[keycloak-dev] Account Chooser Flo

Stian Thorgersen sthorger at redhat.com
Mon Oct 5 03:42:14 EDT 2015


As I commented in the original thread I don't think this is a good idea.
Users that have configured their browser have to set a specific domain to
enable Kerberos as well as be logged in using Kerberos to their desktop.
With that in mind 99% of users will want to log in with Kerberos 99% of the
time. So requiring an extra step in the flow is not nice.

Let's please return this conversation to the original thread though, rather
than start another thread.

On 2 October 2015 at 17:23, Bill Burke <bburke at redhat.com> wrote:

> I would like to take the Account Chooser approach to the Kerberos bypass
> situation.  The Flow would be:
>
> 1. Cookie - ALTERNATIVE
> 2. Chooser Flow - ALTERNATIVE
>     a. Kerberos - OPTIONAL
>     b. Account Chooser - ALTERNATIVE
>     c. Forms - ALTERNATIVE
>        i. Username/Password - REQUIRED
>        ii. OTP - OPTIONAL
>
>
> * An "accounts used" cookie needs to be optionally set depending on
> "remember me" switch. This should be a persistent cookie.
> * Account Chooser page is always shown unless the "account used" cookie
> is empty and no ClientSessionModel.getAuthenticatedUser is set.
> * If selected user == current ClientSessionModel.getAuthenticatedUser
> then return SUCCESSFUL
> * If selected user != NULL set ClientSessionModel.getAuthenticatedUser,
> return ATTEMPTED
> * If selected user == NULL clear
> ClientSessionModel.getAuthenticatedUser, return ATTEMPTED
>
> * Username/Password Form Authenticator does not display username,
> registration, and broker links if getAuthenticatedUser is already set
> * An improvement can be made to also perform OTP input on
> Username/Password page if a UserModel is already chosen.
>
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com