving on to streamlining the Keycloak login to always default redirect to OIDC, and then I will begin integrating Google with it.

2 Likes

Hi
Very interesting.

Can Vivokey managers provide a detailed guide to set it up?

What should you do if you have a private non paid google account for private apps, and a separate paid google business account, for work needs?

1 Like

This kind of integration only works for Google Workspace accounts. It will not work for a personal gmail.com account. I have always had a personal custom email account that I have used for work, freelancing, etc. I eventually moved it over to Google Workspace so I could use Gmail, and having drive and everything else was a nice benefit, especially for about $8/month.

If you have a web domain that you use for personal/fun stuff, and are holding on to it, I recommend setting up a single user Google Workspace and migrating over to it. Access to drive, gmail, and everything else Google. Plus, I often use mine to sign in to other websites, using the Sign in with Google button (which I am now forwarding to my VivoKey)

Well, this is pretty sick! I got the whole thing working.

I am now using my VivoKey Spark to cryptographically authenticate to all Google services. Any website that has a sign in with Google button is now accessible through my VivoKey.

I’m stoked to use this more! To my knowledge, nobody has done this before with their Spark (or at least, documented it and posted it) and it majorly opens the door to use my implant for its intended purpose!

I will be writing up a detailed how-to guide soon, as well as testing other services than Keycloak (Jumpcloud/Okta/Auth0 developer tiers) This will all be posted in the VivoKey Forum, probably not the Dangerous Things forum we are on now. If you have a VivoKey Spark, you should definitely set up your profile and check out the forum! - https://members.vivokey.com/ (you can use your Vivokey to sign in/register for the forum :wink: )

22 Likes

This is legendary.
This will be the solution until all sites have provider-independent passwordless login, or VivoKey forks every service there is.
Amazing work, I’m super tempted to buy a Spark now… you’ve increased its value a LOOOT.

On the other hand, google is now actually tracking you with a microchip…

6 Likes

Nice work!

Let me just ping our software lead @fraggersparks

Okay just thinking loud how to automate that for users.
Couldn’t VivoKey make a “Company” on Google where we’re all separate users? Can it be set up so we “don’t see each other”?
Then we could all have a user@vivokey.com email for Sign in with Google… paying our monthly fees for the google account.

Could you migrate existing accounts to that? Can you maybe add existing emails as main email on those Google accounts?

I think this is something that should be evaluated. I ordered a Spark test card, I wanna set this up as well.


The other option would be making the setup much easier.
I guess your post in the VK forum will be extremely helpful, but I guess with a Docker image and like a setup script that talks to VK for setup it would be a lot easier. Even not very technical people can get a Digital Ocean droplet and run a guided install script.

Since this probably stays the exact same process for the Apex this is probably now one of the top use cases of implants, it should be as easy as possible.

2 Likes

I have been thinking about this, and I do think there’s some value in having a few managed services helping biohackers get more out of their stuff. I am going to be exploring this idea once I write up a tutorial and such.

VivoKey as a company wouldn’t even need to do this; platforms like Google Workspace, Dropbox, etc. usually have “tenant” functions, basically separated out. It would be pretty possible to build out a semi-managed service offering these kinds of things for a monthly fee, and the overhead is incredibly minimal.

I am looking into other options than just Keycloak. Plenty of people can set up a digital ocean instance, get a DNS registry, and run a container, but not everybody. For maximum accessibility, I would like to have the option for users to be able to use this stuff without having to know any of the hosting-level skillsets. This is why I am looking into Auth0 and Okta, as these platforms all have free developer tiers, and you won’t have to worry about paying a bill, registering a domain, handling TLS, etc.

