[keycloak-dev] auth spi design requirements and initial steps

Raghu Prabhala prabhalar at yahoo.com
Mon May 11 10:24:47 EDT 2015


Sorry to jump in but Bill just mentioned a real use case within organizations that utilize a risk engine.

If I typically login from, say, the USA and one day I login from a different country, the risk engine will kick in and, based on a policy defined, it may require me to do additional authentication (otp).

Similarly there could be a set of blacklisted IP addresses which may necessitate no access at all or in some cases require multiple authentication steps. The bottom line is that a risk engine will determine the authentication steps based on a number of factors, including a policy defined for each client app on what is acceptable under what conditions.

Sent from my iPhone

> On May 11, 2015, at 10:09 AM, Bill Burke <bburke at redhat.com> wrote:
> 
> 
> 
>> On 5/11/2015 9:44 AM, Stian Thorgersen wrote:
>> 
>> 
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke at redhat.com>
>>> To: keycloak-dev at lists.jboss.org
>>> Sent: Monday, 11 May, 2015 3:29:13 PM
>>> Subject: [keycloak-dev] auth spi design requirements and initial steps
>>> 
>>> Some generic requirements that will affect the design.
>>> 
>>> 1. Authenticator should be able to be optional per user. i.e. OTP can be
>>> optionally set up by the user
>>> 2. Multiple authenticators should be resolvable per form. i.e. password,
>>> terms and conditions, captcha, and otp could be entered in on one page.
>>> 3. Non form based authenticators should be able to bypass any screens if
>>> they are the only authenticators. i.e. CLIENT_CERT and KERBEROS.
>>> 4. Authenticators need to be able to send challenges after initial
>>> request, i.e. Kerberos
>>> 5. Clients should be able to specify which Authenticators they require
>>> 6. You should be able to attach policies to an Authenticator which
>>> allows you to do things like, don't do OTP if you are coming from IP
>>> address where you last logged in.
>> 
>> Bypassing OTP shouldn't be based on IP. Instead when you do OTP there should be an option to not ask for OTP next time, which sets a cookie. The reasoning behind this is:
>> 
>> 1. It's how Google does it ;)
>> 2. IP addresses for most users are dynamic, and also often shared
>> 3. The user should choose not to use OTP next time. This is important as the user could be logging in from a public machine, a friend's machine, etc.
> 
> IP Address can be used to find the user's location.  I noticed that 
> World of Warcraft does this.  i.e. I didn't have to enter OTP at home, 
> but I did when I traveled (same laptop used).
> 
> I forgot another one:
> 
> - Authenticators should be able to add headers to responses i.e. to set 
> a cookie
> 
> 
> 
> -- 
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
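The following is an added illustration of the policy discussed in this thread, not code from Keycloak or from any of the posters: a client-specific policy decides which authenticators run (requirements 1, 5 and 6), a blocklisted source is denied outright, and OTP is skipped only for a device the user chose to remember via a cookie, which a country change still overrides (Bill's travel case). The `ClientPolicy`, `UserState`, `GEOIP` and `BLOCKED_IPS` shapes and values are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
import secrets

# Constructed sample data standing in for a GeoIP database and an IP blocklist.
GEOIP = {"198.51.100.7": "US", "192.0.2.44": "US", "203.0.113.9": "DE"}
BLOCKED_IPS = {"203.0.113.66"}

@dataclass
class ClientPolicy:
    """Per-client acceptance policy (hypothetical shape, not Keycloak's)."""
    required: tuple = ("password",)            # authenticators this client always demands
    otp_on_country_change: bool = True         # risk rule attached to the OTP authenticator
    trusted_device_ttl: timedelta = timedelta(days=30)

@dataclass
class UserState:
    otp_configured: bool                       # OTP is optional per user (requirement 1)
    last_login_country: Optional[str] = None
    trusted_devices: dict = field(default_factory=dict)   # cookie value -> time issued

def remember_device(user, now):
    """User opted out of OTP on this device: mint a cookie value and record it."""
    cookie = secrets.token_urlsafe(16)
    user.trusted_devices[cookie] = now
    return cookie

def resolve_steps(client, user, ip, device_cookie=None, now=None):
    """Return the ordered authenticators to run, or None to deny access outright."""
    now = now or datetime.now(timezone.utc)
    if ip in BLOCKED_IPS:
        return None
    steps = list(client.required)
    # Nothing more to decide if the client always demands OTP or the user never set it up.
    if not user.otp_configured or "otp" in steps:
        return steps
    country = GEOIP.get(ip)
    country_changed = (client.otp_on_country_change and country is not None
                       and user.last_login_country is not None
                       and country != user.last_login_country)
    issued = user.trusted_devices.get(device_cookie)
    device_trusted = issued is not None and now - issued < client.trusted_device_ttl
    # Skip OTP only for a remembered device that has not moved to another country.
    if not (device_trusted and not country_changed):
        steps.append("otp")
    return steps
```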
