Re: [keycloak-dev] Authentication SPI

From: "Bill Burke" <bburke(a)redhat.com&gt; To: keycloak-dev(a)lists.jboss.org Sent: Monday, 13 October, 2014 4:37:34 PM Subject: Re: [keycloak-dev] Authentication SPI We should discuss whether we need to reshuffle our prioritization. Also, personally, I don't want to be stuck with all the integration work we have to do with Tomcat, Jetty, BRMS, etc. :)

On 10/13/2014 3:23 AM, Stian Thorgersen wrote: > We should consider adding an Authentication SPI. This would be something > similar to what we used to have, but should be more flexible (for example > allow redirect to other IdPs). > > This could be used for: > > * Kerberos bridge > * Authenticate with external IdP (SAML or OpenID Connect) > * Add custom authentication providers > * Additional authentication mechanisms (fingerprint, hardware keys, etc.) > > Same SPI could also be used for custom multi-factor authenticators. As well > as for authenticating non-human users (cert, jwt, etc.). > > A realm should be able to have more than one authentication mechanism. For > example by default users authenticate with username/password (through the > user store), but all users with a specific email domain authenticate with > an external IdP. At the same time a user could have one or more main > authenticators (password, hardware devices, etc.) and one or more > secondary authenticators (totp, hardware token, etc.). > > Certainly needs a lot more thinking/design, but if it's something we're > interested in I'd like to look at it. > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev