Really nice!

On Tue, Jul 11, 2017 at 9:29 AM, Stian Thorgersen <sthorger(a)redhat.com>
wrote:

> I gave it a go and implemented an "async" authentication example. It's
> rather simple; what happens is:
>
> * User authenticates with username only
> * Then a "waiting" page is displayed, which is waiting for some external
> callback. This could be an app or whatever that verifies the user then
> sends the callback. In the example a CURL command is printed on sysout for
> the server which you can run to "simulate" the callback from the app.
> * Once the callback is received the user is authenticated without filling
> in password or any other credentials in the main browser

Maybe you can use a SET [1], which is basically a JWT, in order to
communicate authentication events between parties. For instance, send
additional data to the external callback about the authentication context
and receive back from the external callback information on how to proceed
with the authentication.

[1] https://tools.ietf.org/html/draft-hunt-idevent-token-03

> https://github.com/stianst/authenticator-example
>
> Check it out here:
> https://youtu.be/C09BpNIf4v8
>
> It's a bit hacky in the way it's implemented:
> * Using notes for "callback" is a bit strange maybe?
> * Had to use custom realm resource for callback endpoint. Is this strange?
> * Probably won't work for cross DC, but in 7.2 Hynek has stuff that does that
> * No way to push change to browser, so have to pull every 2 seconds. Maybe
> we could add a simple authentication event feature that uses websockets and
> a small auth js lib to do the job of notification?
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
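The three-step flow Stian describes (username only, waiting page that polls, external callback that completes the login) and the SET suggestion from the reply, as one added example. This is illustrative code written for this thread, not Keycloak's code and not the authenticator-example repository; it models the server side in plain Python with an in-memory store. Assumed for the example: a key shared between the auth server and the external verifier app (SHARED_KEY), a per-login one-time callback token handed to that app out of band, the event URI urn:example:event:async-login, and the issuer/audience strings. The security-relevant points it shows are the ones the thread leaves implicit: the callback must prove it belongs to this pending login (signature plus session-bound token), it must be single-use and time-limited, and the browser's poll endpoint must be read-only so nothing the browser sends can approve its own login.

```python
"""Added example for the keycloak-dev thread: a model of the async login and a
SET-style (signed JWT) callback. Not Keycloak code; all names are assumptions."""
import base64, hashlib, hmac, json, secrets, time

SHARED_KEY = b"example-shared-key-do-not-use"   # constructed; shared with the verifier app
CALLBACK_TTL = 120      # seconds a pending login waits for the out-of-band approval
SET_MAX_AGE = 60        # seconds a callback SET is accepted after its iat

PENDING = {}            # session_id -> state of one pending "username only" login
SEEN_JTI = set()        # SET ids already consumed, so a captured callback cannot be replayed


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def start_async_login(username, now=None):
    """Step 1: the user gives a username only. Returns the browser's session id and a
    one-time callback token; the token goes to the verifier app out of band (in the
    thread it is printed as part of a curl command), never to the browser."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(16)
    callback_token = secrets.token_urlsafe(32)
    PENDING[session_id] = {
        "username": username,
        "token_hash": hashlib.sha256(callback_token.encode()).hexdigest(),  # store a hash, not the token
        "expires": now + CALLBACK_TTL,
        "status": "pending",
    }
    return session_id, callback_token


def make_set(session_id, callback_token, approved, key=SHARED_KEY, now=None):
    """What the verifier app sends: a SET, i.e. a JWT (HS256 here) whose 'events' claim
    carries the decision for exactly one pending login (the shape of the SET draft)."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    payload = {
        "iss": "urn:example:verifier-app", "aud": "urn:example:auth-server",
        "iat": int(now), "jti": secrets.token_urlsafe(16),
        "events": {"urn:example:event:async-login": {
            "session": session_id, "token": callback_token,
            "decision": "approved" if approved else "denied"}},
    }
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(payload).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def handle_callback(token, key=SHARED_KEY, now=None):
    """Step 2: the callback endpoint. Verifies the SET before touching any login state
    and returns a short status string (the order of checks is fail-closed)."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header, payload, sig = json.loads(_unb64(h64)), json.loads(_unb64(p64)), _unb64(s64)
    except ValueError:                      # wrong part count, bad base64 or bad JSON
        return "malformed"
    if header.get("alg") != "HS256":        # pin the algorithm; never trust the header's alg
        return "bad-alg"
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return "bad-signature"
    if payload.get("aud") != "urn:example:auth-server":
        return "bad-audience"
    iat = payload.get("iat")
    if not isinstance(iat, (int, float)) or not (now - SET_MAX_AGE <= iat <= now + 5):
        return "stale"
    if payload.get("jti") in SEEN_JTI:      # single use: a replayed SET is rejected
        return "replay"
    SEEN_JTI.add(payload["jti"])
    events = payload.get("events")
    if not isinstance(events, dict):
        return "malformed"
    ev = events.get("urn:example:event:async-login") or {}
    state = PENDING.get(ev.get("session"))
    if state is None or state["status"] != "pending":
        return "unknown-session"
    if now > state["expires"]:
        state["status"] = "expired"
        return "expired"
    got = hashlib.sha256(str(ev.get("token", "")).encode()).hexdigest()
    if not hmac.compare_digest(got, state["token_hash"]):   # binds the callback to this login
        return "bad-token"
    state["status"] = "approved" if ev.get("decision") == "approved" else "denied"
    return state["status"]


def poll(session_id, now=None):
    """Step 3: what the waiting page asks every couple of seconds. It only reads state;
    the browser carries no input that can move a login to 'approved'."""
    now = time.time() if now is None else now
    state = PENDING.get(session_id)
    if state is None:
        return "unknown"
    if state["status"] == "pending" and now > state["expires"]:
        state["status"] = "expired"
    return state["status"]
```

In a real authenticator the PENDING map would be the authentication session (the "notes" Stian mentions) and the callback endpoint would be the custom realm resource; the checks stay the same. Replacing the 2-second poll with a websocket push changes only step 3's transport, not who is allowed to flip the state.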