Sorry to jump in but Bill just mentioned a real use case within organizations that utilize
a risk engine.
If I typically log in from, say, the USA and one day I log in from a different country, the risk
engine will kick in and, based on a policy defined, it may require me to do additional
authentication (OTP).
Similarly there could be a set of blacklisted IP addresses which may necessitate no
access at all or in some cases require multiple authentication steps. Bottom line is a
risk engine will determine the authentication steps based on a number of factors including
a policy defined for each client app on what is acceptable under what conditions.
Sent from my iPhone
On May 11, 2015, at 10:09 AM, Bill Burke <bburke(a)redhat.com> wrote:
> On 5/11/2015 9:44 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Monday, 11 May, 2015 3:29:13 PM
>> Subject: [keycloak-dev] auth spi design requirements and initial steps
>>
>> Some generic requirements that will affect the design.
>>
>> 1. Authenticator should be able to be optional per user. i.e. OTP can be
>> optionally set up by the user
>> 2. Multiple authenticators should be resolvable per form. i.e. password,
>> terms and conditions, captcha, and otp could be entered in on one page.
>> 3. Non form based authenticators should be able to bypass any screens if
>> they are the only authenticators. i.e. CLIENT_CERT and KERBEROS.
>> 4. Authenticators need to be able to send challenges after initial
>> request, i.e. Kerberos
>> 5. Clients should be able to specify which Authenticators they require
>> 6. You should be able to attach policies to an Authenticator which
>> allows you to do things like, don't do OTP if you are coming from IP
>> address where you last logged in.
>
> Bypassing OTP shouldn't be based on IP. Instead when you do OTP there should be
> an option to not ask for OTP next time, which sets a cookie. Reasoning behind this is:
>
> 1. It's how Google does it ;)
> 2. IP address for most users are dynamic, and also often shared
> 3. User should choose not to use OTP next time. This is important as user could be
> logging in from a public machine, a friend's machine, etc.
IP Address can be used to find the user's location. I noticed that
World of Warcraft does this. i.e. I didn't have to enter OTP at home,
but I did when I traveled (same laptop used).
I forgot another one:
- Authenticators should be able to add headers to responses i.e. to set
a cookie
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
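The thread above describes three inputs a risk engine or authenticator policy can combine: a per-client policy (Bill's requirement 6), a "don't ask for OTP on this device again" cookie (Stian's suggestion), and a change of login location or a blocked source address (the iPhone reply and Bill's World of Warcraft observation). The following is an added illustrative model of such a policy evaluation, written for this thread; it is not Keycloak code and does not use the Keycloak authentication SPI. The `LoginContext` and `ClientPolicy` types, the in-memory `LAST_COUNTRY` and `TRUSTED_DEVICE_TOKENS` tables, the step names, and the sample IP ranges are all constructed assumptions. GeoIP resolution of the source address to a country is assumed to have happened upstream.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set
import secrets

# --- Constructed sample state (would be persisted per realm in a real deployment) ---
LAST_COUNTRY: Dict[str, str] = {"alice": "US"}            # country seen at last login
TRUSTED_DEVICE_TOKENS: Dict[str, Set[str]] = {"alice": {"dev-token-1"}}


@dataclass
class LoginContext:
    """What the risk engine knows about one login attempt (constructed type)."""
    user: str
    client_id: str
    source_ip: str
    country: str                            # resolved from source_ip upstream (assumed)
    otp_configured: bool                    # requirement 1: OTP is optional per user
    trusted_device_cookie: Optional[str] = None   # Stian's "don't ask next time" cookie
    client_cert_verified: bool = False      # requirement 3: non-form authenticator


@dataclass
class ClientPolicy:
    """Per-client policy (requirement 5/6): which steps are acceptable when."""
    require_otp: bool = True
    allow_trusted_device_skip: bool = True  # honour the cookie-based skip
    accept_client_cert: bool = False        # let CLIENT_CERT bypass all forms
    blocked_networks: List[str] = field(default_factory=list)


def remember_device(user: str) -> str:
    """Issue the value an authenticator would set in the 'trusted device' cookie.
    Cryptographically random so it cannot be guessed (requirement: add headers)."""
    token = secrets.token_urlsafe(32)
    TRUSTED_DEVICE_TOKENS.setdefault(user, set()).add(token)
    return token


def evaluate(ctx: LoginContext, policy: ClientPolicy) -> List[str]:
    """Return the ordered authentication steps required, or ["DENY"].

    Rules modelled from the thread:
      * source IP inside a blacklisted network  -> no access at all
      * verified client certificate              -> bypass every form screen
      * OTP is required if the user has it configured AND the client requires it,
        unless a trusted-device cookie is presented; a change of country overrides
        the cookie (same laptop, different location still prompts for OTP).
    """
    ip = ip_address(ctx.source_ip)
    for net in policy.blocked_networks:
        if ip in ip_network(net):
            return ["DENY"]

    if ctx.client_cert_verified and policy.accept_client_cert:
        return ["client_cert"]              # no password/OTP screens shown

    steps = ["password"]
    if ctx.otp_configured and policy.require_otp:
        known_tokens = TRUSTED_DEVICE_TOKENS.get(ctx.user, set())
        trusted = (policy.allow_trusted_device_skip
                   and ctx.trusted_device_cookie is not None
                   and ctx.trusted_device_cookie in known_tokens)
        last = LAST_COUNTRY.get(ctx.user)
        location_changed = last is not None and last != ctx.country
        if location_changed or not trusted:
            steps.append("otp")
    return steps


def record_success(ctx: LoginContext) -> None:
    """After a successful login, remember the country for the next risk decision."""
    LAST_COUNTRY[ctx.user] = ctx.country


if __name__ == "__main__":
    policy = ClientPolicy(blocked_networks=["198.51.100.0/24"])
    home = LoginContext("alice", "web", "203.0.113.5", "US", True, "dev-token-1")
    print(evaluate(home, policy))           # trusted device at home: password only
    abroad = LoginContext("alice", "web", "203.0.113.5", "DE", True, "dev-token-1")
    print(evaluate(abroad, policy))         # same cookie, new country: OTP again
```

The ordering of the checks matters: a blocked network is evaluated before any cookie so that a stolen trusted-device token from a blacklisted address still gets no access, and the location check is evaluated after the cookie so that Stian's per-device skip and Bill's location-based prompt coexist rather than one replacing the other.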