<div dir="ltr">That only works if all users have OTP set up. I don't think we can rely on that and we'll have to support both options.</div><div class="gmail_extra"><br><div class="gmail_quote">On 27 June 2016 at 14:24, Bill Burke <span dir="ltr"><<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Don't think that is an issue either. We can just write a different flow for PAM and gather password and OTP on the same page, or the same field like RHT IT does for our login.<span class=""><br>
<br>
On 6/27/16 2:27 AM, Stian Thorgersen wrote:<br>
</span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
My hope was that PAM would support verifying password and OTP as two<br>
completely separate calls without requiring a conversation and state<br>
between them. However, sounds like that's not possible. If libpam4j<br>
doesn't even support OTP it makes matters even worse.<br>
<br>
The sooner we can use SSSD rather than PAM for authentication the<br>
better. Or at least do the OTP verification over SSSD.<br>
<br>
On 24 June 2016 at 19:14, Bruno Oliveira <<a href="mailto:bruno@abstractj.org" target="_blank">bruno@abstractj.org</a><br></span><div><div class="h5">
<mailto:<a href="mailto:bruno@abstractj.org" target="_blank">bruno@abstractj.org</a>>> wrote:<br>
<br>
On 2016-06-24, Bill Burke wrote:<br>
><br>
><br>
> On 6/24/16 9:53 AM, John Dennis wrote:<br>
><br>
> ><br>
> > Let me try to clarify a few things.<br>
> ><br>
> > PAM is designed as a "conversation"; there are a few analogues you could<br>
> > compare it to:<br>
> ><br>
> > * a series of requests/responses<br>
> ><br>
> > * challenge/response authentication (e.g. CRAM)<br>
> ><br>
> > PAM has something equivalent to a session where state is stored<br>
> > during the "conversation". When you use PAM you establish a context<br>
> > (session) and iterate. In each iteration the PAM library will ask you for<br>
> > something and you reply. The iteration stops when the library signals<br>
> > completion.<br>
> ><br>
><br>
> Will the PAM conversation object be able to be serialized in-between web<br>
> requests? Is it something that can be rebuilt with HTTP session<br>
> information?<br>
><br>
> > For simple password auth the iteration is very short. But depending on<br>
> > how the PAM service is configured you could be prompted for other<br>
> > things. I suspect with Web forms the way you handle this is via<br>
> > redirects until such time as the PAM conversation completes.<br>
> ><br>
><br>
> What do you mean by "prompted"? Are we going to have to screen-scrape this<br>
> information, or is it a well-defined structure?<br>
><br>
> > So my suggestion would be to design this where there is a simple web<br>
> > form prompting for username/password but allow for the fact you may have<br>
> > to redirect to another page.<br>
> ><br>
><br>
> As I mentioned earlier, we already have these generic redirection<br>
> capabilities. Login is a "workflow" and you can define nodes in this<br>
> workflow. The current node in the flow can fail, pass, ignore, or challenge<br>
> an incoming request.<br>
><br>
> ><br>
> > Does that help?<br>
> ><br>
><br>
> We're getting there! :) My current thoughts are that PAM integration<br>
> should be implemented as a Keycloak Authenticator and user profile lookup,<br>
> via SSSD, should be done via a User Federation Provider (the new<br>
> interface).<br>
<br>
Phew! I think we are on the same page about it.<br>
<br>
><br>
> Bill<br>
<br>
--<br>
<br>
abstractj<br>
PGP: 0x84DC9914<br>
_______________________________________________<br>
keycloak-dev mailing list<br></div></div>
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a> <mailto:<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a>><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
<br>
<br>
</blockquote>
</blockquote></div><br></div>
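<p>The PAM conversation model John Dennis describes above (a handle holding state, the library issuing prompts, the application replying until the stack signals completion) and Bill's point about gathering the password and OTP on one page can be seen together in the following added example. It is not Keycloak, libpam4j or Linux-PAM code: it is a Python model of the API shape, with constructed users, modules and prompt strings; only the numeric PAM_* constants are taken from Linux-PAM's pam_appl.h. The prompt-to-form-field mapping and the names web_login, NeedInput and PamHandle are assumptions of the example.</p>

```python
"""Added example (not Keycloak, libpam4j or Linux-PAM code): a small model
of the PAM "conversation" discussed in the thread, driven from a web form.
The API shape is kept: a handle that holds state, a stack of modules that
raise prompts through the handle, and an application-supplied conversation
callback that answers them. Users, modules and prompts are constructed."""
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Return codes and message styles; numeric values as in Linux-PAM's
# <security/pam_appl.h>.
PAM_SUCCESS = 0
PAM_AUTH_ERR = 7
PAM_CONV_ERR = 19
PAM_PROMPT_ECHO_OFF = 1   # secret input: password, one-time code
PAM_TEXT_INFO = 4         # informational text, no reply expected


@dataclass
class Message:
    style: int
    prompt: str


class NeedInput(Exception):
    """Raised by the conversation callback when it has no answer for a prompt."""

    def __init__(self, prompt: str):
        super().__init__(prompt)
        self.prompt = prompt


Conv = Callable[[List[Message]], List[Optional[str]]]


@dataclass
class PamHandle:
    """Stand-in for pam_handle_t: everything the stack learns lives here,
    which is why the conversation cannot be split into independent calls."""
    user: str
    conv: Conv
    items: Dict[str, str] = field(default_factory=dict)

    def converse(self, style: int, prompt: str) -> Optional[str]:
        return self.conv([Message(style, prompt)])[0]


# Constructed credential store standing in for the password database and an
# OTP module's per-user secret; plaintext only because this is a model.
CONSTRUCTED_USERS = {"alice": {"password": "correct horse", "otp": "246810"}}


def _check(handle: PamHandle, key: str, prompt: str) -> int:
    record = CONSTRUCTED_USERS.get(handle.user)
    reply = handle.converse(PAM_PROMPT_ECHO_OFF, prompt) or ""
    if record is None or not hmac.compare_digest(reply.encode(), record[key].encode()):
        return PAM_AUTH_ERR
    return PAM_SUCCESS


def module_password(handle: PamHandle) -> int:
    """Plays the role of pam_unix: one ECHO_OFF prompt for the password."""
    return _check(handle, "password", "Password: ")


def module_otp(handle: PamHandle) -> int:
    """Plays the role of an OTP module: an info message, then a second prompt."""
    handle.converse(PAM_TEXT_INFO, "Second factor required.")
    return _check(handle, "otp", "One-time code: ")


def pam_authenticate(handle: PamHandle, stack: List[Callable[[PamHandle], int]]) -> int:
    """Stand-in for pam_authenticate(): iterate the stack until a module
    fails or the conversation cannot continue (PAM_CONV_ERR)."""
    for module in stack:
        try:
            rc = module(handle)
        except NeedInput as exc:
            handle.items["pending_prompt"] = exc.prompt
            return PAM_CONV_ERR
        if rc != PAM_SUCCESS:
            return rc
    return PAM_SUCCESS


# Assumed mapping from prompt text to web-form field name.
PROMPT_TO_FIELD = {"Password: ": "password", "One-time code: ": "otp"}


def form_conversation(fields: Dict[str, str]) -> Conv:
    """Conversation callback answering prompts from submitted form fields.
    It answers every prompt it has a field for and reports the first it cannot."""
    def conv(messages: List[Message]) -> List[Optional[str]]:
        replies: List[Optional[str]] = []
        for m in messages:
            if m.style == PAM_TEXT_INFO:
                replies.append(None)
                continue
            name = PROMPT_TO_FIELD.get(m.prompt)
            if name is None or name not in fields:
                raise NeedInput(m.prompt)
            replies.append(fields[name])
        return replies
    return conv


def web_login(user: str, fields: Dict[str, str]) -> Dict[str, str]:
    """One HTTP request's worth of login: the handle is rebuilt per request
    from the fields collected so far, since the handle itself holds the state."""
    handle = PamHandle(user=user, conv=form_conversation(fields))
    rc = pam_authenticate(handle, [module_password, module_otp])
    if rc == PAM_SUCCESS:
        return {"status": "ok"}
    if rc == PAM_CONV_ERR:  # the "redirect to another page" case from the thread
        return {"status": "need_input", "prompt": handle.items["pending_prompt"]}
    return {"status": "failed"}
```

<p>Submitting only the password returns need_input with the unanswered prompt; that is the point at which a web flow would redirect to a second page and, on the next request, re-run the whole conversation with everything collected so far, because the answers are consumed inside the handle rather than through two separable calls. Submitting password and one-time code together, as the "same page" approach does, completes the stack in a single request.</p>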