On 11 July 2017 at 17:05, Bill Burke <bburke(a)redhat.com> wrote:
Awesome! Comments inline
On 7/11/17 8:29 AM, Stian Thorgersen wrote:
> I gave it a go and implemented an "async" authentication example. It's
> rather simple what happens is:
>
> * User authenticates with username only
> * Then a "waiting" page is displayed, which is waiting for some external
> callback. This could be an app or whatever that verifies the user then
> sends the callback. In the example a CURL command is printed on sysout for
> the server which you can run to "simulate" the callback from the app.
> * Once the callback is received the user is authenticated without filling
> in password or any other credentials in the main browser
>
>
> https://github.com/stianst/authenticator-example
>
> Check it out here:
>
> https://youtu.be/C09BpNIf4v8
>
> It's a bit hacky in the way it's implemented:
>
> * Using notes for "callback" is a bit strange maybe?
Why?
Dunno, was mainly checking if others thought it was OK.
> * Had to use custom realm resource for callback endpoint. Is this strange?
> * Probably won't work for cross DC, but in 7.2 Hynek has stuff that does
> that
So, in 7.2 it will work for cross-DC?
The example would need changing for KC 3.2 / 7.2 to support cross-DC. It
would need changing for authentication sessions and the callback should use
the event mechanism that Hynek implemented to update the authentication
session in the correct DC/node. Maybe Marek/Hynek could take a look at that
to make sure it works cross DC?
> * No way to push change to browser, so have to pull every 2 seconds. Maybe
> we could add a simple authentication event feature that uses websockets and
> a small auth js lib to do the job of notification?
You'd have to have a cross-DC notification bus for something like this
as only one node in the cluster would have the websocket open. If you
had Javascript that did the polling, the user wouldn't even see it.
I have JS polling at the moment, but I don't like it as it needs a request
every X seconds. Much better to have a way to push when it actually
changes. I don't think it would be too hard to add.
Bill
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
>
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
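A minimal model of the flow discussed in this thread (username only, waiting page, external callback, browser polling), added here as an example; it is not code from authenticator-example or from Keycloak. The names `PendingAuthStore`, `start`, `callback` and `poll`, the 120-second lifetime and the per-session callback token are assumptions made for illustration, and state is held in memory on one node, so the cross-DC question raised above is out of scope.

```python
import hashlib
import hmac
import secrets
import time

PENDING, AUTHENTICATED, EXPIRED = "pending", "authenticated", "expired"


class PendingAuthStore:
    """In-memory model of the username -> wait -> callback -> done flow."""

    def __init__(self, ttl_seconds=120, clock=time.monotonic):
        self._ttl = ttl_seconds      # assumed lifetime of a pending login
        self._clock = clock          # injectable so expiry can be tested
        self._sessions = {}          # session_id -> user, token_hash, deadline, state

    def start(self, username):
        """Step 1: username submitted. Returns (session_id, callback_token)."""
        session_id = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)  # handed to the external app only
        self._sessions[session_id] = {
            "user": username,
            # Only a hash is stored, playing the role of a note on the session.
            "token_hash": hashlib.sha256(token.encode()).digest(),
            "deadline": self._clock() + self._ttl,
            "state": PENDING,
        }
        return session_id, token

    def callback(self, session_id, token):
        """Step 2: the external app confirms the user. Succeeds at most once."""
        s = self._sessions.get(session_id)
        if s is None or self.poll(session_id) != PENDING:
            return False  # unknown, expired, or already completed
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, s["token_hash"]):
            return False  # wrong token leaves the session pending
        s["state"] = AUTHENTICATED
        return True

    def poll(self, session_id):
        """Step 3: what the waiting page asks on each polling request."""
        s = self._sessions.get(session_id)
        if s is None:
            return EXPIRED
        if s["state"] == PENDING and self._clock() >= s["deadline"]:
            s["state"] = EXPIRED
        return s["state"]
```

Because the callback is the only factor after the username, the model binds it to one session with a random token, compares in constant time, and rejects replays and late callbacks.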