[keycloak-dev] auth spi design requirements and initial steps

[Bill Burke]

On 5/11/2015 9:44 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Monday, 11 May, 2015 3:29:13 PM
>> Subject: [keycloak-dev] auth spi design requirements and initial steps
>>
>> Some generic requirements that will effect the design.
>>
>> 1. Authenticator should be able to be optional per user. i.e. OTP can be
>> optionally set up by the user
>> 2. Multiple authenticators should be resolvable per form. i.e. password,
>> terms and conditions, captcha, and otp could be entered in on one page.
>> 3. Non form based authenticators should be able to bypass any screens if
>> they are the only authenticators. i.e. CLIENT_CERT and KERBEROS.
>> 4. Autheticators need to be able to send challenges after initial
>> request, i.e. Kerberos
>> 5. Clients should be able to specify which Authenticators they require
>> 6. You should be able to attach policies to an Authenticator which
>> allows you to do things like, don't do OTP if you are coming from IP
>> address where you last logged in.
>
> Bypassing OTP shouldn't be based on IP. Instead when you do OTP there should be an option to not ask for OTP next time, which sets a cookie. Reasoning behind this is:
>
> 1. It's how Google does it ;)
> 2. IP address for most users are dynamic, and also often shared
> 3. User should choose not to use OTP next time. This is important as user could be login from a public machine, a friends machine, etc.
>

IP Address can be used to find the user's location.  I noticed that 
World of Warcraft does this.  i.e. I didn't have to enter OTP at home, 
but I did when I traveled (same laptop used).

I forgot another one:

- Authenticators should be able to add headers to responses i.e. to set 
a cookie



-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com