3:29 p.m.
Some generic requirements that will effect the design.
1. Authenticator should be able to be optional per user. i.e. OTP can be
optionally set up by the user
2. Multiple authenticators should be resolvable per form. i.e. password,
terms and conditions, captcha, and otp could be entered in on one page.
3. Non form based authenticators should be able to bypass any screens if
they are the only authenticators. i.e. CLIENT_CERT and KERBEROS.
4. Autheticators need to be able to send challenges after initial
request, i.e. Kerberos
5. Clients should be able to specify which Authenticators they require
6. You should be able to attach policies to an Authenticator which
allows you to do things like, don't do OTP if you are coming from IP
address where you last logged in.
7. Authenticators should be able to plugin in a JAX-RS service that can
handle requests for them.
8. Authenticators should be able to specify their display/input page
9. Authenticators can have a "user setup" pages. One for
login/registration, one for account service, and one for admin console.
Yuck!
Design implications:
* I think we need to have a AuthenticatorForm as well as an
Authenticator interface.
* Authenticators would be associated with a AuthenticatorForm. This
allows support for multiple Authenticators for one form post.
* AuthentictorForms would have an action URL that accepts form input.
This form input URL would be referenced by the form name
/auth/realms/{realm}/authenticate/forms/{form-name}
* AuthenticatorForms would have a name and input/display page. The
display page URI can be a relative uri pointing to a theme template, a
relative uri that points to an Authenticators JAX-RS service, or an
external URI.
* A User, per authenticator can be in a SETUP_REQUIRED state. This
allows the user to bypass the authenticator and go straight to
authenticator setup.
* CredentialModel will need generic attributes.
Steps?
I'm gonna get some abstraction working first with Kerberos, OTP, and
Password.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
3:42 p.m.
Is this a reasonable time to consider how impersonation could fit into the auth SPI?
On May 11, 2015, at 9:29 AM, Bill Burke <bburke(a)redhat.com>
wrote:
Some generic requirements that will effect the design.
1. Authenticator should be able to be optional per user. i.e. OTP can be
optionally set up by the user
2. Multiple authenticators should be resolvable per form. i.e. password,
terms and conditions, captcha, and otp could be entered in on one page.
3. Non form based authenticators should be able to bypass any screens if
they are the only authenticators. i.e. CLIENT_CERT and KERBEROS.
4. Autheticators need to be able to send challenges after initial
request, i.e. Kerberos
5. Clients should be able to specify which Authenticators they require
6. You should be able to attach policies to an Authenticator which
allows you to do things like, don't do OTP if you are coming from IP
address where you last logged in.
7. Authenticators should be able to plugin in a JAX-RS service that can
handle requests for them.
8. Authenticators should be able to specify their display/input page
9. Authenticators can have a "user setup" pages. One for
login/registration, one for account service, and one for admin console.
Yuck!
Design implications:
* I think we need to have a AuthenticatorForm as well as an
Authenticator interface.
* Authenticators would be associated with a AuthenticatorForm. This
allows support for multiple Authenticators for one form post.
* AuthentictorForms would have an action URL that accepts form input.
This form input URL would be referenced by the form name
/auth/realms/{realm}/authenticate/forms/{form-name}
* AuthenticatorForms would have a name and input/display page. The
display page URI can be a relative uri pointing to a theme template, a
relative uri that points to an Authenticators JAX-RS service, or an
external URI.
* A User, per authenticator can be in a SETUP_REQUIRED state. This
allows the user to bypass the authenticator and go straight to
authenticator setup.
* CredentialModel will need generic attributes.
Steps?
I'm gonna get some abstraction working first with Kerberos, OTP, and
Password.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
3:44 p.m.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Monday, 11 May, 2015 3:29:13 PM
Subject: [keycloak-dev] auth spi design requirements and initial steps
Some generic requirements that will effect the design.
1. Authenticator should be able to be optional per user. i.e. OTP can be
optionally set up by the user
2. Multiple authenticators should be resolvable per form. i.e. password,
terms and conditions, captcha, and otp could be entered in on one page.
3. Non form based authenticators should be able to bypass any screens if
they are the only authenticators. i.e. CLIENT_CERT and KERBEROS.
4. Autheticators need to be able to send challenges after initial
request, i.e. Kerberos
5. Clients should be able to specify which Authenticators they require
6. You should be able to attach policies to an Authenticator which
allows you to do things like, don't do OTP if you are coming from IP
address where you last logged in.
Bypassing OTP shouldn't be based on IP. Instead when you do OTP there should be an
option to not ask for OTP next time, which sets a cookie. Reasoning behind this is:
1. It's how Google does it ;)
2. IP address for most users are dynamic, and also often shared
3. User should choose not to use OTP next time. This is important as user could be login
from a public machine, a friends machine, etc.
7. Authenticators should be able to plugin in a JAX-RS service that
can
handle requests for them.
8. Authenticators should be able to specify their display/input page
9. Authenticators can have a "user setup" pages. One for
login/registration, one for account service, and one for admin console.
Yuck!
