<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">I wonder if we should address this
together with reducing the number of redirects (
<a class="moz-txt-link-freetext" href="https://issues.jboss.org/browse/KEYCLOAK-2098">https://issues.jboss.org/browse/KEYCLOAK-2098</a> ) and also support
for "authentication levels". We can encapsulate all the state of
authentication in ClientSession. If someone refreshes the page, we
will retrieve the ClientSession from the code and the current
state of execution will be retrieved from the ClientSession itself. <br>
<br>
ClientSession will also encapsulate all the state of
authentication after authentication is finished. For example there
will be "cookie" if the ClientSession was authenticated through a
cookie, "password, otp" if the clientSession was authenticated through
password + OTP, or "broker-facebook" if it was authenticated
through Facebook. There will also be timestamps of when each
successful authentication happened. The state will be partially
saved in UserSession, so if the clientSession was authenticated
through a cookie, it can retrieve from the userSession when the "real"
authentication happened, etc.<br>
<br>
This will allow us to support periodic re-authentication,
authentication levels and different requirements for
"authentication level" for individual applications. For example at
each SSO login or refresh, we will be able to:<br>
- ask the user to re-authenticate through OTP every 30 minutes<br>
- ask the user to re-authenticate through OTP if he was authenticated
through the Facebook broker<br>
- ask the user to re-authenticate through OTP if the application required
that with some magic parameter (AFAIK both OIDC and SAML have some
parameters for specifying authentication levels)<br>
<br>
Marek<br>
<br>
On 20/11/15 08:41, Marek Posolda wrote:<br>
</div>
<blockquote cite="mid:564ECEB7.3020401@redhat.com" type="cite">
<div class="moz-cite-prefix">You're right, we don't have this
right now. I don't know if it's something we should support
OOTB. The idea of broker login is that you delegate
authentication to another SSO/social server. Once the second
server says "Ok, user is authenticated", we treat him as
authenticated on the Keycloak side too. Isn't it the more proper
option for your use case to use OTP on the second server side
instead?<br>
<br>
Another option is to implement IdentityProviderMapper and, in the "<span
style="background-color:#e4e4ff;">updateBrokeredUser" method,
redirect the user to OTP login. Could you try this?</span>
<br>
<br>
<br>
If we want to support another login flow triggered after each
broker login (which I am not convinced of, TBH), we can either:<br>
<br>
1) Introduce a "post-broker-login" flow, which will be
configurable per IdentityProvider. By default, it will be
empty.<br>
<br>
2) Use just one flow, which will be triggered after each broker
login (the current "first broker login" flow is triggered only if
the federatedIdentity doesn't yet exist in Keycloak). In this case,
the current "first broker login" flow will need to be renamed to
"broker login" and more logic will need to be moved from
IdentityBrokerService to the flow itself. The disadvantage of
this option is that it may always require another redirect to
trigger authentication flows. But we're trying to reduce the
number of redirects ( <a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://issues.jboss.org/browse/KEYCLOAK-2098">https://issues.jboss.org/browse/KEYCLOAK-2098</a>
)<br>
<br>
Marek<br>
<br>
On 20/11/15 00:06, Dane Barentine wrote:<br>
</div>
<blockquote
cite="mid:AAEB56C386CF834FBC05F3055A4247D43524CB31@ALVMBXW02.prod.quest.corp"
type="cite">
<div class="WordSection1">
<p class="MsoNormal">Hi all,</p>
<p class="MsoNormal">I’m trying to add a custom authenticator
and it appears that there is no way to insert it in the
flow if it’s a brokered IDP login where the linked Keycloak
account already exists.</p>
<p class="MsoNormal">If it’s a local Keycloak user I can use
the Browser flow and if it’s a new brokered user the First
Broker Login flow will execute. But I don’t see a flow that
would allow me to insert something like OTP after a brokered
login of an existing user.</p>
<p class="MsoNormal">If I’m just missing it let me know, but I
think there needs to be some sort of flow for brokered
logins that runs on both existing and new users. For new
users it would run after the First Broker Login flow. Or
better yet, maybe a flow that would allow things such as OTP
to happen after any brokered or local login. That way it
wouldn’t have to be configured in multiple flows.</p>
<p class="MsoNormal">Thanks</p>
<p class="MsoNormal">Dane</p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
keycloak-dev mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
</blockquote>
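<p>To make the proposal at the top of the thread concrete, here is an added illustration (not Keycloak code, and not from any of the posters) of how a ClientSession that records each successful authentication method with a timestamp, and falls back to the UserSession for the "real" authentication times behind a cookie login, can drive the three re-authentication rules Marek lists. The ClientSession, Policy and otp_reauth_reason names are assumptions for this example.</p>

```python
"""Re-authentication decision based on per-session authentication state.
Constructed illustration of the ClientSession proposal in the thread;
it is not Keycloak's implementation."""
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class ClientSession:
    # method name ("cookie", "password", "otp", "broker-facebook", ...) ->
    # timestamp (seconds) of the last successful authentication with it
    auth_methods: Dict[str, int] = field(default_factory=dict)
    # the "real" authentication times kept on the UserSession; consulted when
    # this client session was only authenticated through the SSO cookie
    user_session_methods: Dict[str, int] = field(default_factory=dict)

    def effective_methods(self) -> Dict[str, int]:
        """Cookie login is not an authentication by itself: resolve it to the
        methods (and timestamps) recorded on the UserSession."""
        merged = dict(self.user_session_methods)
        merged.update({m: t for m, t in self.auth_methods.items() if m != "cookie"})
        return merged

@dataclass
class Policy:
    otp_max_age: Optional[int] = None  # rule 1: periodic OTP, None = disabled
    otp_after_broker: bool = False     # rule 2: OTP after a brokered login
    client_requires_otp: bool = False  # rule 3: requested by the application

def otp_reauth_reason(session: ClientSession, policy: Policy, now: int) -> Optional[str]:
    """Return why the user must re-authenticate with OTP, or None if not needed."""
    methods = session.effective_methods()
    via_broker = any(m.startswith("broker-") for m in methods)
    otp_needed = (policy.otp_max_age is not None
                  or policy.client_requires_otp
                  or (policy.otp_after_broker and via_broker))
    if not otp_needed:
        return None
    otp_at = methods.get("otp")
    if otp_at is None:
        return "otp-missing"
    if policy.otp_max_age is not None and now - otp_at > policy.otp_max_age:
        return "otp-expired"
    return None

if __name__ == "__main__":
    # constructed sample: cookie login whose real password+OTP login was 40 min ago
    s = ClientSession({"cookie": 3000}, {"password": 600, "otp": 600})
    print(otp_reauth_reason(s, Policy(otp_max_age=30 * 60), now=3000))
```

On a page refresh or SSO login the server would look up the ClientSession by code, evaluate the reason, and only then decide whether to redirect into an OTP flow, which is what lets a single policy cover cookie, password and broker logins without a separate flow per case.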
<br>
</body>
</html>