[keycloak-dev] Support for conditional AuthenticationFlowExecution.

Thomas Darimont thomas.darimont at googlemail.com
Mon Nov 23 10:43:23 EST 2015


Hello group,

This is my first post on this mailing list and I want to say thank you for this awesome project!

I had a look at many IDM / SSO solutions before and Keycloak provided the best out-of-the-box experience so far!

I posted the following in the JIRA initially but Stian Thorgersen asked me to post this on the mailing list as well.


Scenario:

Support for conditional AuthenticationFlowExecution.

Often some authentication flow steps should only be executed under certain conditions, e.g. sometimes a TOTP based auth step is only required if requests come with a certain request header value.

It would be cool if one could configure a condition on the AuthenticationFlowExecution (if I'm not mistaken) that if evaluated to true would execute or skip a particular authentication step.

This could perhaps be configured via the admin console in the Authentication -> Flows tab.

Conditions could perhaps be simple JavaScript expressions that could be evaluated via the built-in JavaScript ScriptEngine.

For this it would be useful to provide a set of "standard" functions that can be called from the expressions (perhaps based on a whitelist).

Admins should also be able to define their custom functions.

The context could provide access to the current http request, current user, the requested client application and perhaps the Keycloak configuration.


The issue: https://issues.jboss.org/browse/KEYCLOAK-2108
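
Added example, not part of the original post and not Keycloak code: one way to evaluate such conditions without handing admin-supplied text to a script engine is to parse a restricted subset of JavaScript expression syntax (calls to allowlisted functions with string-literal arguments, combined with `&&`, `||`, `!` and parentheses). The function names, the context shape and the fail-closed default are all assumptions made for illustration.

```javascript
// Hypothetical allowlist (not Keycloak API); a Map, so "constructor" etc. never resolve.
const STANDARD_FUNCTIONS = new Map([
  ['header', (ctx, name, value) => ctx.request.headers[name.toLowerCase()] === value],
  ['clientIs', (ctx, id) => ctx.client.id === id],
  ['userHasRole', (ctx, role) => ctx.user.roles.includes(role)],
]);
// Accepted tokens: identifier, "string" without escapes, && || ! ( ) ,
const TOKEN = /\s*(?:([A-Za-z_]\w*)|"([^"\\]*)"|(&&|\|\||[!(),]))/y;
function tokenize(expr) {
  const src = expr.trimEnd(), tokens = [];
  for (TOKEN.lastIndex = 0; TOKEN.lastIndex < src.length;) {
    const at = TOKEN.lastIndex, m = TOKEN.exec(src);
    if (!m) throw new Error(`unexpected input at offset ${at}`);
    tokens.push(m[3] ? { type: m[3] } : m[1] ? { type: 'id', value: m[1] } : { type: 'str', value: m[2] });
  }
  return tokens;
}

function evaluateCondition(expr, ctx) {
  const tokens = tokenize(expr);
  const fail = (msg) => { throw new Error(msg); };
  const peek = () => (tokens.length ? tokens[0].type : 'end');
  const take = (type) => (peek() === type ? tokens.shift() : fail(`expected ${type}, got ${peek()}`));
  // Both operands are always evaluated; the allowlisted functions have no side effects.
  const or = () => { let v = and(); while (peek() === '||') { tokens.shift(); v = and() || v; } return v; };
  const and = () => { let v = not(); while (peek() === '&&') { tokens.shift(); v = not() && v; } return v; };
  const not = () => {
    if (peek() === '!') { tokens.shift(); return !not(); }
    if (peek() === '(') { tokens.shift(); const v = or(); take(')'); return v; }
    const name = take('id').value, fn = STANDARD_FUNCTIONS.get(name), args = [];
    if (!fn) fail(`function not allowlisted: ${name}`);
    take('(');
    while (peek() === 'str') { args.push(take('str').value); if (peek() !== ',') break; tokens.shift(); }
    take(')');
    if (args.length !== fn.length - 1) fail(`wrong argument count for ${name}`);
    return fn(ctx, ...args) === true;
  };
  const value = or();
  take('end'); // reject trailing tokens
  return value;
}
// Fail closed: no condition, or one that cannot be evaluated, means the step runs.
function shouldExecute(execution, ctx) {
  if (!execution.condition) return true;
  try { return evaluateCondition(execution.condition, ctx); } catch (err) { return true; }
}
// Constructed sample: require the TOTP step only for requests tagged as external.
const sampleCtx = { request: { headers: { 'x-network-zone': 'external' } }, user: { roles: ['staff'] }, client: { id: 'payroll' } };
const totpStep = { authenticator: 'totp', condition: 'header("X-Network-Zone", "external") && !userHasRole("kiosk")' };
```

With the constructed sample, `shouldExecute(totpStep, sampleCtx)` returns `true`. A condition that names a function outside the allowlist throws inside `evaluateCondition`, so `shouldExecute` still runs the step.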