On 20/11/15 18:46, Dane Barentine wrote:
> I can look at the IdentityProvider Mapper and see. As you said it's a workaround
though and now requires me to create a mapper and an authenticator to handle both types of
authentication.
>
> Regarding this: "Isn't it the more proper option for your usecase to use OTP
on the second server side instead?"
>
> In a lot of cases it would probably be more proper. But it's not always practical
as we don't always control the IDPs. So the use case for OTP is if we are using an IDP
that either doesn't support, or the team that is running it doesn't want to
support, something like OTP but we still want to require it when logging in through
Keycloak. The other use case is when we are making authentication/authorization decisions
based on some other sort of risk assessment or user required action. This may involve using
services or code that we will never be able to plug into an IDP. In those cases a post
broker login flow would allow us to add on a consistent layer across all the brokered IDPs
regardless of what they can technically support.
You can use requiredAction SPI after broker authentication. That is
triggered after each authentication (classic or broker). See some docs
here:
http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.ht...
.
Maybe using RequiredAction SPI for OTP authentication is even better
than IdentityProviderMapper (even if it still seems to be a
workaround). In your RequiredActionProvider.evaluateTriggers(), you will
check that the user was authenticated through broker and if yes, you put
some requiredAction like "authenticate_otp" to clientSession. Then in
requiredActionChallenge() you will redirect to OTP form and in
processAction() you will check if OTP was successful. The code in
requiredActionChallenge and processAction methods might be very similar
to the code in OTPFormAuthenticator. You can likely take inspiration from there.
If you still have issues, feel free to create a JIRA and we will try to
look at improving things in Keycloak.
It would be better to have a post-login flow.
--
Bill Burke
JBoss, a division of Red Hat
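A sketch of the RequiredActionProvider outlined in the reply above (evaluateTriggers adds the action for brokered logins, requiredActionChallenge shows the OTP form, processAction validates it). This is an added example, not code from the thread or from Keycloak itself; it assumes the broker flow records the IdP alias as a user-session note under Details.IDENTITY_PROVIDER, and the RequiredActionFactory that registers it is left out.

```java
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.keycloak.authentication.RequiredActionContext;
import org.keycloak.authentication.RequiredActionProvider;
import org.keycloak.events.Details;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserSessionModel;

// Hypothetical required action: forces an OTP step only after a brokered login.
public class BrokerOtpRequiredAction implements RequiredActionProvider {

    public static final String ACTION_ID = "authenticate_otp"; // name used in the thread

    @Override
    public void evaluateTriggers(RequiredActionContext context) {
        // Assumption: a brokered login leaves the IdP alias in this user-session note;
        // a direct login against the Keycloak realm does not set it.
        UserSessionModel userSession = context.getClientSession().getUserSession();
        boolean brokered = userSession != null
                && userSession.getNote(Details.IDENTITY_PROVIDER) != null;
        if (brokered) {
            context.getClientSession().addRequiredAction(ACTION_ID);
        }
    }

    @Override
    public void requiredActionChallenge(RequiredActionContext context) {
        // Reuse the stock OTP login form rather than shipping a custom template.
        Response challenge = context.form().createLoginTotp();
        context.challenge(challenge);
    }

    @Override
    public void processAction(RequiredActionContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String otp = form.getFirst("totp"); // input name of the login-totp template
        if (otp == null || otp.trim().isEmpty()) {
            context.challenge(context.form().setError("Missing OTP").createLoginTotp());
            return;
        }
        // Validate against the user's configured OTP credential, as OTPFormAuthenticator does.
        UserCredentialModel cred = UserCredentialModel.totp(otp);
        boolean valid = context.getSession().users().validCredentials(
                context.getSession(), context.getRealm(), context.getUser(), cred);
        if (!valid) {
            context.challenge(context.form().setError("Invalid OTP").createLoginTotp());
            return;
        }
        context.getClientSession().removeRequiredAction(ACTION_ID); // do not re-prompt this session
        context.success();
    }

    @Override
    public void close() { }
}
```

The action is re-evaluated on every login, so a user who logs in directly to the realm is never prompted, while every brokered login must pass the OTP check before the client session continues.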