[keycloak-dev] Kerberos, login with different user
Marek Posolda
mposolda at redhat.com
Fri Oct 2 02:37:22 EDT 2015
On 01/10/15 20:49, Bill Burke wrote:
> Sorry for late reply.
>
> On 10/1/2015 3:13 AM, Stian Thorgersen wrote:
>> * If a user that was logged in using Kerberos logs out the user should
>> not just be automatically logged-in again for the current browser
>> session. Instead the user should be displayed with a regular
>> username/password field, but also with an option to login with Kerberos
> Don't like this idea.
>
> #1 Users that want to bypass kerberos have to know to logout first so
> they can login as a non-kerberos user.
>
> #2 username/password screen would have to have knowledge that kerberos
> is turned on and that the user was logged in via kerberos. I don't
> think this is possible with the current SPI.
>
>> * A variant on the above where if a user has logged-out from Kerberos
>> the user would be displayed with a "Is this you?" when login, if the
>> user selects yes the Kerberos authenticator would continue, if not the
>> regular username/password form would be displayed
> This one might be easy to do with current SPI although not sure if
> kerberos plugin sets some session variables that need to be cleared.
Yes, it can add the gss_delegation_credential note when Kerberos
credential delegation is enabled.
It looks like we may also need the non-persistent cookie added during
logout, so the "Is this you" screen is not displayed for the first-time
login?
>
>
>> * Implement account switcher - where a user can login to multiple
>> accounts at a time and select which account to use
>>
> Not sure how this is different than "Is this you?".
>
>> Other ideas? Points for ideas that require no hacks in applications ;)
>>
> idp_hint is a much different animal, isn't it? idp_hint is provided by
> the application. skip_auth_mechanism would be something the user has to
> know about to type in the URL right?
>
>
>
It's quite the same. Both allow the application to send something to the
auth-server. The application can use a secured URL with the param (
http://localhost/customer-portal/secured?kc_idp_hint=facebook or
http://localhost/customer-portal/secured?skip_auth_mechanism=kerberos ).
The adapter then takes care of resending the parameter to the auth-server
in the initial AuthorizationEndpoint request. In both cases, the application
can either provide the link or the user can add the parameters manually.
Marek
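The pass-through described in the last message, written out as an added example (not Keycloak adapter code and not part of this thread): an application-side helper that reads only an allow-listed set of hint parameters from the secured URL, drops them from the redirect_uri so they are not bounced back on every round trip, and appends them to the initial AuthorizationEndpoint request. kc_idp_hint is Keycloak's existing parameter; skip_auth_mechanism is the parameter proposed in this thread and is assumed here to follow the same pass-through rule. The auth server base, realm and client_id values are constructed for the example.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs, parse_qsl, urlunparse

# Hint parameters the adapter is willing to forward to the auth server.
# kc_idp_hint exists in Keycloak; skip_auth_mechanism is the parameter
# proposed in the thread (assumption: forwarded the same way).
FORWARDED_HINT_PARAMS = ("kc_idp_hint", "skip_auth_mechanism")


def extract_hints(secured_url):
    """Return only the allow-listed hint parameters present on the app URL.

    Anything else in the query string stays with the application and is
    never forwarded to the auth server.
    """
    query = parse_qs(urlparse(secured_url).query)
    hints = {}
    for name in FORWARDED_HINT_PARAMS:
        values = query.get(name)
        if values:
            hints[name] = values[0]  # first value wins if the param is repeated
    return hints


def strip_hints(secured_url):
    """Remove the hint parameters from the URL used as redirect_uri.

    If they stayed in redirect_uri, the adapter would re-send them after the
    auth server redirects back, turning a one-shot hint into a loop.
    """
    parts = urlparse(secured_url)
    remaining = [(k, v) for k, v in parse_qsl(parts.query)
                 if k not in FORWARDED_HINT_PARAMS]
    return urlunparse(parts._replace(query=urlencode(remaining)))


def build_authorization_request(secured_url, auth_server, realm, client_id, state=None):
    """Build the initial AuthorizationEndpoint request the adapter redirects to.

    auth_server is the base URL (constructed example: http://localhost:8080/auth);
    the endpoint path is Keycloak's openid-connect auth endpoint for the realm.
    """
    state = state or secrets.token_urlsafe(16)  # CSRF binding for the code flow
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": strip_hints(secured_url),
        "state": state,
    }
    params.update(extract_hints(secured_url))
    endpoint = f"{auth_server.rstrip('/')}/realms/{realm}/protocol/openid-connect/auth"
    return f"{endpoint}?{urlencode(params)}"


def parse_authorization_request(url):
    """Split an authorization request back into (endpoint, {param: value})."""
    parts = urlparse(url)
    endpoint = urlunparse(parts._replace(query=""))
    return endpoint, {k: v[0] for k, v in parse_qs(parts.query).items()}


if __name__ == "__main__":
    # Constructed sample: the customer-portal URL from the thread with an IdP hint.
    app_url = "http://localhost/customer-portal/secured?kc_idp_hint=facebook"
    print(build_authorization_request(app_url, "http://localhost:8080/auth",
                                      "demo", "customer-portal"))
```

The allow-list is the point: the adapter forwards exactly the parameters the auth server is meant to act on, so a user or a link cannot smuggle arbitrary query parameters into the authorization request, and the hint is consumed once rather than carried in redirect_uri indefinitely.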