[keycloak-dev] new credential SPI

Bill Burke bburke at redhat.com
Tue Aug 23 10:39:37 EDT 2016



On 8/23/16 10:12 AM, Marek Posolda wrote:
> Regarding SPNEGO, I remember we discussed it on the ML a few years ago and 
> agreed on doing it at UserFederation level. However that was before we 
> had Authentication SPI :-)
>
> So yes, maybe we can refactor now?
>
> What we can do is:
> - Add keytab, kerberos principal and "debug" as properties of 
> SPNEGOAuthenticator.
> - If user is successfully authenticated by SPNEGOAuthenticator, he will 
> be looked up by UserFederationStorage. If found, then authentication 
> finished with success (so the case when user is in LDAP is still 
> supported). If he is not found, then he is lazily created (typically 
> the use case for SPNEGO/Kerberos not backed by LDAP)
>
> This shouldn't be too hard to do though.
>
> Regarding multiple handshakes, this is still a valid requirement IMO? 
> There are authentication mechanisms like SASL, which count with 
> multiple handshakes. Keycloak is currently around passwords and 
> OTP, but people may want to add their own credential types or in the 
> future we can add more mechanisms, which can require multiple handshakes?
>
Really depends on what's involved with the handshake.  Protocol stuff 
should not be in the storage SPI.  We already do multiple handshakes 
with Kerberos in the Kerberos authenticator.  SASL is a protocol and 
thus should be handled at the Authenticator level.  Maybe we need a 
status object for isValid, I don't know.

Bill
