[keycloak-dev] Kerberos progress

Pedro Igor Silva psilva at redhat.com
Thu Feb 12 09:14:18 EST 2015


----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Pedro Igor Silva" <psilva at redhat.com>
> Cc: "Marek Posolda" <mposolda at redhat.com>, keycloak-dev at lists.jboss.org
> Sent: Thursday, February 12, 2015 12:01:20 PM
> Subject: Re: [keycloak-dev] Kerberos progress
> 
> 
> 
> On 2/12/2015 8:53 AM, Pedro Igor Silva wrote:
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: "Marek Posolda" <mposolda at redhat.com>, keycloak-dev at lists.jboss.org
> >> Sent: Thursday, February 12, 2015 11:49:05 AM
> >> Subject: Re: [keycloak-dev] Kerberos progress
> >>
> >> I'm just trying to figure out where does the Broker SPI end and the User
> >> Federation SPI begin?  And wondering if our SPIs can be unified,
> >> simplified, or refactored.  For example, how would client-cert auth be
> >> implemented?  Like Kerberos, it's a credential that is checked prior to
> >> displaying a login screen.
> >>
> >> Another thing, does the broker SPI allow you to still require extra
> >> credentials supplied by Keycloak instead of the brokered IDP?
> >
> > What is the use case ?
> >
> 
> You have an IDP that only handles username/password and you want to add
> client-cert/otp for additional protection.  For example a login to
> facebook.

Today, the broker is handling only the UPDATE_PROFILE required action. This is an on/off button on the provider's page to force update profile regardless of whether it is defined by a realm or not.

For credentials and other types of required actions, I think if you set that for a realm the user will be presented with the respective page.  I did not test that, but I will, and I'll also write some tests. The broker always invokes your code in org.keycloak.services.managers.AuthenticationManager#nextActionAfterAuthentication after a successful authentication.

> 
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 

