Hi Ryan,
we handled this with a specific querystring (&login=manual), which is
checked by our custom authenticator and then stops the spnego login
execution, so keycloak falls back to the normal browser form. The use case
was simply "logout and login as another user", so we didn't want an
extra interrupt of the auto-login process for convenience of most users.
Instead, the user has to manually "log out" and then does not get
automatically re-logged in as himself (as per spnego ticket), but can
login as another user.
But(!) no matter whether you use your solution or something similar to
mine, keep in mind that your spnego/kerberos ticket is active in the
whole(!) browser. So, when you have more than one tab with the same
application or another one of the same realm open, 1 with autologin, 1
with a manually logged in other user, keycloak throws an already-
authenticated exception ("you're logged in as another user...").
We had this error coming up quite often in the dev-environments, which
were all clients in one realm first. After a little talk here, I used
one realm per environment (say local, dev, qa, ...) as a workaround.
There's no simple fix from the keycloak side I think, because that's
just the way the ticketing at spnego/kerberos works, as far as I understand.
Best regards,
Dominik
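As an added illustration of the querystring approach described above (this is example code, not Dominik's implementation and not part of Keycloak), one way to build the opt-out into the browser flow is to subclass Keycloak's built-in SpnegoAuthenticator so that it reports "attempted" instead of sending the Negotiate challenge when ?login=manual is present. The parameter name comes from the thread; the package, class names and provider id are assumptions, and it assumes the Kerberos execution in the Browser flow is set to ALTERNATIVE so the flow falls through to the Forms subflow.

```java
// Hypothetical package; the class and provider id below are assumptions.
package com.example.keycloak.spnego;

import javax.ws.rs.core.MultivaluedMap;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator;
import org.keycloak.authentication.authenticators.browser.SpnegoAuthenticatorFactory;
import org.keycloak.models.KeycloakSession;

/**
 * SPNEGO authenticator that skips the Kerberos ticket exchange when the
 * login URL carries ?login=manual, so the browser flow falls through to
 * the username/password form and a different user can sign in from a
 * desktop that would otherwise be auto-logged-in.
 */
public class OptOutSpnegoAuthenticator extends SpnegoAuthenticator {

    static final String PARAM = "login";   // from the thread: &login=manual
    static final String MANUAL = "manual";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> query = context.getUriInfo().getQueryParameters();
        if (MANUAL.equals(query.getFirst(PARAM))) {
            // Mark this execution as attempted but not successful. With the
            // Kerberos execution set to ALTERNATIVE, Keycloak then continues
            // with the Forms subflow instead of challenging with
            // "WWW-Authenticate: Negotiate", so no ticket is consumed.
            context.attempted();
            return;
        }
        super.authenticate(context);   // normal SPNEGO behaviour
    }

    /** Factory so the authenticator shows up in the Browser flow editor. */
    public static class Factory extends SpnegoAuthenticatorFactory {
        public static final String ID = "opt-out-kerberos";   // assumed id

        @Override public String getId() { return ID; }
        @Override public String getDisplayType() { return "Kerberos (opt-out via ?login=manual)"; }
        @Override public Authenticator create(KeycloakSession session) {
            return new OptOutSpnegoAuthenticator();
        }
    }
}
```

The factory still has to be registered in META-INF/services/org.keycloak.authentication.AuthenticatorFactory and the application has to forward the login=manual parameter to the Keycloak login URL; the cross-tab "already authenticated" behaviour Dominik mentions is unchanged by this, since the ticket stays valid for the whole browser.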
On 02.05.18 at 19:29, Ryan Slominski wrote:
Hi Keycloak Users,
I'm looking for suggestions on ways to configure a Keycloak realm to allow
Kerberos SPNEGO, but at the same time also allow switching users. I've made some
suggestions to the existing enhancement JIRA here:
https://issues.jboss.org/browse/KEYCLOAK-1727
I'd like to consider a "continue as $username" button in the event SPNEGO
worked instead of automatically returning successful login. I'm looking at the
Authentication API and Browser Flow docs:
https://www.keycloak.org/docs/latest/server_development/index.html#_auth_spi
Perhaps we could create a "Check if SPNEGO Worked and Prompt to Confirm"
Authenticator and assign it an Execution Requirement of "Required", and
configure the Browser Login flow to include the new Authenticator after the Kerberos
Execution, but before the Forms subflow. The logic in the new Authenticator might look
like:
if (SPNEGO worked) {
    // Show special form with button labeled "Continue as $username" beside a
    // regular username/password form. This way user can choose to switch users
    // or just continue as the OS user.
} else {
    // Continue with regular form subflow as usual.
}
Does the Authenticator API support this?
Thanks,
Ryan
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user