On 5/11/2015 9:44 AM, Stian Thorgersen wrote:
> ----- Original Message -----
> > From: "Bill Burke" <bburke(a)redhat.com>
> > To: keycloak-dev(a)lists.jboss.org
> > Sent: Monday, 11 May, 2015 3:29:13 PM
> > Subject: [keycloak-dev] auth spi design requirements and initial steps
> >
> > Some generic requirements that will affect the design.
> >
> > 1. Authenticator should be able to be optional per user. i.e. OTP can be
> > optionally set up by the user
> > 2. Multiple authenticators should be resolvable per form. i.e. password,
> > terms and conditions, captcha, and otp could be entered in on one page.
> > 3. Non form based authenticators should be able to bypass any screens if
> > they are the only authenticators. i.e. CLIENT_CERT and KERBEROS.
> > 4. Authenticators need to be able to send challenges after initial
> > request, i.e. Kerberos
> > 5. Clients should be able to specify which Authenticators they require
> > 6. You should be able to attach policies to an Authenticator which
> > allows you to do things like, don't do OTP if you are coming from IP
> > address where you last logged in.
>
> Bypassing OTP shouldn't be based on IP. Instead when you do OTP there should be an
> option to not ask for OTP next time, which sets a cookie. Reasoning behind this is:
> 1. It's how Google does it ;)
> 2. IP addresses for most users are dynamic, and also often shared
> 3. User should choose not to use OTP next time. This is important as user could be logging in
> from a public machine, a friend's machine, etc.

IP Address can be used to find the user's location. I noticed that
World of Warcraft does this. i.e. I didn't have to enter OTP at home,
but I did when I traveled (same laptop used).
I forgot another one:
- Authenticators should be able to add headers to responses i.e. to set
a cookie
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
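The thread debates requirement 6 (policies attached to an authenticator) and the "don't ask for OTP next time" cookie Stian proposes in place of an IP check. The following is an added illustration written for this page; it is not Keycloak code and not code from either author. It shows the shape such a cookie needs to have to be safe as an OTP bypass: HMAC-signed so it cannot be forged, bound to the user (a cookie lifted from one account must not skip OTP on another), bound to the user's current OTP enrolment so re-enrolling or removing OTP invalidates old cookies, and time-limited. The `required_authenticators` policy hook, the user record layout, the `otp_generation` counter, `SERVER_KEY` and the sample timestamp are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import List, Optional

# Assumption for the example: one server-side secret. A real deployment would
# load it from the realm's key material rather than generate it at import time.
SERVER_KEY = secrets.token_bytes(32)


def _sign(payload: bytes, key: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_trusted_device_cookie(user_id: str, otp_generation: int, ttl_seconds: int,
                                key: bytes = SERVER_KEY, now: Optional[float] = None) -> str:
    """Value for the 'do not ask for OTP again on this device' cookie.

    The cookie is bound to the user, to the user's current OTP generation (an assumed
    per-user counter bumped whenever OTP is removed or re-enrolled, so old cookies die),
    and to an expiry time. Format: base64url(JSON claims) "." hex(HMAC-SHA256).
    """
    now = time.time() if now is None else now
    claims = {"u": user_id, "g": otp_generation, "exp": int(now) + ttl_seconds,
              "n": secrets.token_hex(8)}  # nonce so two cookies for one user differ
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{payload}.{_sign(payload.encode(), key)}"


def trusted_device_cookie_valid(cookie: Optional[str], user_id: str, otp_generation: int,
                                key: bytes = SERVER_KEY, now: Optional[float] = None) -> bool:
    """True only if the cookie is untampered, for this user, this OTP generation, and unexpired."""
    if not cookie or "." not in cookie:
        return False
    payload, sig = cookie.rsplit(".", 1)
    # Verify before parsing: nothing unsigned is ever decoded.
    if not hmac.compare_digest(sig, _sign(payload.encode(), key)):
        return False
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:
        return False
    if not isinstance(claims, dict):
        return False
    now = time.time() if now is None else now
    return (claims.get("u") == user_id
            and claims.get("g") == otp_generation
            and claims.get("exp", 0) > now)


def required_authenticators(user: dict, cookie: Optional[str],
                            now: Optional[float] = None) -> List[str]:
    """Policy hook in the spirit of requirement 6: which authenticators this login needs.

    `user` is a constructed record: {"id": str, "otp_configured": bool, "otp_generation": int}.
    Password is always required. OTP is required only when the user has enrolled it
    (requirement 1: optional per user) and no valid trusted-device cookie is presented.
    """
    required = ["password"]
    if user["otp_configured"] and not trusted_device_cookie_valid(
            cookie, user["id"], user["otp_generation"], now=now):
        required.append("otp")
    return required


if __name__ == "__main__":
    # Constructed walkthrough: first login needs OTP, the user ticks "remember this
    # device", the next login skips OTP, and a re-enrolment invalidates the cookie.
    alice = {"id": "alice", "otp_configured": True, "otp_generation": 1}
    t0 = 1_431_350_000  # constructed timestamp
    print(required_authenticators(alice, None, now=t0))
    cookie = issue_trusted_device_cookie("alice", 1, ttl_seconds=30 * 86400, now=t0)
    print(required_authenticators(alice, cookie, now=t0 + 3600))
    alice["otp_generation"] = 2  # user removed and re-added OTP
    print(required_authenticators(alice, cookie, now=t0 + 3600))
```

The generation binding is what makes "sign out everywhere" or "reset my OTP" actually revoke remembered devices without the server keeping a list of issued cookies; the expiry bounds how long a stolen cookie is useful; and the user binding matters because the cookie travels with the browser, not with the account, which is exactly the public-machine case raised in the reply.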