TLDR; Per client authentication flows? Client can be configured to
override realm authentication flows.
Background:
I'm spec'ing out how we will replace OSIN (OpenShift OAuth server) with
Keycloak. One issue is that each OAuth client in OSIN can specify the
authentication flow they want. Non-browser clients like the 'oc' cmd
line tool want a 401, challenge-based protocol... Web console,
obviously, wants HTML. All OSIN clients use the OAuth
auth-code-grant regardless of whether they are non-browser or browser
clients. Keycloak assumes this OAuth grant type is browser based and
expects non-browser clients to use Resource Credentials grant or
client credential grant. OSIN does not support this and we (Keycloak)
have to be backward compatible.
Solution:
I think it would be pretty simple to add the ability to override
authentication flows per client. I don't think this would be a
one-off for OSIN as we could use it to implement other non-browser
input protocols. For example, I wanted to be able to have a
text-based auth flow for command line logins. I think this could be a
way to implement that.
--
Bill Burke
Red Hat