We should consider adding an Authentication SPI. This would be something similar to what
we used to have, but should be more flexible (for example allow redirect to other IdPs).
This could be used for:
* Kerberos bridge
* Authenticate with external IdP (SAML or OpenID Connect)
* Add custom authentication providers
* Additional authentication mechanisms (fingerprint, hardware keys, etc.)
The same SPI could also be used for custom multi-factor authenticators, as well as for
authenticating non-human users (cert, JWT, etc.).
A realm should be able to have more than one authentication mechanism. For example, by
default users authenticate with username/password (through the user store), but all users
with a specific email domain authenticate with an external IdP. At the same time, a user
could have one or more main authenticators (password, hardware devices, etc.) and one or
more secondary authenticators (TOTP, hardware token, etc.).
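To make the shape of such an SPI concrete, here is an added toy model in Python. It is not code from the original post or from any project; the authenticator classes, the `Realm` routing by email domain, the partner domain `partner.example`, the IdP URL, the fixed clock and the TOTP secret are all constructed for the example. Every authenticator implements one `authenticate(user, credentials)` method and returns a result that is success, failure, a redirect (for the external IdP case) or a challenge (a further credential is needed); the realm picks a primary authenticator per user and then runs whichever secondary authenticators apply to that user.

```python
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AuthResult:
    status: str      # "success", "failure", "redirect" or "challenge"
    detail: str = "" # reason, or the redirect URL for "redirect"


SUCCESS = AuthResult("success")


@dataclass
class User:
    username: str
    email: str
    salt: bytes = b""
    password_hash: bytes = b""
    totp_secret: Optional[bytes] = None  # set => TOTP is a configured secondary factor


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PasswordAuthenticator:
    """Primary authenticator backed by the realm's own user store."""
    name = "password"

    def authenticate(self, user: User, creds: dict) -> AuthResult:
        supplied = creds.get("password")
        if supplied is None:
            return AuthResult("challenge", "password required")
        if hmac.compare_digest(hash_password(supplied, user.salt), user.password_hash):
            return SUCCESS
        return AuthResult("failure", "bad credentials")


class ExternalIdpAuthenticator:
    """Primary authenticator that hands the user off to an external IdP (constructed)."""
    name = "external-idp"

    def __init__(self, redirect_url: str):
        self.redirect_url = redirect_url

    def authenticate(self, user: User, creds: dict) -> AuthResult:
        # Constructed stand-in: a real implementation validates the SAML/OIDC assertion.
        if creds.get("idp_assertion_subject") == user.email:
            return SUCCESS
        return AuthResult("redirect", self.redirect_url)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", int(now) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpAuthenticator:
    """Secondary authenticator; accepts one time step of drift either side."""
    name = "totp"

    def __init__(self, clock=time.time):
        self.clock = clock

    def authenticate(self, user: User, creds: dict) -> AuthResult:
        code = creds.get("totp")
        if code is None:
            return AuthResult("challenge", "totp required")
        now = self.clock()
        for drift in (-1, 0, 1):
            if hmac.compare_digest(totp(user.totp_secret, now + drift * 30), str(code)):
                return SUCCESS
        return AuthResult("failure", "bad totp")


@dataclass
class Realm:
    users: dict
    default_primary: object
    routes: list = field(default_factory=list)       # (predicate(user), primary authenticator)
    secondaries: list = field(default_factory=list)  # (predicate(user), secondary authenticator)

    def primary_for(self, user: User):
        for pred, auth in self.routes:
            if pred(user):
                return auth
        return self.default_primary

    def authenticate(self, username: str, creds: dict) -> AuthResult:
        user = self.users.get(username)
        if user is None:  # same message as a wrong password: don't leak which usernames exist
            return AuthResult("failure", "bad credentials")
        result = self.primary_for(user).authenticate(user, creds)
        if result.status != "success":
            return result
        for pred, auth in self.secondaries:  # every applicable secondary must pass
            if pred(user):
                result = auth.authenticate(user, creds)
                if result.status != "success":
                    return result
        return SUCCESS


FIXED_NOW = 1_700_000_000  # constructed fixed clock so the example is deterministic
DEMO_TOTP_SECRET = b"12345678901234567890"  # constructed, the RFC 6238 test-vector secret


def build_demo_realm() -> Realm:
    """Constructed realm: password by default, partner.example users go to an external IdP."""
    salt = b"constructed-salt"
    alice = User("alice", "alice@example.com", salt,
                 hash_password("correct horse", salt), totp_secret=DEMO_TOTP_SECRET)
    bob = User("bob", "bob@partner.example", salt)  # no local password; the partner IdP owns him
    return Realm(
        users={"alice": alice, "bob": bob},
        default_primary=PasswordAuthenticator(),
        routes=[(lambda u: u.email.endswith("@partner.example"),
                 ExternalIdpAuthenticator("https://idp.partner.example/saml/login"))],
        secondaries=[(lambda u: u.totp_secret is not None,
                      TotpAuthenticator(clock=lambda: FIXED_NOW))],
    )
```

With this realm, alice must supply a correct password and then a valid TOTP code (the first call returns a `challenge`, not a `success`), while bob is never asked for a local password at all: the routing rule matches his email domain and the result is a `redirect` to the IdP until an assertion for his email arrives. Adding a Kerberos bridge or a hardware-key authenticator means adding one more class with the same method, which is the point of keeping the SPI to a single `authenticate` call.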
Certainly needs a lot more thinking/design, but if it's something we're interested
in I'd like to look at it.