----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Wednesday, February 11, 2015 5:29:54 PM
Subject: [keycloak-dev] Kerberos progress
I've already pushed initial version of Kerberos broker. It uses existing
brokering mechanism from Pedro and allows to login users to KC with
SPNEGO/Kerberos token. There are still things I need to address (more
testing + automated testing, Credentials delegation etc).
I have a question about automatic Kerberos login without displaying
login form. Browsers support this very well - when server returns
response with status 401, header "WWW-Authenticate: Negotiate" and HTML
with login page, browsers are able to handle it and:
* In case that user has Kerberos ticket, browser will send it back in
additional HTTP request with "Authorization: Negotiate <ticket>" . In
this case login form is not displayed to user
* In case that user hasn't Kerberos ticket, browser just displays HTML
with login form
You can try
https://saml.redhat.com/idp/ to see what I mean.
JBoss Negotiation supports this, so I believe we should address it too.
I have some ideas how to do it:
1) Configure default broker on server side per-realm. If used, login
request will automatically redirect to configured broker. It may be also
possible to override default broker per client?
2) Add on/off switch to broker configuration to specify if it should be
default or not
3) Leverage existing "k_idp_hint" parameter. I am thinking about adding
option "idp_hint" into AdapterConfig . In case it's configured, adapter
will use it for attach "k_idp_hint" parameter to login request. This
will allow per-application configuration and no changes on auth-server
side, but all applications will need to use it in their adapter
configuration.
IMO, all above are valid. #1 and #2 may be useful even if not using Kerberos. And yes, IMO
this should be per-client as well. I've added a new tab in Application and OAuth
Client to enable/disable providers on a client. Maybe you can put this config there.
I think #3 is also valid if apps want to bypass login form for their users and go straight
to an identity provider.
FYI, currently implementation redirects the user automatically to an identity provider if
there is a single one and no credentials are configured for a realm.
4) Don't configure anything, but hard-code that Kerberos will be always
used by default if configured. Basically add new method "boolean
isDefault()" to IDentityProvider interface. It will return "true" for
Kerberos impl and "false" for other broker types we currently have.
I like (1) or (2) most. Thoughts?
Marek
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev