<html><body><div>I don't like this approach if the "Account Chooser" page is only configurable per realm.</div><div>Because I think it is a bit annoying if you always have to go through the "Account Chooser" page.</div><div>99% of all users want to log in with their Kerberos credentials; there are only a few people who want to switch their account.</div><div><br></div><div>But I think your approach is good, if you can enable the "Account Chooser" page per client and not only per realm.</div><div><br></div><div>On 02 October 2015 at 16:31, Bill Burke &lt;bburke@redhat.com&gt; wrote:<br><br></div><div><blockquote type="cite"><div class="msg-quote"><div class="_stretch"><span class="body-text-content"><span class="body-text-content"><br><br>On 10/2/2015 5:26 AM, Stian Thorgersen wrote:<br></span></span><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">On 1 October 2015 at 20:49, Bill Burke &lt;bburke@redhat.com</blockquote><blockquote class="quoted-plain-text" type="cite">&lt;mailto:bburke@redhat.com&gt;&gt; wrote:</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">Sorry for the late reply.</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">On 10/1/2015 3:13 AM, Stian Thorgersen wrote:</blockquote><blockquote 
class="quoted-plain-text" type="cite">&gt; * If a user that was logged in using Kerberos logs out the user should</blockquote><blockquote class="quoted-plain-text" type="cite">&gt; not just be automatically logged in again for the current browser</blockquote><blockquote class="quoted-plain-text" type="cite">&gt; session. Instead the user should be displayed with a regular</blockquote><blockquote class="quoted-plain-text" type="cite">&gt; username/password field, but also with an option to log in with Kerberos</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">Don't like this idea.</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">#1 Users that want to bypass Kerberos have to know to log out first so</blockquote><blockquote class="quoted-plain-text" type="cite">they can log in as a non-Kerberos user.</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">#2 username/password screen would have to have knowledge that Kerberos</blockquote><blockquote class="quoted-plain-text" type="cite">is turned on and that the user was logged in via Kerberos. I don't</blockquote><blockquote class="quoted-plain-text" type="cite">think this is possible with the current SPI.</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">Could we not have a selector or something in the authentication flow</blockquote><blockquote class="quoted-plain-text" type="cite">that can select which authenticator to use? 
The selector could even be</blockquote><blockquote class="quoted-plain-text" type="cite">allowed to prompt the user for input, so we could implement an "Is this</blockquote><blockquote class="quoted-plain-text" type="cite">you" selector.</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">&gt; * A variant on the above where if a user has logged out from Kerberos</blockquote><blockquote class="quoted-plain-text" type="cite">&gt; the user would be displayed with an "Is this you?" when logging in, if the</blockquote><blockquote class="quoted-plain-text" type="cite">&gt; user selects yes the Kerberos authenticator would continue, if not the</blockquote><blockquote class="quoted-plain-text" type="cite">&gt; regular username/password form would be displayed</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">This one might be easy to do with the current SPI although not sure if</blockquote><blockquote class="quoted-plain-text" type="cite">the Kerberos plugin sets some session variables that need to be cleared.</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">I was assuming that this option would also require the user to log out first.</blockquote><blockquote class="quoted-plain-text" type="cite">"Is this you" would only be displayed after a logout.</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><span class="body-text-content"><span class="body-text-content"><br>I don't like this "logout required" thing and the logout cookie. What <br>is the big deal about having a screen "You are already logged in via <br>Kerberos. Do you want to continue? Or log in as a different user?" 
<br>This would be something that is optionally turned on and shown after the <br>Kerberos/SPNEGO handshake.<br><br><br></span></span><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">&gt; * Implement account switcher - where a user can login to multiple</blockquote><blockquote class="quoted-plain-text" type="cite">&gt; accounts at a time and select which account to use</blockquote><blockquote class="quoted-plain-text" type="cite">&gt;</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">Not sure how this is different than "Is this you?".</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">"Is this you" would simply prompt the user if the user is the user that</blockquote><blockquote class="quoted-plain-text" type="cite">previously logged in from that browser.</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">Account switcher would allow a user to be signed-in to Keycloak with</blockquote><blockquote class="quoted-plain-text" type="cite">multiple accounts and provide some mechanism for applications to select</blockquote><blockquote class="quoted-plain-text" type="cite">which account. Like GMail and others allow you to be logged-in to</blockquote><blockquote class="quoted-plain-text" type="cite">multiple accounts at a time.</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><span class="body-text-content"><span class="body-text-content"><br><br>Again, this is very similar to the "Is this you?". The steps would be:<br><br>1. SPNEGO handshake successful<br>2. 
Show account switcher page with Kerberos user as only choice.<br><br>The only need for a logout persistent cookie is to remember successful <br>logins.<br><br>I would like this approach the best.<br><br><br></span></span><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">&gt; Other ideas? Points for ideas that require no hacks in applications ;)</blockquote><blockquote class="quoted-plain-text" type="cite">&gt;</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">idp_hint is a much different animal, isn't it? idp_hint is provided by</blockquote><blockquote class="quoted-plain-text" type="cite">the application. skip_auth_mechanism would be something the user has to</blockquote><blockquote class="quoted-plain-text" type="cite">know about to type in the URL right?</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">We should never have added idp_hint in the first place IMO. It leaks</blockquote><blockquote class="quoted-plain-text" type="cite">authentication semantics into applications and also only works if the user</blockquote><blockquote class="quoted-plain-text" type="cite">is not logged in already.</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><span class="body-text-content"><span class="body-text-content"><br>idp_hint is a good thing. If an app integrates with Facebook, they'll <br>need to force the user to log in via Facebook so they can obtain a <br>Facebook token.<br><br></span></span><blockquote class="quoted-plain-text" type="cite">skip_auth_mech could be implemented in applications as well</blockquote><blockquote class="quoted-plain-text" type="cite">but my same</blockquote><blockquote class="quoted-plain-text" type="cite">point stands here. 
It requires applications to be aware of</blockquote><blockquote class="quoted-plain-text" type="cite">authentication semantics. It seems that what's being proposed here is</blockquote><blockquote class="quoted-plain-text" type="cite">that admins manually add it to the login URL though, but that's just a</blockquote><blockquote class="quoted-plain-text" type="cite">horrible idea, period.</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><span class="body-text-content"><br>skip_auth_mech is the opposite of auth_mechs_required. Something that I <br>believe SAML has.<br><br>-- <br>Bill Burke<br>JBoss, a division of Red Hat<br><a href="http://bill.burkecentral.com" data-mce-href="http://bill.burkecentral.com">http://bill.burkecentral.com</a><br>_______________________________________________<br>keycloak-dev mailing list<br><a href="mailto:keycloak-dev@lists.jboss.org" data-mce-href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br><a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" data-mce-href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br></span></div></div></blockquote></div></body></html>
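The flow Bill sketches in the thread (SPNEGO handshake first, then an optional account switcher page listing the Kerberos user and any logins a persistent cookie remembers, or a username/password form for "a different user"), combined with the per-client switch asked for at the top, as an added Python model. This is example code written for this page, not Keycloak's authenticator SPI or anyone's code from the thread: every class and function name here is invented, the SPNEGO handshake is stubbed as the principal the browser proved (or None), and the user store is a constructed sample. It also shows the failure mode Stian raised: with the chooser off, a user who logs out is transparently logged in again by the next handshake.

```python
"""Model of the post-SPNEGO "account chooser" flow discussed in the thread.

Added illustration, not Keycloak code: every name here (Request, ChooserPage,
LoginFlow, remember_login, ...) is invented for the example, and the SPNEGO
handshake is stubbed as the principal name the browser proved, or None.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Request:
    client_id: str
    spnego_principal: Optional[str]  # None: no/failed SPNEGO handshake
    remembered_cookie: List[str] = field(default_factory=list)  # persistent cookie


@dataclass
class ChooserPage:
    """'You are already logged in via Kerberos. Continue, or log in as a different user?'"""
    choices: List[str]


@dataclass
class UsernamePasswordForm:
    prefilled_user: Optional[str] = None


@dataclass
class Session:
    user: str
    via: str  # "kerberos" or "password"


class LoginFlow:
    """The chooser is enabled per client (the per-client switch the first poster asks for)."""

    def __init__(self, chooser_clients: List[str]):
        self.chooser_clients = set(chooser_clients)

    def authenticate(self, req: Request):
        """Step 1: SPNEGO handshake. Step 2: chooser page, if enabled for this client."""
        if req.spnego_principal is None:
            return UsernamePasswordForm()
        if req.client_id not in self.chooser_clients:
            # Chooser off: the handshake alone logs the user in, so someone who
            # just logged out is silently back in on the next request.
            return Session(req.spnego_principal, "kerberos")
        # The Kerberos user is always offered first; accounts remembered by the
        # persistent cookie follow, without duplicates.
        others = [a for a in req.remembered_cookie if a != req.spnego_principal]
        return ChooserPage(choices=[req.spnego_principal] + others)

    def choose(self, req: Request, page: ChooserPage, choice: Optional[str]):
        """The user's answer on the chooser page; None means 'a different user'."""
        if choice is None:
            return UsernamePasswordForm()
        if choice not in page.choices:
            raise ValueError("account was not offered on this page")
        if choice == req.spnego_principal:
            return Session(choice, "kerberos")
        # A remembered account is only a hint: it still has to prove a password.
        return UsernamePasswordForm(prefilled_user=choice)


# Constructed sample user store for the password step (not real credentials).
USERS = {"bob": "correct horse battery staple"}


def remember_login(req: Request, user: str) -> None:
    """The persistent cookie only records successful logins, nothing about logouts."""
    if user not in req.remembered_cookie:
        req.remembered_cookie.append(user)


def password_login(req: Request, user: str, password: str):
    if USERS.get(user) != password:
        return None
    remember_login(req, user)
    return Session(user, "password")


def logout(session: Session) -> None:
    """Ends the SSO session; with the chooser there is no 'logged out' cookie to set."""
    return None


def walkthrough():
    """Runs both variants on one browser and returns what each step produced."""
    cookie: List[str] = []
    off = LoginFlow(chooser_clients=[])
    req = Request("portal", "alice@EXAMPLE.ORG", cookie)
    s1 = off.authenticate(req)
    logout(s1)
    s2 = off.authenticate(req)           # auto re-login as the same Kerberos user

    on = LoginFlow(chooser_clients=["portal"])
    page1 = on.authenticate(req)         # only choice: the Kerberos user
    form = on.choose(req, page1, None)   # "different user" -> password form
    s3 = password_login(req, "bob", USERS["bob"])
    page2 = on.authenticate(req)         # now offers alice plus the remembered bob
    form2 = on.choose(req, page2, "bob")
    return s1, s2, page1, form, s3, page2, form2


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```

The design point the model makes is the one Bill argues: once the decision is a page shown after the handshake, the only state that has to persist across browser sessions is the list of accounts that logged in successfully, and a logout needs no cookie at all.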