[keycloak-dev] Kerberos progress

Marek Posolda mposolda at redhat.com
Wed Feb 11 14:29:54 EST 2015


I've already pushed an initial version of the Kerberos broker. It uses the existing 
brokering mechanism from Pedro and allows users to log in to KC with a 
SPNEGO/Kerberos token. There are still things I need to address (more 
testing + automated testing, credentials delegation etc).

I have a question about automatic Kerberos login without displaying the 
login form. Browsers support this very well - when the server returns a 
response with status 401, the header "WWW-Authenticate: Negotiate" and HTML 
with the login page, browsers are able to handle it and:

* In case the user has a Kerberos ticket, the browser will send it back in an 
additional HTTP request with "Authorization: Negotiate <ticket>". In 
this case the login form is not displayed to the user

* In case the user doesn't have a Kerberos ticket, the browser just displays the HTML 
with the login form

You can try https://saml.redhat.com/idp/ to see what I mean.

JBoss Negotiation supports this, so I believe we should address it too.


I have some ideas about how to do it:

1) Configure a default broker on the server side per realm. If used, the login 
request will automatically redirect to the configured broker. It may also be 
possible to override the default broker per client?

2) Add an on/off switch to the broker configuration to specify whether it should be 
the default or not

3) Leverage the existing "k_idp_hint" parameter. I am thinking about adding an 
option "idp_hint" to AdapterConfig. In case it's configured, the adapter 
will use it to attach the "k_idp_hint" parameter to the login request. This 
will allow per-application configuration and no changes on the auth-server 
side, but all applications will need to use it in their adapter 
configuration.

4) Don't configure anything, but hard-code that Kerberos will always be 
used by default if configured. Basically add a new method "boolean 
isDefault()" to the IdentityProvider interface. It will return "true" for the 
Kerberos impl and "false" for the other broker types we currently have.

I like (1) or (2) most. Thoughts?

Marek
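The 401/Negotiate exchange described in the message above, as an added Python example (not Keycloak's own code, which is Java): it builds the challenge response that carries "WWW-Authenticate: Negotiate" together with the HTML login form as the fallback body, and on the browser's retry it parses the "Authorization: Negotiate" header just far enough to tell whether a SPNEGO or raw Kerberos token was sent before handing it to a GSS library. The function names, the placeholder form and the sample tokens are constructed for this example; the actual ticket validation is assumed to be done by a GSS-API library and is not shown.

```python
import base64

# DER encodings of the well-known GSS-API mechanism OIDs that a Kerberos-only
# broker is willing to pass on to the GSS library.
SPNEGO_OID_DER = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID_DER = bytes.fromhex("06092a864886f71201020202")  # 1.2.840.113554.1.2.2
# Raw NTLM messages also arrive under the Negotiate scheme from some browsers;
# a Kerberos broker must not treat them as a ticket.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

# Placeholder login page (constructed); the real broker renders its own form.
LOGIN_FORM_HTML = '<html><body><form method="post" action="/login">' \
                  '<input name="username"><input name="password" type="password">' \
                  '<button>Log in</button></form></body></html>'


def negotiate_challenge():
    """Response that invites the browser to retry with a ticket. A browser that
    has one resends the request with Authorization: Negotiate <token>; one that
    does not simply renders the HTML body, i.e. the ordinary login form."""
    headers = {"WWW-Authenticate": "Negotiate", "Content-Type": "text/html"}
    return 401, headers, LOGIN_FORM_HTML


def _after_der_length(data, pos):
    """Index just past the DER length field starting at pos, or None if truncated."""
    if pos >= len(data):
        return None
    first = data[pos]
    if first < 0x80:                      # short form: one byte
        return pos + 1
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or pos + 1 + n > len(data):
        return None
    return pos + 1 + n


def classify_token(token: bytes) -> str:
    """Look at the header of a Negotiate token: GSS-API initial context tokens are
    [APPLICATION 0] (0x60), a DER length, then the mechanism OID."""
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    if not token or token[0] != 0x60:
        return "malformed"
    pos = _after_der_length(token, 1)
    if pos is None:
        return "malformed"
    rest = token[pos:]
    if rest.startswith(SPNEGO_OID_DER):
        return "spnego"
    if rest.startswith(KRB5_OID_DER):
        return "krb5"
    return "unknown"


def handle_request(headers: dict):
    """Decide what to do with one request; returns (action, detail)."""
    auth = headers.get("Authorization")
    if auth is None:
        status, _hdrs, _body = negotiate_challenge()
        return "challenge", status
    scheme, _, encoded = auth.partition(" ")
    if scheme.lower() != "negotiate" or not encoded.strip():
        return "reject", "unsupported scheme"
    try:
        token = base64.b64decode(encoded.strip(), validate=True)
    except ValueError:                    # binascii.Error is a ValueError subclass
        return "reject", "bad base64"
    kind = classify_token(token)
    if kind in ("spnego", "krb5"):
        # Hand the token to the GSS-API library here (assumption: e.g. python-gssapi);
        # only its accept_sec_context result establishes the user's identity.
        return "authenticate", kind
    return "reject", kind


def constructed_token(mech_oid_der: bytes) -> bytes:
    """Build a minimal, constructed token header: only the mechanism OID is inspected."""
    inner = mech_oid_der + b"\xa0\x00"
    return b"\x60" + bytes([len(inner)]) + inner


if __name__ == "__main__":
    print(handle_request({}))
    spnego = base64.b64encode(constructed_token(SPNEGO_OID_DER)).decode()
    print(handle_request({"Authorization": "Negotiate " + spnego}))
```

The classification is deliberately shallow: it decides which requests get the 401 challenge, which get refused outright, and which are worth the cost of a GSS call, but it never establishes identity on its own.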
