[keycloak-dev] Async authentication example

Stian Thorgersen sthorger at redhat.com
Wed Jul 12 03:02:53 EDT 2017


On 11 July 2017 at 17:05, Bill Burke <bburke at redhat.com> wrote:

> Awesome!   Comments inline
>
>
> On 7/11/17 8:29 AM, Stian Thorgersen wrote:
> > I gave it a go and implemented an "async" authentication example. It's
> > rather simple; what happens is:
> >
> > * User authenticates with username only
> > * Then a "waiting" page is displayed, which is waiting for some external
> > callback. This could be an app or whatever that verifies the user then
> > sends the callback. In the example a CURL command is printed on sysout for
> > the server which you can run to "simulate" the callback from the app.
> > * Once the callback is received the user is authenticated without filling
> > in password or any other credentials in the main browser
> >
> > https://github.com/stianst/authenticator-example
> >
> > Check it out here:
> > https://youtu.be/C09BpNIf4v8
> >
> > It's a bit hacky in the way it's implemented:
> >
> > * Using notes for "callback" is a bit strange maybe?
> Why?
>

Dunno, was mainly checking if others thought it was OK.


>
> > * Had to use custom realm resource for callback endpoint. Is this strange?
> > * Probably won't work for cross DC, but in 7.2 Hynek has stuff that does
> > that
> So, in 7.2 it will work for cross-DC?
>

The example would need changing for KC 3.2 / 7.2 to support cross-DC. It
would need changing for authentication sessions and the callback should use
the event mechanism that Hynek implemented to update the authentication
session in the correct DC/node. Maybe Marek/Hynek could take a look at that
to make sure it works cross DC?


>
> > * No way to push change to browser, so have to pull every 2 seconds. Maybe
> > we could add a simple authentication event feature that uses websockets and
> > a small auth js lib to do the job of notification?
> You'd have to have a cross-DC notification bus for something like this
> as only one node in the cluster would have the websocket open. If you
> had Javascript that did the polling, the user wouldn't even see it.
>

I have JS polling at the moment, but I don't like it as it needs a request
every X seconds. Much better to have a way to push when it actually
changes. I don't think it would be too hard to add.


>
> Bill
>
>
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
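
The flow described in this thread (username-only login, a waiting page, an external callback, then polling), as an added example that is not part of the original message or the linked repository: a framework-independent Python model, not Keycloak's API. The random callback token, its expiry (`CALLBACK_TTL`) and its single-use handling are assumptions the thread does not specify.

```python
import hashlib
import hmac
import secrets
import time

CALLBACK_TTL = 120  # assumed: seconds a pending login stays approvable

class PendingLogins:
    """In-memory stand-in for the per-login notes discussed in the thread."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}  # session_id -> state

    def start(self, username):
        """Username-only step: returns (session_id, callback_token)."""
        session_id = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)  # handed to the external verifier only
        self._sessions[session_id] = {
            "user": username,
            "token_hash": hashlib.sha256(token.encode()).digest(),
            "expires": self._clock() + CALLBACK_TTL,
            "approved": False,
        }
        return session_id, token

    def callback(self, session_id, token):
        """External callback: True only for the first valid, unexpired call."""
        s = self._sessions.get(session_id)
        if s is None or s["approved"] or self._clock() > s["expires"]:
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, s["token_hash"]):
            return False
        s["approved"] = True
        return True

    def poll(self, session_id):
        """Waiting page: reports status only and never echoes the token."""
        s = self._sessions.get(session_id)
        if s is None:
            return "unknown"
        if s["approved"]:
            del self._sessions[session_id]  # one login per approval
            return "authenticated"
        if self._clock() > s["expires"]:
            del self._sessions[session_id]
            return "expired"
        return "pending"
```
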