Other things:
* Password-less authentication mechanisms (finger scanners, etc.)
* Other multi-factor mechanisms (FIDO, SMS, email)
* Multiple multi-factor mechanisms for one account (for Red Hat I've got both Google
Authenticator and dongle, I use both day to day, but it's also nice to have a backup)
* "Detached" flows - for example verify email sends an email with a link, login
with email would send a login link, etc..
Design implications:
* I think we need to have a AuthenticatorForm as well as an
Authenticator interface.
* Authenticators would be associated with a AuthenticatorForm. This
allows support for multiple Authenticators for one form post.
* AuthentictorForms would have an action URL that accepts form input.
This form input URL would be referenced by the form name
/auth/realms/{realm}/authenticate/forms/{form-name}
* AuthenticatorForms would have a name and input/display page. The
display page URI can be a relative uri pointing to a theme template, a
relative uri that points to an Authenticators JAX-RS service, or an
external URI.
* A User, per authenticator can be in a SETUP_REQUIRED state. This
allows the user to bypass the authenticator and go straight to
authenticator setup.
* CredentialModel will need generic attributes.
Steps?
I'm gonna get some abstraction working first with Kerberos, OTP, and
Password.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
4:09 p.m.
On 5/11/2015 9:44 AM, Stian Thorgersen wrote:
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Monday, 11 May, 2015 3:29:13 PM
> Subject: [keycloak-dev] auth spi design requirements and initial steps
>
> Some generic requirements that will effect the design.
>
> 1. Authenticator should be able to be optional per user. i.e. OTP can be
> optionally set up by the user
> 2. Multiple authenticators should be resolvable per form. i.e. password,
> terms and conditions, captcha, and otp could be entered in on one page.
> 3. Non form based authenticators should be able to bypass any screens if
> they are the only authenticators. i.e. CLIENT_CERT and KERBEROS.
> 4. Autheticators need to be able to send challenges after initial
> request, i.e. Kerberos
> 5. Clients should be able to specify which Authenticators they require
> 6. You should be able to attach policies to an Authenticator which
> allows you to do things like, don't do OTP if you are coming from IP
> address where you last logged in.
Bypassing OTP shouldn't be based on IP. Instead when you do OTP there should be an
option to not ask for OTP next time, which sets a cookie. Reasoning behind this is:
1. It's how Google does it ;)
2. IP address for most users are dynamic, and also often shared
3. User should choose not to use OTP next time. This is important as user could be login
from a public machine, a friends machine, etc.
IP Address can be used to find the user's location. I noticed that
World of Warcraft does this. i.e. I didn't have to enter OTP at home,
but I did when I traveled (same laptop used).
I forgot another one:
- Authenticators should be able to add headers to responses i.e. to set
a cookie
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
4:24 p.m.
Sorry to jump in but Bill just mentioned a real use case within organizations that utilize
a risk engine.
If I typically login from say USA and one day I login from different country, the risk
engine will kick in and based on a policy defined, it may require me to do additional
authentication (otp).
Similarly there could be a set of black listed IP addresses which may necessitate no
access at all or in some cases require multiple authentication steps. Bottom line is a
risk engine will determine the authentication steps based on a number of factors including
a policy defined for each client app on what is acceptable under what conditions.
Sent from my iPhone
On May 11, 2015, at 10:09 AM, Bill Burke <bburke(a)redhat.com>
wrote:
> On 5/11/2015 9:44 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Monday, 11 May, 2015 3:29:13 PM
>> Subject: [keycloak-dev] auth spi design requirements and initial steps
>>
>> Some generic requirements that will effect the design.
>>
>> 1. Authenticator should be able to be optional per user. i.e. OTP can be
>> optionally set up by the user
>> 2. Multiple authenticators should be resolvable per form. i.e. password,
>> terms and conditions, captcha, and otp could be entered in on one page.
>> 3. Non form based authenticators should be able to bypass any screens if
>> they are the only authenticators. i.e. CLIENT_CERT and KERBEROS.
>> 4. Autheticators need to be able to send challenges after initial
>> request, i.e. Kerberos
>> 5. Clients should be able to specify which Authenticators they require
>> 6. You should be able to attach policies to an Authenticator which
>> allows you to do things like, don't do OTP if you are coming from IP
>> address where you last logged in.
>
> Bypassing OTP shouldn't be based on IP. Instead when you do OTP there should be
an option to not ask for OTP next time, which sets a cookie. Reasoning behind this is:
>
> 1. It's how Google does it ;)
> 2. IP address for most users are dynamic, and also often shared
> 3. User should choose not to use OTP next time. This is important as user could be
login from a public machine, a friends machine, etc.
IP Address can be used to find the user's location. I noticed that
World of Warcraft does this. i.e. I didn't have to enter OTP at home,
but I did when I traveled (same laptop used).
I forgot another one:
- Authenticators should be able to add headers to responses i.e. to set
a cookie
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
3272
days inactive
3272
days old
4 comments
4 participants
participants (4)
-
Bill Burke -
Raghu Prabhala -
Scott Rossillo -
Stian Thorgersen