[keycloak-dev] Authentication SPI

Stian Thorgersen stian at redhat.com
Mon Oct 13 03:23:34 EDT 2014


We should consider adding an Authentication SPI. This would be something similar to what we used to have, but should be more flexible (for example allow redirect to other IdPs).

This could be used for:

* Kerberos bridge
* Authenticate with external IdP (SAML or OpenID Connect)
* Add custom authentication providers
* Additional authentication mechanisms (fingerprint, hardware keys, etc.)

The same SPI could also be used for custom multi-factor authenticators, as well as for authenticating non-human users (cert, JWT, etc.).

A realm should be able to have more than one authentication mechanism. For example, by default users authenticate with username/password (through the user store), but all users with a specific email domain authenticate with an external IdP. At the same time, a user could have one or more main authenticators (password, hardware devices, etc.) and one or more secondary authenticators (TOTP, hardware token, etc.).

Certainly needs a lot more thinking/design, but if it's something we're interested in I'd like to look at it.
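To make the shape of the proposal concrete, here is an added sketch (not Keycloak code, and not the SPI that was eventually built): a hypothetical `Authenticator` interface whose outcome can be success, failure, or a redirect to an external IdP, a selection rule that sends one e-mail domain to the IdP and everyone else to the user store, and a flow that runs the chosen main authenticator followed by every secondary one. User data, the IdP URL and the OTP check are constructed stand-ins.

```java
import java.util.List;
import java.util.Locale;
import java.util.Map;

public class AuthFlowSketch {
    // A mechanism may verify the user itself, reject it, or ask the caller to
    // send the browser elsewhere (the SAML / OpenID Connect case).
    enum Outcome { SUCCESS, FAILURE, REDIRECT }

    interface Authenticator {
        Outcome authenticate(String username, Map<String, String> credentials);
    }

    // Username/password against the realm's own user store (constructed map).
    static Authenticator userStore(Map<String, String> users) {
        return (u, c) -> users.containsKey(u) && users.get(u).equals(c.get("password"))
                ? Outcome.SUCCESS : Outcome.FAILURE;
    }

    // External IdP: nothing can be verified locally, so hand back a redirect.
    static Authenticator externalIdp(String idpUrl) {
        return (u, c) -> Outcome.REDIRECT;
    }

    // Realm rule: users of idpDomain go to the external IdP, others to the store.
    static Authenticator selectMain(String username, String idpDomain,
                                    Authenticator idp, Authenticator local) {
        return username.toLowerCase(Locale.ROOT).endsWith("@" + idpDomain) ? idp : local;
    }

    // Main authenticator first; a REDIRECT is passed straight back to the caller.
    // Only when it succeeds are the secondary authenticators run, and all must pass.
    static Outcome runFlow(Authenticator main, List<Authenticator> secondary,
                           String username, Map<String, String> creds) {
        Outcome first = main.authenticate(username, creds);
        if (first != Outcome.SUCCESS) return first;
        for (Authenticator a : secondary) {
            if (a.authenticate(username, creds) != Outcome.SUCCESS) return Outcome.FAILURE;
        }
        return Outcome.SUCCESS;
    }

    public static void main(String[] args) {
        Authenticator local = userStore(Map.of("alice@example.com", "s3cret")); // constructed
        Authenticator idp = externalIdp("https://idp.partner.example/saml");    // placeholder URL
        Authenticator otp = (u, c) -> "123456".equals(c.get("otp")) ? Outcome.SUCCESS : Outcome.FAILURE; // stand-in for TOTP
        Map<String, String> creds = Map.of("password", "s3cret", "otp", "123456");
        System.out.println(runFlow(selectMain("alice@example.com", "partner.example", idp, local), List.of(otp), "alice@example.com", creds)); // SUCCESS
        System.out.println(runFlow(selectMain("bob@partner.example", "partner.example", idp, local), List.of(otp), "bob@partner.example", creds)); // REDIRECT
    }
}
```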

