On 8/23/16 10:12 AM, Marek Posolda wrote:
Regarding SPNEGO, I remember we discussed it on the ML a few years ago and
agreed on doing it at the UserFederation level. However, that was before we
had the Authentication SPI :-)
So yes, maybe we can refactor now?
What we can do is:
- Add keytab, kerberos principal and "debug" as properties of
SPNEGOAuthenticator.
- If the user is successfully authenticated by SPNEGOAuthenticator, he will
be looked up by UserFederationStorage. If found, then authentication
finishes successfully (so the case when the user is in LDAP is still
supported). If he is not found, then he is lazily created (typically
the use case for SPNEGO/Kerberos not backed by LDAP).
This shouldn't be too hard to do though.
Regarding multiple handshakes, this is still a valid requirement IMO?
There are authentication mechanisms like SASL which rely on
multiple handshakes. Keycloak is currently built around passwords and
OTP, but people may want to add their own credential types, or in the
future we can add more mechanisms which can require multiple handshakes?
It really depends on what's involved with the handshake. Protocol stuff
should not be in the storage SPI. We already do multiple handshakes
with Kerberos in the Kerberos authenticator. SASL is a protocol and
thus should be handled at the Authenticator level. Maybe we need a
status object for isValid, I don't know.
Bill
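The design Marek sketches (keytab, principal and debug as properties of the SPNEGO authenticator; look the authenticated principal up in the user store and create it lazily if absent) and the challenge/response handshake Bill refers to, as an added example written for this page. It is not Keycloak's own SpnegoAuthenticator and was not posted in the thread. It assumes the 2016-era Keycloak Authentication SPI (org.keycloak.authentication.Authenticator, AuthenticationFlowContext) and the UserProvider method ordering of that time (getUserByUsername(username, realm), addUser(realm, username)); the config keys "keytab", "principal" and "debug", the class name, and the username mapping (strip the Kerberos realm, lowercase) are this example's choices, not project conventions. The GSS-API and JAAS calls are standard JDK APIs.

```java
// Added example, not Keycloak's code. Assumed: 2016-era Keycloak Authentication SPI
// and UserProvider signatures; config keys "keytab"/"principal"/"debug" are hypothetical.
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

public class SpnegoLazyUserAuthenticator implements Authenticator {
    private static final String NEGOTIATE = "Negotiate";
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        String authz = context.getHttpRequest().getHttpHeaders()
                .getRequestHeaders().getFirst(HttpHeaders.AUTHORIZATION);
        // Handshake leg 1: no token yet, so send the 401 challenge and stop here.
        if (authz == null || !authz.startsWith(NEGOTIATE + " ")) {
            context.challenge(Response.status(401).header(HttpHeaders.WWW_AUTHENTICATE, NEGOTIATE).build());
            return;
        }
        byte[] inToken = Base64.getDecoder().decode(authz.substring(NEGOTIATE.length() + 1).trim());
        Map<String, String> cfg = context.getAuthenticatorConfig().getConfig();
        try {
            // The acceptor credential comes from the keytab/principal configured on this authenticator.
            Subject acceptor = loginAcceptor(cfg.get("keytab"), cfg.get("principal"), cfg.get("debug"));
            GSSContext gss = Subject.doAs(acceptor, (PrivilegedExceptionAction<GSSContext>) () -> {
                GSSManager mgr = GSSManager.getInstance();
                GSSCredential cred = mgr.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                        new Oid(SPNEGO_OID), GSSCredential.ACCEPT_ONLY);
                return mgr.createContext(cred);
            });
            byte[] outToken = Subject.doAs(acceptor, (PrivilegedExceptionAction<byte[]>) () ->
                    gss.acceptSecContext(inToken, 0, inToken.length));
            if (!gss.isEstablished()) {
                // Handshake leg N: the acceptor wants another round trip. A real implementation must
                // keep this half-built GSSContext across requests; that is the per-protocol state Bill
                // says belongs in the Authenticator, not in the storage SPI.
                String cont = outToken == null ? NEGOTIATE
                        : NEGOTIATE + " " + Base64.getEncoder().encodeToString(outToken);
                context.challenge(Response.status(401).header(HttpHeaders.WWW_AUTHENTICATE, cont).build());
                return;
            }
            String principal = gss.getSrcName().toString();   // e.g. alice@EXAMPLE.ORG
            context.setUser(lookupOrCreate(context.getSession(), context.getRealm(), principal));
            context.success();
        } catch (Exception e) {
            context.failure(AuthenticationFlowError.INVALID_CREDENTIALS);
        }
    }

    // Assumed 2016-era UserProvider signatures. Found (e.g. via LDAP federation): use as-is.
    // Not found: lazily create, the SPNEGO-without-LDAP case from the thread.
    static UserModel lookupOrCreate(KeycloakSession session, RealmModel realm, String principal) {
        String username = principal.split("@", 2)[0].toLowerCase();   // mapping is this example's choice
        UserModel user = session.users().getUserByUsername(username, realm);
        if (user != null) {
            return user;
        }
        user = session.users().addUser(realm, username);
        user.setEnabled(true);
        return user;
    }

    // JAAS login with the JDK Krb5LoginModule so the acceptor holds the service key from the keytab.
    static Subject loginAcceptor(String keytab, String principal, String debug) throws Exception {
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytab);
        opts.put("principal", principal);     // e.g. HTTP/sso.example.org@EXAMPLE.ORG
        opts.put("storeKey", "true");
        opts.put("isInitiator", "false");
        opts.put("doNotPrompt", "true");
        opts.put("debug", debug == null ? "false" : debug);
        Configuration jaas = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
        LoginContext lc = new LoginContext("spnego-acceptor", null, null, jaas);
        lc.login();
        return lc.getSubject();
    }

    @Override public void action(AuthenticationFlowContext context) { authenticate(context); }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

The browser never talks to the user store: the 401/Negotiate round trips are handled entirely inside authenticate(), and the store is only consulted once the GSS context is established. That split is the point of the thread: protocol legs live in the Authenticator, and the storage SPI only answers "does this user exist, and if not, create it". Note that SPNEGO with a plain Kerberos ticket normally completes in a single leg; the continuation branch exists for mechanisms that genuinely need more than one, which is where the "status object" question arises.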