[keycloak-dev] Kerberos progress

Marek Posolda mposolda at redhat.com
Tue Feb 17 04:11:29 EST 2015 

For improving SPIs, I think the point where we need to improve is 
pluggable authentication. People should be able to introduce new 
authentication mechanisms without need to change anything in core code 
inside "services" module. Also with possibility to introduce complex 
authentication flow or simplify existing. For example:

* some admins may want to always authenticate with Kerberos ticket 
(never display login screen).

* Some others allow either kerberos or password.

* Some others may want: (kerberos OR password OR facebook) AND totp.

There might be pluggable authentication interceptor, which has access to 
HTTP request/response and can either redirect to send response back or 
continue to other interceptors in chain. ClientSessionModel will have 
list of required "authentication actions" once it's created and those 
are configurable by user. For example there can be actions configured 
like this:
* kerberos sufficient
* password sufficient
* facebook sufficient
* totp          required

for the last case I mentioned. The 
AuthenticationManager.nextActionAfterAuthentication is triggered only if 
ClientSessionModel contains flags that required authentication 
mechanisms were met. Maybe we would need to improve LoginFormsProvider 
to easily allow people to plug their own login screens.

One example from the usecase mentioned in Kerberos JIRA: Some 
applications authenticate against SecureID. Some applications require 
multi factor authentication. Kerberos + SecureID + OTP that is sent to 
Phone or email address

Marek

On 16.2.2015 22:52, Bill Burke wrote:
>
>
> On 2/16/2015 4:34 PM, Marek Posolda wrote:
>> Still thinking whether it's better to use federation SPI or identity
>> broker SPI for kerberos integration. I am finally much more inclined to
>> Federation SPI ;-)
>>
>
> That's why I brought it up before...I wasn't sure what the right SPI 
> to use would be, or if our SPIs needed to improve and be refactored.  
> Maybe the answer is use both??? *shrug*
>
> I don't know if this makes sense, but a kerberos broker would import 
> users from information from the kerberos ticket.  A Kerberos 
> Federation Provider interacts directly with an LDAP server to provide 
> a more complete integration point???  I don't know...just thinking.  I 
> don't know enough about kerberos or how people want to use it with us 
> to make a decision.
>

More information about the keycloak-dev mailing list