[keycloak-dev] Kerberos, login with different user

Stian Thorgersen sthorger at redhat.com
Thu Oct 1 03:13:59 EDT 2015


I don't like the query param approach as it requires somehow adding the
query param to specify what authenticators to skip. This would have to be
added to applications themselves and with Keycloak the whole idea is that
applications shouldn't have to worry about authentication semantics.

We need a generic mechanism to be able to skip any authenticators that
automatically log in a user. Currently this is only Kerberos, but in the
future we could add more, including an option to automatically route to
external IdPs.

Ignoring implementation semantics for now, but taking Kerberos as the
example authenticator I can see some options (in the examples below replace
'Kerberos' with any other authentication method that can automatically
log in a user):

* If a user that was logged in using Kerberos logs out, the user should not
just be automatically logged in again for the current browser session.
Instead the user should be shown a regular username/password
field, but also with an option to log in with Kerberos
* A variant on the above where, if a user has logged out from Kerberos, the
user would be shown an "Is this you?" prompt when logging in; if the user
selects yes the Kerberos authenticator would continue, if not the regular
username/password form would be displayed
* Implement an account switcher, where a user can log in to multiple accounts
at a time and select which account to use

Other ideas? Points for ideas that require no hacks in applications ;)

On 30 September 2015 at 15:39, Michael Gerber <gerbermichi at me.com> wrote:

> Hi all,
>
> I would like to use Kerberos as my standard authentication mechanism, but
> I also want to have the possibility to log in as an admin over the login
> form.
> Therefore, I want to skip the Kerberos authenticator after a successful
> logout.
> https://issues.jboss.org/browse/KEYCLOAK-1727
>
> How would you solve this problem?
>
> I've got two solutions, one sets a logout session cookie after a logout
> and then skips the kerberos authentication and another which allows users
> to skip any kind of alternative authenticators with a query parameter.
>
> Logout Session Cookie
>
> https://github.com/gerbermichi/keycloak/commit/f804d9e13573cb666cf6d2eff1407978c9e5e854
>
> Query Param
>
> https://github.com/gerbermichi/keycloak/commit/abd3bd87f5aa4c28914da677653268c0f44fe6cc
>
> Michael
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
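As an added example (not code from Keycloak and not from either commit linked in the thread), the following Python model walks through the "logout marker cookie" idea against a Keycloak-style ALTERNATIVE flow: an automatic Kerberos/SPNEGO authenticator followed by a username/password form. It shows the edge cases the discussion turns on: the marker only suppresses automatic authenticators, an explicit "log in with Kerberos" choice overrides it, and any successful login clears it. The cookie name `KC_LOGGED_OUT`, the realm path, the class names and the credential data are assumptions or constructed sample data, not Keycloak identifiers.

```python
"""Added example, not code from Keycloak or from the thread's commits.

Minimal model of an ALTERNATIVE authentication flow: an automatic
authenticator (Kerberos/SPNEGO) followed by a username/password form,
plus a logout marker cookie. The cookie name, realm path, class names and
sample credentials are assumptions / constructed data for the demo.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set

LOGOUT_MARKER = "KC_LOGGED_OUT"   # assumed cookie name; not a real Keycloak cookie
REALM_PATH = "/auth/realms/demo"  # constructed path; scope the cookie to the realm


class Outcome(Enum):
    SUCCESS = "success"      # user established, flow finished
    ATTEMPTED = "attempted"  # ran, could not establish a user, fall through
    CHALLENGE = "challenge"  # needs user interaction (show the login form)


@dataclass
class Request:
    cookies: Dict[str, str]
    spnego_token: Optional[str] = None          # browser's "Authorization: Negotiate" value
    form: Dict[str, str] = field(default_factory=dict)
    explicit_kerberos: bool = False              # user clicked "Login with Kerberos"


@dataclass
class Response:
    outcome: Outcome
    user: Optional[str] = None
    clear_cookies: Set[str] = field(default_factory=set)


class KerberosAuthenticator:
    """Automatic login: succeeds without interaction when a ticket is valid."""

    def __init__(self, ticket_to_user: Dict[str, str]):
        self.ticket_to_user = ticket_to_user  # stands in for real SPNEGO validation

    def authenticate(self, req: Request) -> Response:
        # After an explicit logout, do not log the same browser straight back in,
        # unless the user explicitly chose Kerberos again.
        if LOGOUT_MARKER in req.cookies and not req.explicit_kerberos:
            return Response(Outcome.ATTEMPTED)
        user = self.ticket_to_user.get(req.spnego_token or "")
        if user is None:
            return Response(Outcome.ATTEMPTED)
        # Any successful login clears the marker so the next session starts clean.
        return Response(Outcome.SUCCESS, user=user, clear_cookies={LOGOUT_MARKER})


class PasswordFormAuthenticator:
    """Interactive login: challenges with the form until valid credentials arrive."""

    def __init__(self, credentials: Dict[str, str]):
        self.credentials = credentials  # constructed plaintext store, demo only

    def authenticate(self, req: Request) -> Response:
        username = req.form.get("username")
        if username is None or self.credentials.get(username) != req.form.get("password"):
            return Response(Outcome.CHALLENGE)
        return Response(Outcome.SUCCESS, user=username, clear_cookies={LOGOUT_MARKER})


def run_flow(authenticators, req: Request) -> Response:
    """ALTERNATIVE semantics: first SUCCESS wins, ATTEMPTED falls through to the
    next authenticator, CHALLENGE stops the flow and shows the form."""
    for auth in authenticators:
        resp = auth.authenticate(req)
        if resp.outcome is not Outcome.ATTEMPTED:
            return resp
    return Response(Outcome.CHALLENGE)


def logout_set_cookie_header() -> str:
    """Set-Cookie header the logout endpoint would emit: realm-scoped, HttpOnly and
    Secure, so application scripts cannot read it and other paths never see it."""
    return f"{LOGOUT_MARKER}=1; Path={REALM_PATH}; HttpOnly; Secure; SameSite=Lax"


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Turn 'a=1; b=2' (what the browser sends back) into a dict."""
    return dict(part.strip().split("=", 1) for part in header.split(";") if "=" in part)


# Constructed sample data for the walkthrough.
FLOW = [
    KerberosAuthenticator({"negotiate-ticket-for-alice": "alice"}),
    PasswordFormAuthenticator({"admin": "correct horse battery staple"}),
]


def scenario():
    """Walk through the thread's scenario; returns the outcome of each step."""
    ticket = "negotiate-ticket-for-alice"
    # 1. fresh browser: Kerberos logs alice in automatically
    first = run_flow(FLOW, Request(cookies={}, spnego_token=ticket))
    # 2. alice logs out; the browser now holds the marker cookie
    cookies = parse_cookie_header(f"{LOGOUT_MARKER}=1")
    # 3. same browser returns with a valid ticket: Kerberos is skipped, form shown
    after_logout = run_flow(FLOW, Request(cookies=cookies, spnego_token=ticket))
    # 4. admin uses the form; success clears the marker
    admin = run_flow(FLOW, Request(cookies=cookies, spnego_token=ticket,
                                   form={"username": "admin",
                                         "password": "correct horse battery staple"}))
    # 5. or alice explicitly chooses Kerberos, which overrides the marker
    explicit = run_flow(FLOW, Request(cookies=cookies, spnego_token=ticket,
                                      explicit_kerberos=True))
    return first, after_logout, admin, explicit
```

Run `scenario()` to see the four outcomes in order. The model keeps the marker entirely on the Keycloak side (logout endpoint sets it, authenticators read it), which is what avoids touching applications; a query parameter would instead have to be threaded through every client's redirect. Scoping the cookie to the realm path and marking it HttpOnly keeps it out of reach of application scripts, and clearing it on any successful login means a stale marker never follows the user into a new session.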