I think that some applications care about how the user was authenticated :-\

I don't like the query param approach, as it requires somehow adding the query param to specify what authenticators to skip. This would have to be added to the applications themselves, and with Keycloak the whole idea is that applications shouldn't have to worry about authentication semantics.

For external IdPs, we already have an "Authenticate by Default" switch on identity providers. We also have the kc_idp_hint parameter, as I mentioned above.

We need a generic mechanism to be able to skip any authenticators that automatically log in a user. Currently this is only Kerberos, but in the future we could add more, including an option to automatically route to external IdPs.
+1 to supporting the "Is this you?" screen. However, maybe this should be configurable, as some deployments may not want to display the screen but want to re-login automatically.

Ignoring implementation semantics for now, but taking Kerberos as the example authenticator, I can see some options (in the examples below replace 'Kerberos' with any other authentication method that can automatically log in a user):

* If a user that was logged in using Kerberos logs out, the user should not just be automatically logged in again for the current browser session. Instead the user should be presented with a regular username/password form, but also with an option to log in with Kerberos
* A variant on the above, where if a user has logged out from Kerberos the user would be shown an "Is this you?" screen at login; if the user selects yes, the Kerberos authenticator would continue, if not, the regular username/password form would be displayed
* Implement an account switcher, where a user can log in to multiple accounts at a time and select which account to use

Other ideas? Points for ideas that require no hacks in applications ;)
On 30 September 2015 at 15:39, Michael Gerber <gerbermichi@me.com> wrote:
Hi all,
I would like to use Kerberos as my standard authentication mechanism, but I also want to have the possibility to log in as an admin via the login form. Therefore, I want to skip the Kerberos authenticator after a successful logout.
How would you solve this problem?
I've got two solutions: one sets a logout session cookie after a logout and then skips the Kerberos authentication, and another which allows users to skip any kind of alternative authenticator with a query parameter.
Logout Session Cookie
Query Param
Michael
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
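As an added illustration of the "logout session cookie" idea from Michael's message above (this is example code written for this page, not code from the thread, from Michael's patches, or from the Keycloak project): a wrapper around Keycloak's SPNEGO authenticator that reports the Kerberos step as merely "attempted" when a marker cookie is present, so an ALTERNATIVE flow falls through to the username/password form instead of silently logging the same user in again. The class, package and cookie name are assumptions; the cookie would have to be added to the logout response by a (hypothetically patched) logout endpoint, which is why the builder for it is exposed as a static helper rather than wired in here.

```java
package org.example.keycloak.kerberos; // hypothetical package, not part of Keycloak

import java.util.Map;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.NewCookie;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/**
 * Example (not Keycloak's own code): delegates to the built-in SPNEGO
 * authenticator unless the browser presents the marker cookie set at logout.
 * With the marker present the step is reported as "attempted", so in an
 * ALTERNATIVE flow the next authenticator (the username/password form) runs
 * and the user is not transparently logged in again with Kerberos.
 */
public class SkipAfterLogoutSpnegoAuthenticator implements Authenticator {

    // Assumed cookie name. It carries no secret: a forged or missing cookie only
    // decides whether SPNEGO is tried first, never whether someone is logged in.
    public static final String SKIP_COOKIE = "KEYCLOAK_SKIP_KERBEROS";

    // Assumption: the built-in authenticator can be constructed directly in your version.
    private final SpnegoAuthenticator delegate = new SpnegoAuthenticator();

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        Map<String, Cookie> cookies = context.getHttpRequest().getHttpHeaders().getCookies();
        if (cookies != null && cookies.containsKey(SKIP_COOKIE)) {
            // Marker present: do not negotiate, let the next alternative run.
            context.attempted();
            return;
        }
        delegate.authenticate(context);
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        delegate.action(context);
    }

    @Override
    public boolean requiresUser() {
        return delegate.requiresUser();
    }

    @Override
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
        return delegate.configuredFor(session, realm, user);
    }

    @Override
    public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
        delegate.setRequiredActions(session, realm, user);
    }

    @Override
    public void close() {
        delegate.close();
    }

    /**
     * Cookie a (hypothetically patched) logout endpoint would add to its response.
     * Scoped to the realm's login path, Secure + HttpOnly, and session-lifetime
     * (DEFAULT_MAX_AGE == -1) so a fresh browser session goes back to automatic
     * Kerberos login, matching the "for the current browser session" option above.
     */
    public static NewCookie skipCookie(String realmLoginPath, boolean secure) {
        return new NewCookie(SKIP_COOKIE, "1", realmLoginPath, null, null,
                NewCookie.DEFAULT_MAX_AGE, secure, true);
    }
}
```

To use it you would still need an AuthenticatorFactory plus the META-INF/services registration (not shown), and then put this authenticator in place of the stock Kerberos one in the browser flow, marked ALTERNATIVE next to the username/password form. Note that the cookie only gates the automatic SPNEGO attempt: it does not grant anything, so it needs no integrity protection, and a client can at worst force the password form, which is the behaviour the thread is asking for anyway.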