I thought we were just going to do password and OTP in a single field?
On 18 July 2016 at 23:53, Bruno Oliveira <abstractj(a)redhat.com> wrote:
Good morning,
Today, to authenticate against PAM with just a simple username/password, I
implemented UserFederationProvider and added the proper PAM login to
validCredentials[1]. This covers the most basic scenario.
Now I would like to cover a more complex scenario like OTP and change
the flow a little bit like this:
1. User provides her username
2. The next screen asks to provide how many factors our user has (for
example: OTP, password). We just don't know, PAM will tell what's next.
3. We authenticate against it
To see it in practice against a FreeIPA server, I just recorded it
as a practical example[2].
What would be the best approach to implement this flow? I was considering
moving my authentication logic out of the SSSD federation provider and
creating a PAM authenticator.
Does it make sense?
[1] - http://www.keycloak.org/docs/javadocs/org/keycloak/models/UserFederationProvider.html#validCredentials-org.keycloak.models.RealmModel-org.keycloak.models.UserCredentialModel-
[2] - https://asciinema.org/a/atwnfbu0kqfasjl65weyoiz7a
--
abstractj
PGP: 0x84DC9914