[keycloak-dev] Few Questions on usage

gambol gambol99 at gmail.com
Mon May 21 09:54:07 EDT 2018


Hi Bill

> - Will the scripting always be global level, or is there any plan to make
> it per client? or perhaps a better question would be will authentication
> flow always be at the realm level.
>

> You can assign a specific authentiction flow to a specific client, but
> we do not have anything like "step up" authentication yet.

Ah cool!! .. I can't seem to find where to do this though .. Assuming I had
client x, where do I associate the browser flow to a specific client?

> - Is there any way to turn off the internal passwords and force via
> identity provider? .. i guess this is where scripting becomes useful ..
i.e
> if client = y get the provider name and deny if not y etc
>

> Elaborate?  Not sure what you mean. Not understanding this one.

So essentially we have two upstream identity providers, we want to switch
off the user setting a local password and logging in via that, forcing them
to go via an identity provider. Though if a script can just do

if (client == "x") {
   // "something" stands for wherever the identity provider id is read from
   var providerId = something.getProviderId();
   if (providerId != "y" && providerId != "z") {
      // reject the login for client x unless it came via provider y or z
      context.failure("some message");
   }
}


On Mon, May 21, 2018 at 2:21 PM, Bill Burke <bburke at redhat.com> wrote:

> On Mon, May 21, 2018 at 9:00 AM, gambol <gambol99 at gmail.com> wrote:
> > Hiya
> >
> > Apologies for the wide range of questions .. but figured a number would be
> > useful for the user base.
> >
> > - Using the current scripted authentication in Authentication Flows would
> > it possible to use script to say if clientid == x and user have role x,
> > permitted else not. Also do you have a repo with some examples of
> scripts?
> > similar to https://github.com/auth0/rules
> >
>
> Yes, you could do that.  No repo, sorry.  This was a community
> contribution and we don't have much more than basic docs.
>
> > - Will the scripting always be global level, or is there any plan to make
> > it per client? or perhaps a better question would be will authentication
> > flow always be at the realm level.
> >
>
> You can assign a specific authentication flow to a specific client, but
> we do not have anything like "step up" authentication yet.
>
> > - Assuming a realm with multiple identity providers, is there any means
> by
> > which a client can enforce that a user came in via a specific identity
> > provider? or if i come in via provider x they need to use MFA (would this
> > be done with a Post Login Flow on the provider perhaps?).
> >
>
> That might work, but post login flow was implemented mainly to resolve
> import from external provider.
>
> > - Are there any plans to make Groups per client and under the client ui? as
> > for realms which have many disassociated applications but common user
> bases
> > it makes it easier for them to manage.
> >
>
> You are the first to ask, but we should do something similar to what
> was done for roles.
>
> > - Are there any plans to expose metrics (or perhaps they are already
> > exposed)? via jmx, stats, prometheus etc .. around logins, successful,
> > failed etc, any latency measures on identity providers, infinispan /
> > database operations etc
> >
>
> Something that should be scheduled.  We have audit logs for all
> different types of events, but I'm pretty sure we don't tabulate any
> of it.  We have basic generic metrics that any "application server"
> would provide through Wildfly.
>
> > - Is there any way to turn off the internal passwords and force via
> > identity provider? .. i guess this is where scripting becomes useful ..
> i.e
> > if client = y get the provider name and deny if not y etc
> >
>
> Elaborate?  Not sure what you mean. Not understanding this one.
>
>
> --
> Bill Burke
> Red Hat
>
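The "deny client x unless the user came via provider y or z" sketch above, written out as a Keycloak-style script authenticator. This is an added example, not code from the thread or from the Keycloak project. It follows the `authenticate(context)` / `context.success()` / `context.failure(AuthenticationFlowError)` shape that Keycloak's script authenticator uses, and the context getters (`getAuthenticationSession`, `getUser`, `getRealm`, `getSession`) exist on Keycloak's AuthenticationFlowContext; the federated-identity lookup `session.users().getFederatedIdentities(user, realm)` and its argument order are an assumption to check against the Keycloak version in use. The policy decision is kept in a pure function so it can be exercised offline with a constructed stand-in context.

```javascript
// Per-client policy: identity providers a user must be linked through.
// Clients not listed keep normal (local password) login. Values are constructed.
const REQUIRED_PROVIDERS = { x: ["y", "z"] };

// Inside Keycloak (Nashorn) the Java enum is available via Java.type;
// when run stand-alone (Node) a string stand-in is used instead.
const AuthenticationFlowError =
  typeof Java !== "undefined"
    ? Java.type("org.keycloak.authentication.AuthenticationFlowError")
    : { INVALID_USER: "INVALID_USER" };

// Pure decision: no Keycloak runtime needed, so it is easy to test.
function decide(clientId, linkedProviders) {
  const required = REQUIRED_PROVIDERS[clientId];
  if (!required) {
    return { allowed: true, reason: "no provider restriction for client " + clientId };
  }
  const hit = linkedProviders.filter((p) => required.includes(p));
  if (hit.length === 0) {
    return {
      allowed: false,
      reason: "client " + clientId + " requires login via " + required.join(" or "),
    };
  }
  return { allowed: true, reason: "linked via " + hit.join(",") };
}

// Collects the aliases of identity providers the user is linked to.
// Assumption: getFederatedIdentities(user, realm) returns a collection of
// FederatedIdentityModel. Keycloak hands back a Java Set, which Nashorn
// unwraps with Java.from(); the constructed context below returns an array.
function linkedProviderAliases(context) {
  const models = context
    .getSession()
    .users()
    .getFederatedIdentities(context.getUser(), context.getRealm());
  const list = typeof Java !== "undefined" ? Java.from(models) : models;
  return list.map((m) => m.getIdentityProvider());
}

// Keycloak entry point: called with an AuthenticationFlowContext.
// Returns the verdict so a caller (or test) can inspect it.
function authenticate(context) {
  const clientId = context.getAuthenticationSession().getClient().getClientId();
  const verdict = decide(clientId, linkedProviderAliases(context));
  if (!verdict.allowed) {
    // Fail the flow; Keycloak shows its generic error page for INVALID_USER.
    context.failure(AuthenticationFlowError.INVALID_USER);
    return verdict;
  }
  context.success();
  return verdict;
}

// Constructed stand-in for Keycloak's context, recording success/failure calls.
function makeContext(clientId, providerAliases) {
  const calls = [];
  return {
    calls,
    getAuthenticationSession: () => ({ getClient: () => ({ getClientId: () => clientId }) }),
    getUser: () => ({ getUsername: () => "alice" }),
    getRealm: () => ({ getName: () => "demo" }),
    getSession: () => ({
      users: () => ({
        getFederatedIdentities: () =>
          providerAliases.map((alias) => ({ getIdentityProvider: () => alias })),
      }),
    }),
    success: () => { calls.push("success"); },
    failure: (err) => { calls.push("failure:" + err); },
  };
}

// Stand-alone run: a linked user passes, a local-only user is refused.
function demo() {
  const linked = makeContext("x", ["z"]);
  const localOnly = makeContext("x", []);
  return {
    linked: authenticate(linked).allowed + " " + linked.calls[0],
    localOnly: authenticate(localOnly).allowed + " " + localOnly.calls[0],
  };
}
console.log(demo());
```

Note that this check only runs in whatever flow the script is bound to; a user who authenticated at the broker but was never linked to the provider alias will be refused, so the first-broker-login flow has to create the link before this step is reached.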

