<div dir="ltr">I thought we where just going to do password and OTP in a single field?</div><div class="gmail_extra"><br><div class="gmail_quote">On 18 July 2016 at 23:53, Bruno Oliveira <span dir="ltr">&lt;<a href="mailto:abstractj@redhat.com" target="_blank">abstractj@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Good morning,<br>
<br>
<br>
Today to authentication against PAM with just simple username/password I<br>
implemented UserFederationProvider and added the proper PAM login to<br>
validCredentials[1]. This covers the most basic scenario.<br>
<br>
Now I would like to cover a more complex scenario like OTP and change<br>
the flow a little bit like this:<br>
<br>
1. User providers her username<br>
2. The next screen asks to provide how many factor our user has(For<br>
example: OTP, password). We just don&#39;t know, PAM will tell what&#39;s next.<br>
3. We authenticate against it<br>
<br>
To see in practice against FreeIPA server, I just recorded it<br>
for a practical example[2].<br>
<br>
What would be the best approach to implement this flow? I was considering to<br>
move my authentication logic out of SSSD federation provider and create a PAM<br>
authenticator.<br>
<br>
Does it make sense?<br>
<br>
[1] - <a href="http://www.keycloak.org/docs/javadocs/org/keycloak/models/UserFederationProvider.html#validCredentials-org.keycloak.models.RealmModel-org.keycloak.models.UserCredentialModel-" rel="noreferrer" target="_blank">http://www.keycloak.org/docs/<wbr>javadocs/org/keycloak/models/<wbr>UserFederationProvider.html#<wbr>validCredentials-org.keycloak.<wbr>models.RealmModel-org.<wbr>keycloak.models.<wbr>UserCredentialModel-</a><br>
<br>
[2] - <a href="https://asciinema.org/a/atwnfbu0kqfasjl65weyoiz7a" rel="noreferrer" target="_blank">https://asciinema.org/a/<wbr>atwnfbu0kqfasjl65weyoiz7a</a><br>
<br>
--<br>
<br>
abstractj<br>
PGP: 0x84DC9914<br>
______________________________<wbr>_________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/<wbr>mailman/listinfo/keycloak-dev</a><br>
</blockquote></div><br></div>