On 11.2.2015 21:45, Pedro Igor Silva wrote:
----- Original Message -----
> From: "Marek Posolda" <mposolda(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Wednesday, February 11, 2015 5:29:54 PM
> Subject: [keycloak-dev] Kerberos progress
>
> I've already pushed initial version of Kerberos broker. It uses existing
> brokering mechanism from Pedro and allows to login users to KC with
> SPNEGO/Kerberos token. There are still things I need to address (more
> testing + automated testing, Credentials delegation etc).
>
> I have a question about automatic Kerberos login without displaying
> login form. Browsers support this very well - when server returns
> response with status 401, header "WWW-Authenticate: Negotiate" and HTML
> with login page, browsers are able to handle it and:
>
> * In case that user has Kerberos ticket, browser will send it back in
> additional HTTP request with "Authorization: Negotiate <ticket>" .
In
> this case login form is not displayed to user
>
> * In case that user hasn't Kerberos ticket, browser just displays HTML
> with login form
>
> You can try
https://saml.redhat.com/idp/ to see what I mean.
>
> JBoss Negotiation supports this, so I believe we should address it too.
>
>
> I have some ideas how to do it:
>
> 1) Configure default broker on server side per-realm. If used, login
> request will automatically redirect to configured broker. It may be also
> possible to override default broker per client?
>
> 2) Add on/off switch to broker configuration to specify if it should be
> default or not
>
> 3) Leverage existing "k_idp_hint" parameter. I am thinking about adding
> option "idp_hint" into AdapterConfig . In case it's configured,
adapter
> will use it for attach "k_idp_hint" parameter to login request. This
> will allow per-application configuration and no changes on auth-server
> side, but all applications will need to use it in their adapter
> configuration.
IMO, all above are valid. #1 and #2 may be useful even if not using Kerberos. And yes,
IMO this should be per-client as well. I've added a new tab in Application and OAuth
Client to enable/disable providers on a client. Maybe you can put this config there.
Ok, I can put the on/off switch for the brokering configuration (option
#2). For Kerberos, it will be "on" by default, for other broker types
"off" by default. This would be for specifying default brokering
mechanism for the realm. Then I can take a look for allowing to override
it per client in your new tab. Sounds good?
Marek
I think #3 is also valid if apps want to bypass login form for their users and go
straight to an identity provider.
FYI, currently implementation redirects the user automatically to an identity provider if
there is a single one and no credentials are configured for a realm.
> 4) Don't configure anything, but hard-code that Kerberos will be always
> used by default if configured. Basically add new method "boolean
> isDefault()" to IDentityProvider interface. It will return "true" for
> Kerberos impl and "false" for other broker types we currently have.
>
> I like (1) or (2) most. Thoughts?
>
> Marek
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
>