[keycloak-dev] Authentication SPI

Bill Burke bburke at redhat.com
Mon Oct 13 10:37:34 EDT 2014


We should discuss whether we need to reshuffle our prioritization. 
Also, personally, I don't want to be stuck with all the integration work 
we have to do with Tomcat, Jetty, BRMS, etc. :)

On 10/13/2014 3:23 AM, Stian Thorgersen wrote:
> We should consider adding an Authentication SPI. This would be something similar to what we used to have, but should be more flexible (for example allow redirect to other IdPs).
>
> This could be used for:
>
> * Kerberos bridge
> * Authenticate with external IdP (SAML or OpenID Connect)
> * Add custom authentication providers
> * Additional authentication mechanisms (fingerprint, hardware keys, etc.)
>
> Same SPI could also be used for custom multi-factor authenticators. As well as for authenticating non-human users (cert, jwt, etc.).
>
> A realm should be able to have more than one authentication mechanism. For example by default users authenticate with username/password (through the user store), but all users with a specific email domain authenticate with an external IdP. At the same time a user could have one or more main authenticators (password, hardware devices, etc.) and one or more secondary authenticators (totp, hardware token, etc.).
>
> Certainly needs a lot more thinking/design, but if it's something we're interested in I'd like to look at it.
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
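
Added example (not part of the original thread and not Keycloak code): a minimal Java 16+ sketch of the realm policy Stian describes in the quoted message, where the primary mechanism is chosen by email domain and a secondary factor follows. Every type and name here (AuthMechanism, RealmPolicy, the domains, credentials and IdP URL) is hypothetical and constructed for illustration.

```java
import java.util.*;

// Hypothetical sketch; none of these types are Keycloak APIs.
public class AuthSpiSketch {
    enum Status { SUCCESS, FAILURE, REDIRECT }
    record Result(Status status, String detail) {}

    /** Hypothetical SPI: one implementation per authentication mechanism. */
    interface AuthMechanism {
        Result authenticate(String user, Map<String, String> input);
    }

    /** Per-realm policy: primary chosen by email domain, then a secondary factor. */
    static class RealmPolicy {
        private final AuthMechanism defaultPrimary, secondary;
        private final Map<String, AuthMechanism> byDomain = new HashMap<>();
        RealmPolicy(AuthMechanism defaultPrimary, AuthMechanism secondary) {
            this.defaultPrimary = defaultPrimary;
            this.secondary = secondary;
        }
        void route(String domain, AuthMechanism m) {
            byDomain.put(domain.toLowerCase(Locale.ROOT), m);
        }
        Result login(String email, Map<String, String> input) {
            int at = email.lastIndexOf('@');
            if (at < 1 || at == email.length() - 1)
                return new Result(Status.FAILURE, "malformed email");
            // Exact, case-insensitive match on the whole domain: a suffix match
            // would route "user@evilpartner.example" to the partner IdP.
            String domain = email.substring(at + 1).toLowerCase(Locale.ROOT);
            Result first = byDomain.getOrDefault(domain, defaultPrimary).authenticate(email, input);
            // FAILURE ends the login; REDIRECT hands off to the external IdP,
            // which then owns any second factor (an assumption of this sketch).
            if (first.status() != Status.SUCCESS) return first;
            return secondary.authenticate(email, input);
        }
    }

    public static void main(String[] args) {
        // Constructed sample credentials and IdP URL.
        AuthMechanism password = (u, in) -> "s3cret".equals(in.get("password"))
            ? new Result(Status.SUCCESS, "password ok") : new Result(Status.FAILURE, "bad password");
        AuthMechanism totp = (u, in) -> "123456".equals(in.get("otp"))
            ? new Result(Status.SUCCESS, "totp ok") : new Result(Status.FAILURE, "bad otp");
        RealmPolicy realm = new RealmPolicy(password, totp);
        realm.route("partner.example", (u, in) -> new Result(Status.REDIRECT, "https://idp.partner.example/sso"));
        var creds = Map.of("password", "s3cret", "otp", "123456");
        System.out.println(realm.login("alice@corp.example", creds));
        System.out.println(realm.login("bob@Partner.Example", creds));
        System.out.println(realm.login("eve@evilpartner.example", Map.of("password", "guess")));
    }
}
```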

