[keycloak-dev] Identity Broker login flow

Bill Burke bburke at redhat.com
Mon Nov 23 09:07:34 EST 2015



On 11/23/2015 2:54 AM, Marek Posolda wrote:
> On 20/11/15 18:46, Dane Barentine wrote:
>> I can look at the IdentityProvider Mapper and see. As you said it's a workaround though and now requires me to create a mapper and an authenticator to handle both types of authentication.
>>
>> Regarding this: "Isn't it the more proper option for your usecase to use OTP on the second server side instead?"
>>
>> In a lot of cases it would probably be more proper. But it's not always practical as we don't always control the IDPs. So the use case for OTP is if we are using an IDP that either doesn't support, or the team that is running it doesn't want to support, something like OTP but we still want to require it when logging in through Keycloak. The other use case is when we are making authentication/authorization decisions based on some other sort of risk assessment or user required action. This may involve using services or code that we will never be able to plug into an IDP. In those cases a post broker login flow would allow us to add on a consistent layer across all the brokered IDPs regardless of what they can technically support.
> You can use requiredAction SPI after broker authentication. That is
> triggered after each authentication (classic or broker). See some docs
> here:
> http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html#d4e3420
>
> Maybe using RequiredAction SPI for OTP authentication is even better
> than IdentityProviderMapper (even if it still seems to be a
> workaround). In your RequiredActionProvider.evaluateTriggers(), you will
> check that the user was authenticated through broker and if yes, you put
> some requiredAction like "authenticate_otp" into the clientSession. Then in
> requiredActionChallenge() you will redirect to the OTP form and in
> processAction() you will check if OTP was successful. The code in
> requiredActionChallenge and processAction methods might be very similar
> to the code in OTPFormAuthenticator. You can likely take inspiration from there.
>
> If you still have issues, feel free to create a JIRA and we will try to
> look at improving things in Keycloak.
>

It would be better to have a post-login flow.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
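Marek's three-step RequiredAction outline above (queue the action in evaluateTriggers, show the OTP form in requiredActionChallenge, verify in processAction), written out as an added example; this is not code from the thread or from Keycloak itself. It assumes a brokered login can be recognised by a client-session note named "identity_provider" and uses the validCredentials() signature of the 1.x line; both vary between Keycloak versions, and the RequiredActionFactory plus META-INF/services registration are omitted.

```java
import javax.ws.rs.core.MultivaluedMap;
import org.keycloak.authentication.RequiredActionContext;
import org.keycloak.authentication.RequiredActionProvider;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.services.messages.Messages;

// Forces an OTP check after a brokered login, regardless of what the external IdP supports.
public class BrokeredOtpRequiredAction implements RequiredActionProvider {

    public static final String ACTION_ID = "authenticate_otp"; // action name from the thread
    // ASSUMPTION: the broker stores the IdP alias under this note; adapt to your version.
    private static final String BROKER_NOTE = "identity_provider";

    // Step 1: runs after every authentication; only brokered sessions get the action queued.
    @Override
    public void evaluateTriggers(RequiredActionContext context) {
        ClientSessionModel clientSession = context.getClientSession();
        if (clientSession.getNote(BROKER_NOTE) != null) {
            clientSession.addRequiredAction(ACTION_ID);
        }
    }

    // Step 2: render the same TOTP form that OTPFormAuthenticator uses.
    @Override
    public void requiredActionChallenge(RequiredActionContext context) {
        context.challenge(context.form().createLoginTotp());
    }

    // Step 3: verify the code; a missing or wrong code re-challenges rather than failing open.
    @Override
    public void processAction(RequiredActionContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String otp = form.getFirst(CredentialRepresentation.TOTP);
        boolean valid = false;
        if (otp != null && !otp.trim().isEmpty()) {
            // ASSUMPTION: 1.x signature; later versions validate via the credential manager.
            UserCredentialModel cred = UserCredentialModel.otp(context.getRealm().getOTPPolicy().getType(), otp);
            valid = context.getSession().users()
                    .validCredentials(context.getSession(), context.getRealm(), context.getUser(), cred);
        }
        if (valid) {
            context.getClientSession().removeRequiredAction(ACTION_ID); // clear so success() can proceed
            context.success();
        } else {
            context.challenge(context.form().setError(Messages.INVALID_TOTP).createLoginTotp());
        }
    }

    @Override
    public void close() {}
}
```

Because evaluateTriggers runs on every login, the note check is what keeps direct username/password logins (which already pass the normal OTP authenticator) from being prompted twice.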