I think it’s really fun to have these kind of projects and do selfhosting, and I think the usage of open source software and running services yourself is pivotal to the (bio)hacker mindset. However, on the flip side, it is too easy to hack together some project that lives for a few months, maybe a year. When it comes to the very core of my digital identity, and the authentication/authorization into that space, I want something more infallible; longevity is incredibly important. (also, you don’t want to get locked out of every account in the world because you forgot to renew a domain or something)

Also thinking out loud, the VivoKey Connect API recently added Key/Value services. I haven’t looked at it much, but from my understanding, you could build an entire platform around not just authenticating access, but also encrypting every user’s data with the user’s keys. Obviously this would be pretty custom built, or at the bare minimum, require some wrapping/sidecar development. I could see a Hashicorp Vault-like that encrypts all of your personal data at rest, using your own keys. This would be user-specific, and I believe would also allow a user to completely disconnect a third party service from having access to their data, since it is individually encrypted.

3 Likes

Who’s developed the app for the Vivokey? In all of my testing I have generated a lot of requests, and have documented some really buggy behavior.

For instance, it constantly decides to not accept the chip tap, and instead, opens my profile page (even though I have set the chip settings to do nothing on scan).

It’s getting incredibly annoying, and honestly breaks all the time. The app has some serious issues with interacting with the chip vs the phone just picking it up as a tag.

3 Likes

You probably need to speak to @fraggersparks and @RyuuzakiJulio

May I ask whether it is Android or iOS?
I have the same problems with an iPhone XS, iOS 14.8. I haven’t changed any settings. Everything is at factory settings.

Vault? You mean Ansible Vault surely. :innocent:

Actually I find it interesting that you can tell a bit about people’s backgrounds by the comparisons that they make.

No, I meant what I said; Hashicorp Vault - https://www.vaultproject.io/

Ansible, and Ansible Vault really do not have any relevancy to what I am referring to.

Man, no sense of humour…

Hashicorp Vault and Ansible Vault provide very similar functionality. The only real difference is that Hashicorp Vault has an API. Nike developed Cerberus with a very similar idea in mind.

My real point was that Vault as a name is unfortunately used by too many people for similar products (Vivokey vault). (Cerberus/Kerberos is another similar problem).

Hello Pips.

I see you are having some issues with an app. And would like more information about your experience with the app on your device.

If you are referring to the iOS VivoKey app.
I created the iOS side VivoKey app.

What do you mean by “generated a lot of requests”?
Do you mean API calls to the server? Or submitted crash or bug reports somewhere (i.e. Apple)?

You have documented some buggy behavior.
Where can we see this documented behavior?

“It decides not to accept the chip tap” Who makes this decision? The app decides to deny a chip scan? Does it cancel as in a time-out? Or does the device decide to reject an NFC scan?

“and instead, opens my profile page” So is it accepting the NFC Scan? What do you mean by “decides not to accept the chip tap”? What takes you to a profile page? The device? The app?

“Breaks all the time” what exactly is breaking, the interface, is it a full on crash, colors? knowing exactly what and when it happens would help to find a possible reason and a solution.

“serious issues with interacting with the chip” Can you specify what these issues with the NFC scan interaction are and when they occur?

“vs the phone just picking it up as a tag” How does the phone pick it up as a tag? Does your phone’s VivoKey App identify the NFC chip as something other than a tag?

I’m very curious what your experiences with the app are.
I would also like to know what device model you are using the VivoKey App on.

Look forward to your answers.
Ryuuzaki

2 Likes

I moved this to DMs, check my message for my full bug report. Thanks!

Windows Hello aims to eliminate the need for passwords after it is set.
I have never researched it in depth enough, but it has options that make use of the chips.
After a few basic settings, you can see how I am logging in to my Facebook account, or Gmail account. After reading the chip, it confirms to Windows Hello to enter a saved password.

It works on Edge, I do have some paid MS work account.
I didn’t manage to set up the sync option yet.

edited:

From superficial reading, it may be possible to enable Windows Hello functions in Chrome.

1 Like

Hello is just a WebAuthN capable platform authenticator.

It doesn’t “enter a saved password”. It actually very nicely does a few things that make it near impossible to clone. As this isn’t an Apex thread I won’t touch on our WebAuthN capabilities, but can you show us how you use your Spark to do so?