<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 1 October 2015 at 20:49, Bill Burke <span dir="ltr"><<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Sorry for late reply.<br>
<span class=""><br>
On 10/1/2015 3:13 AM, Stian Thorgersen wrote:<br>
> * If a user that was logged in using Kerberos logs out the user should<br>
> not just be automatically logged in again for the current browser<br>
> session. Instead the user should be displayed with a regular<br>
> username/password field, but also with an option to log in with Kerberos<br>
<br>
</span>Don't like this idea.<br>
<br>
#1 Users that want to bypass kerberos have to know to logout first so<br>
they can login as a non-kerberos user.<br>
<br>
#2 username/password screen would have to have knowledge that kerberos<br>
is turned on and that the user was logged in via kerberos. I don't<br>
think this is possible with the current SPI.<br></blockquote><div><br></div><div>Could we not have a selector or something in the authentication flow that can select which authenticator to use? The selector could even be allowed to prompt the user for input, so we could implement an "Is this you" selector.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<span class=""><br>
> * A variant on the above where if a user has logged-out from Kerberos<br>
> the user would be displayed with an "Is this you?" when logging in, if the<br>
> user selects yes the Kerberos authenticator would continue, if not the<br>
> regular username/password form would be displayed<br>
<br>
</span>This one might be easy to do with the current SPI although not sure if<br>
kerberos plugin sets some session variables that need to be cleared.<br></blockquote><div><br></div><div>I was assuming that this option would also require the user to log out first. "Is this you" would only be displayed after a logout.</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<span class=""><br>
<br>
> * Implement account switcher - where a user can log in to multiple<br>
> accounts at a time and select which account to use<br>
><br>
<br>
</span>Not sure how this is different than "Is this you?".<br></blockquote><div><br></div><div>"Is this you" would simply prompt the user if the user is the user that previously logged in from that browser.</div><div><br></div><div>Account switcher would allow a user to be signed in to Keycloak with multiple accounts and provide some mechanism for applications to select which account. Like GMail and others allow you to be logged in to multiple accounts at a time.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<span class=""><br>
> Other ideas? Points for ideas that require no hacks in applications ;)<br>
><br>
<br>
</span>idp_hint is a much different animal, isn't it? idp_hint is provided by<br>
the application. skip_auth_mechanism would be something the user has to<br>
know about to type in the URL right?<br></blockquote><div><br></div><div>We should never have added idp_hint in the first place IMO. It leaks authentication semantics into applications and also only works if the user is not logged in already. </div><div><br></div><div>skip_auth_mech could be implemented in applications as well, but my same point stands here. It requires applications to be aware of authentication semantics. It seems that what's being proposed here is that admins manually add it to the login URL though, but that's just a horrible idea, period.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<span class="HOEnZb"><font color="#888888"><br>
<br>
<br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" rel="noreferrer" target="_blank">http://bill.burkecentral.com</a><br>
</font></span><div class="HOEnZb"><div class="h5">_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</div></div></blockquote></div><br></div></div>