11:53 p.m.
Good morning,
Today to authentication against PAM with just simple username/password I
implemented UserFederationProvider and added the proper PAM login to
validCredentials[1]. This covers the most basic scenario.
Now I would like to cover a more complex scenario like OTP and change
the flow a little bit like this:
1. User providers her username
2. The next screen asks to provide how many factor our user has(For
example: OTP, password). We just don't know, PAM will tell what's next.
3. We authenticate against it
To see in practice against FreeIPA server, I just recorded it
for a practical example[2].
What would be the best approach to implement this flow? I was considering to
move my authentication logic out of SSSD federation provider and create a PAM
authenticator.
Does it make sense?
[1] -
http://www.keycloak.org/docs/javadocs/org/keycloak/models/UserFederationP...
[2] - https://asciinema.org/a/atwnfbu0kqfasjl65weyoiz7a
--
abstractj
PGP: 0x84DC9914
1:26 p.m.
I thought we where just going to do password and OTP in a single field?
On 18 July 2016 at 23:53, Bruno Oliveira <abstractj(a)redhat.com> wrote:
Good morning,
Today to authentication against PAM with just simple username/password I
implemented UserFederationProvider and added the proper PAM login to
validCredentials[1]. This covers the most basic scenario.
Now I would like to cover a more complex scenario like OTP and change
the flow a little bit like this:
1. User providers her username
2. The next screen asks to provide how many factor our user has(For
example: OTP, password). We just don't know, PAM will tell what's next.
3. We authenticate against it
To see in practice against FreeIPA server, I just recorded it
for a practical example[2].
What would be the best approach to implement this flow? I was considering
to
move my authentication logic out of SSSD federation provider and create a
PAM
authenticator.
Does it make sense?
[1] - http://www.keycloak.org/docs/javadocs/org/keycloak/models/
UserFederationProvider.html#validCredentials-org.keycloak.
models.RealmModel-org.keycloak.models.UserCredentialModel-
[2] - https://asciinema.org/a/atwnfbu0kqfasjl65weyoiz7a
--
abstractj
PGP: 0x84DC9914
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
1:29 p.m.
That e-mail is dated, feel free to ignore. Later I sent another one
mentioning password + OTP. But of course I can't find it anymore.
On 2016-08-23, Stian Thorgersen wrote:
I thought we where just going to do password and OTP in a single
field?
On 18 July 2016 at 23:53, Bruno Oliveira <abstractj(a)redhat.com> wrote:
> Good morning,
>
>
> Today to authentication against PAM with just simple username/password I
> implemented UserFederationProvider and added the proper PAM login to
> validCredentials[1]. This covers the most basic scenario.
>
> Now I would like to cover a more complex scenario like OTP and change
> the flow a little bit like this:
>
> 1. User providers her username
> 2. The next screen asks to provide how many factor our user has(For
> example: OTP, password). We just don't know, PAM will tell what's next.
> 3. We authenticate against it
>
> To see in practice against FreeIPA server, I just recorded it
> for a practical example[2].
>
> What would be the best approach to implement this flow? I was considering
> to
> move my authentication logic out of SSSD federation provider and create a
> PAM
> authenticator.
>
> Does it make sense?
>
> [1] - http://www.keycloak.org/docs/javadocs/org/keycloak/models/
> UserFederationProvider.html#validCredentials-org.keycloak.
> models.RealmModel-org.keycloak.models.UserCredentialModel-
>
> [2] - https://asciinema.org/a/atwnfbu0kqfasjl65weyoiz7a
>
> --
>
> abstractj
> PGP: 0x84DC9914
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
abstractj
PGP: 0x84DC9914
2796
days inactive
2832
days old
2 comments
3 participants
participants (3)
-
Bruno Oliveira -
Bruno Oliveira -
Stian Thorgersen