> ----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: "Pedro Igor Silva" <psilva(a)redhat.com>
> Cc: "Marek Posolda" <mposolda(a)redhat.com>, keycloak-dev(a)lists.jboss.org
> Sent: Thursday, February 12, 2015 12:01:20 PM
> Subject: Re: [keycloak-dev] Kerberos progress
>
> On 2/12/2015 8:53 AM, Pedro Igor Silva wrote:
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke(a)redhat.com>
>>> To: "Marek Posolda" <mposolda(a)redhat.com>, keycloak-dev(a)lists.jboss.org
>>> Sent: Thursday, February 12, 2015 11:49:05 AM
>>> Subject: Re: [keycloak-dev] Kerberos progress
>>>
>>> I'm just trying to figure out where the Broker SPI ends and the User
>>> Federation SPI begins, and wondering if our SPIs can be unified,
>>> simplified, or refactored. For example, how would client-cert auth be
>>> implemented? Like Kerberos, it's a credential that is checked prior to
>>> displaying a login screen.
>>>
>>> Another thing, does the broker SPI allow you to still require extra
>>> credentials supplied by Keycloak instead of the brokered IDP?
>>
>> What is the use case?
>>
> You have an IDP that only handles username/password and you want to add
> client-cert/otp for additional protection. For example, a login to
> Facebook.
Today, the broker handles only the UPDATE_PROFILE required action. This is an on/off
button on the provider's page to force an update of the profile, regardless of whether
it is defined by a realm or not.

For credentials and other types of required actions, I think that if you set that for a
realm, the user will be presented with the respective page. I did not test that, but I
will, and I'll also write some tests. The broker always invokes your code in
org.keycloak.services.managers.AuthenticationManager#nextActionAfterAuthentication after a
successful authentication.
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
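An added illustration (not code from Keycloak, Bill or Pedro) of the behaviour Pedro describes: the external IdP has already authenticated the user, and Keycloak still works through its own required-action queue (the provider's update-profile toggle, then enrollment or verification of a realm-required OTP) before any token is issued. The Realm, BrokerProvider and User classes and the broker_login, complete_action and issue_token functions are names assumed for this example and are not Keycloak's SPI; the OTP check, however, is a real RFC 4226/6238 HOTP/TOTP, so the "extra credential supplied by Keycloak" that Bill asks about is actually verified. The demo secret and frozen clock are constructed from the RFC 6238 test vectors.

```python
"""Model of a post-broker required-action gate with a real TOTP check.
Illustrative only: names are assumptions, not Keycloak's SPI."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Required-action names used by the model (UPDATE_PROFILE mirrors the thread;
# the two TOTP actions are assumed for illustration).
UPDATE_PROFILE = "UPDATE_PROFILE"
CONFIGURE_TOTP = "CONFIGURE_TOTP"
VERIFY_TOTP = "VERIFY_TOTP"
STEP = 30  # TOTP time step in seconds


@dataclass
class Realm:
    require_totp: bool = False  # realm-wide policy: every login needs an OTP


@dataclass
class BrokerProvider:
    force_update_profile: bool = False  # the on/off button on the provider's page


@dataclass
class User:
    username: str
    totp_secret: Optional[bytes] = None  # None until the user has enrolled
    profile: Dict[str, str] = field(default_factory=dict)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // STEP, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side (clock skew);
    constant-time compare so a wrong digit is not timing-observable."""
    return any(
        hmac.compare_digest(totp(secret, at + d * STEP).encode(), code.encode())
        for d in range(-window, window + 1)
    )


def broker_login(realm: Realm, provider: BrokerProvider, user: User) -> List[str]:
    """Called once the external IdP has vouched for `user`. Returns the actions
    Keycloak itself still demands, in run order; empty means tokens may be issued."""
    pending = []
    if provider.force_update_profile:
        pending.append(UPDATE_PROFILE)
    if realm.require_totp:
        # The IdP only checked a password, so the realm's OTP is enforced here:
        # enroll on the first login, verify on every later one.
        pending.append(CONFIGURE_TOTP if user.totp_secret is None else VERIFY_TOTP)
    return pending


def complete_action(user: User, pending: List[str], action: str,
                    payload: Dict[str, object], now: int) -> List[str]:
    """Resolve the head of the queue and return what remains.
    Raises PermissionError if the supplied credential does not verify."""
    if not pending or pending[0] != action:
        raise ValueError("required actions must be completed in order")
    if action == UPDATE_PROFILE:
        user.profile.update({k: str(v) for k, v in payload.items()})
    elif action == CONFIGURE_TOTP:
        secret, code = payload["secret"], payload["code"]
        if not verify_totp(secret, code, now):  # prove possession before storing
            raise PermissionError("enrollment code did not verify")
        user.totp_secret = secret
    elif action == VERIFY_TOTP:
        if not verify_totp(user.totp_secret, payload["code"], now):
            raise PermissionError("invalid OTP")
    return pending[1:]


def issue_token(user: User, pending: List[str]) -> Dict[str, object]:
    """Only an empty queue yields a token; `amr` records that a Keycloak-side
    OTP was part of this login even though the password lived at the IdP."""
    if pending:
        raise PermissionError("outstanding required actions: %s" % pending)
    return {"sub": user.username, "amr": ["idp"] + (["otp"] if user.totp_secret else [])}


if __name__ == "__main__":
    # Constructed demo: RFC 6238 test secret with the clock frozen at t=59.
    secret, now = b"12345678901234567890", 59
    alice = User("alice")
    queue = broker_login(Realm(require_totp=True), BrokerProvider(force_update_profile=True), alice)
    queue = complete_action(alice, queue, UPDATE_PROFILE, {"firstName": "Alice"}, now)
    queue = complete_action(alice, queue, CONFIGURE_TOTP, {"secret": secret, "code": totp(secret, now)}, now)
    print(issue_token(alice, queue))
```

Two points the thread's answer implies and the model makes explicit: a brokered user who has never enrolled is sent to CONFIGURE_TOTP rather than waved through, and issue_token refuses while anything is still queued, so choosing the broker instead of the login form does not bypass the realm's credential policy.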