Authentication flows and authenticators should be protocol agnostic. We
currently support both OIDC and SAML. In the future we may add more as well.
With regards to that, there needs to be a protocol-agnostic concept of step-up
authentication. We have some design ideas around it, which involve having
conditions within the authentication flows that handle it rather than
having authenticators do it themselves.
Take a look at
https://issues.jboss.org/browse/KEYCLOAK-847, which links to a
Google Doc with some notes.
On 1 August 2017 at 17:53, Jannik Hüls <jannik.huels(a)googlemail.com> wrote:
Hi,
I would like to contribute to the Keycloak project and implement acr and
amr support like described in KEYCLOAK-3314. (However, I don’t know whether
this is a good place to start - but at least this is a recent topic very
many customers are currently requesting ;-))
My idea would be to implement it in the way Youssef suggested in the
comments. Thus every Authenticator of a specific Flow may get an
"Authentication Method Reference Value".
E.g. having two Authenticators 'pwd' and 'otp':
The claim acr_values describes the desired level of an authentication
request, thus using acr_values=pwd for the initial response should only
trigger the pwd Authenticator and return acr=pwd and amr=[pwd].
A second authentication request using acr_values=otp should only trigger
the otp authenticator, but return acr=otp and amr=[pwd,otp].
Please let me know if you want to implement support of acr and amr - even
if my initial thoughts do not correspond to the ideas you have to implement
this. :-)
Kind regards
Jannik
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
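The acr/amr behaviour Jannik sketches (acr_values=pwd runs only the pwd authenticator and yields acr=pwd, amr=[pwd]; a later acr_values=otp runs only the otp authenticator and yields acr=otp, amr=[pwd,otp]) can be written down as a small model. The following is an added example, not Keycloak code and not from either mail: the level ordering, the function names and the relying-party check are assumptions. It also adds the consumer side that the thread does not spell out: a client that requested a level has to verify the token actually reached it, since an acr=pwd token answering an acr_values=otp request is the failure mode a step-up consumer must catch.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Assumed ordering of levels, weakest first; an "otp" session counts as
# stronger than a password-only one. Deployments define their own ordering.
ACR_LEVELS: List[str] = ["pwd", "otp"]


def _level(acr: str) -> int:
    """Index of an acr value in the assumed ordering; unknown values are rejected."""
    if acr not in ACR_LEVELS:
        raise ValueError(f"unknown acr value: {acr!r}")
    return ACR_LEVELS.index(acr)


def current_acr(amr: List[str]) -> Optional[str]:
    """Strongest method completed so far, or None for a session with none."""
    return max(amr, key=_level) if amr else None


def authenticate(session_amr: List[str], acr_values: str,
                 authenticators: Dict[str, Callable[[], bool]]) -> Tuple[str, List[str]]:
    """
    Server side of the sketch: run only the authenticator named by acr_values,
    unless the session already completed it, and accumulate amr across requests.
    Each authenticator is a callable returning True on success.
    Returns the (acr, amr) claims to place in the token.
    """
    if acr_values not in authenticators:
        raise ValueError(f"no authenticator for acr value {acr_values!r}")
    amr = list(session_amr)
    if acr_values not in amr:
        if not authenticators[acr_values]():
            raise PermissionError(f"{acr_values} authentication failed")
        amr.append(acr_values)
    return current_acr(amr), amr


def check_id_token(claims: dict, requested_acr: str) -> List[str]:
    """
    Client side: the relying party must not assume the requested level was
    reached. Returns a list of problems; an empty list means the claims
    satisfy the request.
    """
    problems: List[str] = []
    acr = claims.get("acr")
    amr = claims.get("amr")
    if not isinstance(acr, str) or acr not in ACR_LEVELS:
        problems.append(f"missing or unknown acr: {acr!r}")
    if not isinstance(amr, list) or not amr or any(m not in ACR_LEVELS for m in amr):
        problems.append(f"missing or unknown amr: {amr!r}")
    if problems:
        return problems
    if _level(acr) < _level(requested_acr):
        problems.append(f"acr {acr!r} is below requested {requested_acr!r}")
    if acr not in amr:
        problems.append(f"acr {acr!r} not backed by an amr entry")
    return problems


def demo() -> Tuple[Tuple[str, List[str]], Tuple[str, List[str]]]:
    """Replays the two requests from the mail with constructed, always-succeeding authenticators."""
    auths = {"pwd": lambda: True, "otp": lambda: True}  # constructed stand-ins
    first = authenticate([], "pwd", auths)         # -> ("pwd", ["pwd"])
    second = authenticate(first[1], "otp", auths)  # -> ("otp", ["pwd", "otp"])
    return first, second


if __name__ == "__main__":
    print(demo())
    print(check_id_token({"acr": "pwd", "amr": ["pwd"]}, "otp"))
```

The server-side function deliberately runs nothing that is already in the session's amr list, which is what makes the second request a pure step-up; the client-side check is the part that turns "the server returned some acr" into an actual access decision.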