Realm selection modal
by Juraci Paixão Kröhling
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
All,
Once the Keycloak integration PR gets merged, I intend to work on the
registration feature and that will impact the "realm selection modal"
(which was also discussed during the demo).
So, I'd like to ask for ideas on how to implement that. What we know
so far:
- At first, each user is a tenant. So, the registration page could ask for:
* an "account name" (serves as the realm name)
* email address (this user will serve as the realm's super user)
* password
As the output, it shows the user a set of credentials. For instance,
a UUID which will serve as "password" for wildfly-sender or other
remote agents.
This registration feature would be in a separate WAR, available
probably on the /registration context.
When logging in, we need to tell Keycloak against which realm to
authenticate this user. So, we have two main choices here:
Option 1
* Allow the user to enter their account name on the first page.
* We then redirect the user to the Keycloak login page, based on the
account name he entered. If the realm name exists, Keycloak shows the
login page. Otherwise, Keycloak complains.
- or -
Option 2
* We store the user's email and realm on our side
* Before sending the user to the login page, we ask for the user's
email address. We then retrieve the realm for this address and send
the user for authentication.
I like the first option more, because:
* We can change this logic in the future to pre-fill the user's
account based on some other meta-data (sub-domain, for instance).
* Option 2 opens a door to email harvesting (the first step in an
attack reconnaissance phase): just enter a bunch of email addresses and
wait for a login page to appear, and you have a confirmation that this
email exists.
As this is a topic that was discussed on the demo, I'd like to hear
your opinions/suggestions on how to implement this.
- Juca.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJUxmFRAAoJECKM1e+fkPrX8dMIAIiu//9xPvkmztXsjt1bpV6V
SdgkfIk9Yctg4S4bRR2Cg2sigZ3Yq7zH/0CmiC/NCdh9dGYITjCPUmVjmmbEFVIz
e/n+cPLOpnH7j0GGq0yPF7BY/eJGLCC2RkY/OjnxkLBQ8TgoMC2sS5eQ5EJFywz0
EoB/YOJG4riokD9/bhuL5ztjGB/V9GxsoMwUks7YQIquhbGbiZ9aVi0ieAwFFuUh
MwtU5r4BoeVqDpwegkU5KU8Y3Jy20LtDm8kwKezsGNPyqkFeSUPymgn4uCnqlatM
j7cEP7KFlG6zCmoxUZNHnuMfGS+sTF0oezJFanyheb6+idI8leUMrrUo0Oi9/Cs=
=RPxX
-----END PGP SIGNATURE-----
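The enumeration concern raised against Option 2 can be made concrete. The following is an added example, not code from the post or from the Hawkular/Keycloak projects: it models Option 1 (redirect to the realm the user typed, no lookup on our side), Option 2 as described (look the realm up by email and answer differently for known and unknown addresses), and a uniform-response variant of Option 2 that closes the leak. The Keycloak base URL, the tenant table and every function name are assumptions; the login-endpoint path follows the usual Keycloak layout but is an assumption here too.

```python
"""Realm-selection options from the post, modelled as small functions.

Added example; names, URLs and the tenant table are assumptions, not
anything from the Hawkular or Keycloak code bases.
"""
from urllib.parse import quote

# Assumed Keycloak base URL (constructed for this example).
KEYCLOAK_BASE = "https://keycloak.example.test/auth"

# Constructed sample registrations, as the post describes them:
# the account name is the realm name and the registering email is
# the realm's super user.
TENANTS = {
    "acme": "alice@example.test",
    "globex": "bob@example.test",
}
EMAIL_TO_REALM = {email: realm for realm, email in TENANTS.items()}

# Stand-in for the outgoing mail queue used by the hardened variant.
OUTBOX = []


def option1_login_url(account_name: str) -> str:
    """Option 1: send the user straight to Keycloak for the realm they typed.

    Nothing is looked up on our side, so an unknown realm produces a
    Keycloak error page rather than a yes/no answer from us.
    """
    realm = quote(account_name, safe="")
    return f"{KEYCLOAK_BASE}/realms/{realm}/protocol/openid-connect/auth"


def option2_naive(email: str) -> dict:
    """Option 2 as described: resolve the realm from the email address.

    The visible reply differs for registered and unregistered addresses,
    which is exactly the confirmation the post warns about.
    """
    realm = EMAIL_TO_REALM.get(email)
    if realm is None:
        return {"status": 404, "body": "no account for this email"}
    return {"status": 302, "location": option1_login_url(realm)}


def option2_uniform(email: str) -> dict:
    """Option 2 with the leak closed.

    Every caller gets the same status and body; the realm-specific login
    link is delivered only to the mailbox, so only the mailbox owner
    learns whether the address is registered.
    """
    realm = EMAIL_TO_REALM.get(email)
    if realm is not None:
        OUTBOX.append((email, option1_login_url(realm)))
    return {
        "status": 200,
        "body": "If this address is registered, a login link has been sent.",
    }


def leaks_existence(lookup, known: str, unknown: str) -> bool:
    """True if the lookup's visible reply distinguishes a registered
    address from an unregistered one."""
    return lookup(known) != lookup(unknown)


if __name__ == "__main__":
    print("naive option 2 leaks:", leaks_existence(option2_naive, "alice@example.test", "nobody@example.test"))
    print("uniform option 2 leaks:", leaks_existence(option2_uniform, "alice@example.test", "nobody@example.test"))
```

Two caveats for the uniform variant: the mail send should happen asynchronously (or on a fixed schedule) so that response timing does not reintroduce the difference the body hides, and the endpoint still deserves per-address and per-client rate limiting, since a uniform answer only removes the oracle, not the cost of a flood of requests.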