RHBK NeuroFace Biometric Flow
Red Hat Build of Keycloak with biometric facial recognition authentication via NeuroFace
RHBK 26.0
Keycloak SPI
Facial 2FA
OpenShift
Red Hat Build of Keycloak with biometric facial recognition authentication via NeuroFace
Quick demo of the delegated creation and 2FA facial recognition flow with RHBK and NeuroFace
Full walkthrough of the NeuroFace webapp: training, recognition, and model configuration
Admin creates users in Keycloak. On first login, users enroll their face via webcam β 3 to 5 captures from different angles sent to NeuroFace for model training.
After password login, users verify their identity through facial recognition. The SPI calls NeuroFace /api/recognize and matches against the enrolled profile.
One helm install deploys both RHBK and NeuroFace in the same namespace with pre-configured realm, clients, flows, and roles.
βββββββββββββββββββββββββββββββββββ ββββββββββββββββββββββββββββββββββββ β RHBK (Keycloak 26 - UBI9) β β NeuroFace Backend (FastAPI) β β β β β β βββββββββββββββββββββββββββββ β β POST /api/images β enrollmentβ β β Biometric SPI (JAR) β β β POST /api/train β training β β β ββββΌββββββΌββΊPOST /api/recognize β verify β β β β’ BiometricAuthenticator β β β GET /api/health β health β β β (2FA facial login) β β β GET /api/labels β labels β β β β β β β β β β’ BiometricEnrollment β β ββββββββββββββββββββββββββββββββββββ β β (delegated registration)β β β βββββββββββββββββββββββββββββ β ββββββββββββββββββββββββββββββββββββ β β β NeuroFace Frontend (Angular 17) β β Realm: neuroface β β β Protected by OIDC client β β Client: neuroface-app β β "neuroface-app" β β Flow: biometric browser β ββββββββββββββββββββββββββββββββββββ β Flow: biometric registration β βββββββββββββββββββββββββββββββββββ
NeuroFace is a facial recognition webapp built with FastAPI and Angular 17, containerized with Red Hat UBI9 certified images. It provides the ML backend that powers the biometric authentication.
| Endpoint | Method | Usage |
|---|---|---|
/api/health | GET | Health check before biometric operations |
/api/images | POST | Upload facial images during enrollment (multipart) |
/api/train | POST | Train the recognition model after enrollment |
/api/recognize | POST | Verify facial identity during 2FA login |
/api/labels | GET | List registered biometric labels |
KC Admin βββΊ Creates user βββΊ Assigns Required Action "Biometric Enrollment"
β
βΌ
User logs in with
temporary credentials
β
βΌ
Webcam: captures 3-5 images
from different angles
β
βΌ
SPI β POST /api/images (label=username)
SPI β POST /api/train
β
βΌ
biometric_enrolled = true
User joins group "biometric-enrolled"
User βββΊ Login page βββΊ username + password
β
βΌ
Biometric verification (2FA)
Webcam captures facial image
β
βΌ
SPI β POST /api/recognize { "image": base64 }
β
βΌ
label == username AND
confidence >= threshold?
β β
YES NO
βΌ βΌ
Access Access
granted denied
helm repo add rhbk-neuroface https://maximilianopizarro.github.io/rhbk-biometric-flow/
helm repo update
helm install rhbk-neuroface rhbk-neuroface/rhbk-neuroface \
-n neuroface --create-namespace \
--set admin.password=changemegit clone https://github.com/maximilianoPizarro/rhbk-biometric-flow.git
cd rhbk-biometric-flow
helm dependency update helm/rhbk-neuroface
helm install rhbk-neuroface ./helm/rhbk-neuroface \
-n neuroface --create-namespace \
--set admin.password=changeme| Parameter | Default | Description |
|---|---|---|
rhbk.image.repository | registry.redhat.io/rhbk/keycloak-rhel9 | RHBK image |
rhbk.image.tag | 26.0 | Image tag |
rhbk.replicas | 1 | Replicas |
rhbk.resources.limits.cpu | 1 | CPU limit |
rhbk.resources.limits.memory | 1Gi | Memory limit |
| Parameter | Default | Description |
|---|---|---|
admin.username | admin | Bootstrap admin user |
admin.password | admin | Bootstrap admin password |
realm.name | neuroface | Realm name |
realm.displayName | NeuroFace Biometric | Display name |
| Parameter | Default | Description |
|---|---|---|
biometric.confidenceThreshold | 65.0 | Minimum confidence (0-100) |
biometric.maxEnrollmentImages | 5 | Max enrollment images |
biometric.webcamWidth | 640 | Webcam width (px) |
biometric.webcamHeight | 480 | Webcam height (px) |
| Parameter | Default | Description |
|---|---|---|
spi.image.repository | quay.io/maximilianopizarro/rhbk-neuroface-spi | SPI image |
spi.image.tag | latest | Tag |
| Parameter | Default | Description |
|---|---|---|
neuroface.enabled | true | Deploy NeuroFace subchart |
neuroface.backend.image.tag | latest | Backend image tag |
neuroface.backend.replicas | 1 | Backend replicas |
neuroface.backend.aiModel | lbph | AI model (lbph / dlib) |
neuroface.frontend.image.tag | latest | Frontend image tag |
neuroface.frontend.replicas | 1 | Frontend replicas |
neuroface.chat.enabled | true | Enable AI chat feature |
neuroface.persistence.enabled | true | Enable persistent storage |
neuroface.persistence.size | 1Gi | PVC size |
neuroface.route.enabled | true | Create NeuroFace Route |
| Parameter | Default | Description |
|---|---|---|
route.enabled | true | Create RHBK OpenShift Route |
route.tls.termination | edge | TLS termination |
service.type | ClusterIP | Service type |
service.httpPort | 8080 | HTTP port |
service.port | 8443 | HTTPS port |
| Component | Details |
|---|---|
| Clients | neuroface-app (public, PKCE S256), neuroface-backend (bearer-only) |
| Browser Flow | biometric browser β cookie OR (password + facial 2FA) |
| Registration Flow | biometric registration β delegated creation |
| Required Action | biometric-enrollment β facial enrollment on first login |
| Roles | biometric-user, biometric-admin |
| Group | biometric-enrolled β auto-assigned after enrollment |
| Provider | Type | ID | Description |
|---|---|---|---|
| BiometricAuthenticator | Authenticator | biometric-authenticator | 2FA via NeuroFace /api/recognize |
| BiometricEnrollment | Required Action | biometric-enrollment | Multi-image facial enrollment |
| NeuroFaceClient | Internal | β | HTTP client for NeuroFace REST API |