On 5 October 2015 at 15:10, Bill Burke <bburke@redhat.com> wrote:

On 10/5/2015 3:39 AM, Stian Thorgersen wrote:

I don't think the account chooser is a good option. As you say users
that login with Kerberos (and have enabled Kerberos for the Keycloak
domain) will in 99% cases want to login with Kerberos.

Is logging out of Kerberos a big deal? I have no idea. Never in my career have I had to log in via kerberos.

No, but I thought that was what you where arguing against?

End of the day I don't really like any of these options, and so far
Michael is the only person asking for something like this. With that in
mind I think it's better that Michael would develop something custom on
top of the authenticator spi, rather than us adding this to Keycloak.

I agree, but an account chooser would be a nice feature to add the way I described it. We got a lot of other stuff to do though that has higher priority.

Maybe I don't understand the account chooser, but it's seems like it's just a way to select if you want to use Kerberos or regular login? What we need is the ability to log in additional accounts and be able to switch between them. That also requires applications to be able to retrieve tokens for the different logged in accounts.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com