[keycloak-dev] Kerberos progress

Stian Thorgersen stian at redhat.com
Tue Feb 17 08:01:21 EST 2015 

I reckon we'll have to improve SPIs for KC 2.0 in either case, so it's not so important to get it perfect this time around IMO.

Authentication/brokering/federation SPIs will be the most important to get right for KC 2.0. We need them to not to be to complex, but yet flexible and powerful enough.

----- Original Message -----
> From: "Marek Posolda" <mposolda at redhat.com>
> To: "Bill Burke" <bburke at redhat.com>, keycloak-dev at lists.jboss.org
> Sent: Tuesday, February 17, 2015 10:11:29 AM
> Subject: Re: [keycloak-dev] Kerberos progress
> 
> For improving SPIs, I think the point where we need to improve is
> pluggable authentication. People should be able to introduce new
> authentication mechanisms without need to change anything in core code
> inside "services" module. Also with possibility to introduce complex
> authentication flow or simplify existing. For example:
> 
> * some admins may want to always authenticate with Kerberos ticket
> (never display login screen).
> 
> * Some others allow either kerberos or password.
> 
> * Some others may want: (kerberos OR password OR facebook) AND totp.
> 
> There might be pluggable authentication interceptor, which has access to
> HTTP request/response and can either redirect to send response back or
> continue to other interceptors in chain. ClientSessionModel will have
> list of required "authentication actions" once it's created and those
> are configurable by user. For example there can be actions configured
> like this:
> * kerberos sufficient
> * password sufficient
> * facebook sufficient
> * totp          required
> 
> for the last case I mentioned. The
> AuthenticationManager.nextActionAfterAuthentication is triggered only if
> ClientSessionModel contains flags that required authentication
> mechanisms were met. Maybe we would need to improve LoginFormsProvider
> to easily allow people to plug their own login screens.
> 
> One example from the usecase mentioned in Kerberos JIRA: Some
> applications authenticate against SecureID. Some applications require
> multi factor authentication. Kerberos + SecureID + OTP that is sent to
> Phone or email address
> 
> Marek
> 
> On 16.2.2015 22:52, Bill Burke wrote:
> >
> >
> > On 2/16/2015 4:34 PM, Marek Posolda wrote:
> >> Still thinking whether it's better to use federation SPI or identity
> >> broker SPI for kerberos integration. I am finally much more inclined to
> >> Federation SPI ;-)
> >>
> >
> > That's why I brought it up before...I wasn't sure what the right SPI
> > to use would be, or if our SPIs needed to improve and be refactored.
> > Maybe the answer is use both??? *shrug*
> >
> > I don't know if this makes sense, but a kerberos broker would import
> > users from information from the kerberos ticket.  A Kerberos
> > Federation Provider interacts directly with an LDAP server to provide
> > a more complete integration point???  I don't know...just thinking.  I
> > don't know enough about kerberos or how people want to use it with us
> > to make a decision.
> >
> 
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

More information about the keycloak-dev mailing list