<div dir="ltr">Looks like it's better to keep as is and have user federation provider validate otp credentials as well. The current OTP authenticator delegates to user federation provider, so you'd end up with a separate OTP authenticator to do it with PAM.</div><div class="gmail_extra"><br><div class="gmail_quote">On 19 July 2016 at 00:48, Bruno Oliveira <span dir="ltr"><<a href="mailto:bruno@abstractj.org" target="_blank">bruno@abstractj.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Good morning,<br>
<br>
<br>
Today to authentication against PAM with just simple username/password I<br>
implemented UserFederationProvider and added the proper PAM login to<br>
validCredentials[1]. This covers the most basic scenario.<br>
<br>
Now I would like to cover a more complex scenario like OTP and change<br>
the flow a little bit like this:<br>
<br>
1. User providers her username<br>
2. The next screen asks to provide how many factor our user has(For<br>
example: OTP, password). We just don't know, PAM will tell what's next.<br>
3. We authenticate against it<br>
<br>
To see in practice against FreeIPA server, I just recorded it<br>
for a practical example[2].<br>
<br>
What would be the best approach to implement this flow? I was considering to<br>
move my authentication logic out of SSSD federation provider and create a PAM<br>
authenticator.<br>
<br>
Does it make sense?<br>
<br>
[1] - <a href="http://www.keycloak.org/docs/javadocs/org/keycloak/models/UserFederationProvider.html#validCredentials-org.keycloak.models.RealmModel-org.keycloak.models.UserCredentialModel-" rel="noreferrer" target="_blank">http://www.keycloak.org/docs/javadocs/org/keycloak/models/UserFederationProvider.html#validCredentials-org.keycloak.models.RealmModel-org.keycloak.models.UserCredentialModel-</a><br>
<br>
[2] - <a href="https://asciinema.org/a/atwnfbu0kqfasjl65weyoiz7a" rel="noreferrer" target="_blank">https://asciinema.org/a/atwnfbu0kqfasjl65weyoiz7a</a><br>
<br>
<br>
--<br>
<br>
abstractj<br>
PGP: 0x84DC9914<br>
_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</blockquote></div><br></div>