[keycloak-dev] Device registration and verification

Pedro Igor Silva psilva at redhat.com
Tue Jan 13 10:41:08 EST 2015


----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Pedro Igor Silva" <psilva at redhat.com>
> Cc: "Stian Thorgersen" <stian at redhat.com>, keycloak-dev at lists.jboss.org
> Sent: Tuesday, January 13, 2015 1:26:42 PM
> Subject: Re: [keycloak-dev] Device registration and verification
> 
> 
> 
> On 1/13/2015 10:10 AM, Pedro Igor Silva wrote:
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: "Stian Thorgersen" <stian at redhat.com>, "Pedro Igor Silva"
> >> <psilva at redhat.com>
> >> Cc: keycloak-dev at lists.jboss.org
> >> Sent: Tuesday, January 13, 2015 12:35:18 PM
> >> Subject: Re: [keycloak-dev] Device registration and verification
> >>
> >>
> >>
> >> On 1/12/2015 1:10 PM, Stian Thorgersen wrote:
> >>>> In a sense that is much more than just seamless authenticate (and
> >>>> authorize
> >>>> that computer) the user.
> >>>
> >>> I'm curious to see what you're proposing in a real system, but to me it
> >>> sounds like it's similar enough that a remember me and multi factor auth
> >>> mechanism would have the same level of security without complicating
> >>> things for the user.
> >>>
> >>
> >> I don't think we need any special device registration and verification
> >> for users.  Any type of client registration should be done by app devs,
> >> not users.
> >>
> >> For browsers, "remember me" and a persistent cookie is good enough.  For
> >> mobile and native apps, a refresh token can be stored.  We should
> >> probably have per-client overrides for things like access and refresh
> >> token timeouts.  We'll eventually add Client IP features so that a user
> >> doesn't have to use 2-factor auth if they are logging in from the same
> >> device from the same IP.
> >
> > My proposal is all based on browsers, people using their desktops. So you
> > can have an alias for a computer and use a cookie + IP (or even track
> > information from the user-agent) to support the features I suggested
> > before. If IP changed or user is using a unrecognized user-agent you
> > notify the user. Sometimes this sucks, because your IP may change often
> > depending on your network, but I think it is a nice feature to have.
> >
> 
> As long as there is no extra steps for the user, it is a fine idea. Same
> goes for any special SPI.  No new special SPIs for this type of thing.
> 
> For a long time I've wanted the ability to warn the user if there was a
> login from rogue hacker nation.  Countries and even states, counties and
> cities are assigned specific IP address masks.  I'm pretty sure ISPs are
> assigned specific ones too.  There's a free country IP database you can
> download with the option to pay for more fine-grain information.
> 
> BTW, I already had this on my task list for a long time and really
> wanted to do this work.

Sure :)

> 
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 


More information about the keycloak-dev mailing list