[keycloak-dev] Account Chooser Flow
Bill Burke
bburke at redhat.com
Fri Oct 2 11:23:00 EDT 2015
I would like to take the Account Chooser approach to the Kerberos bypass
situation. The Flow would be:
1. Cookie - ALTERNATIVE
2. Chooser Flow - ALTERNATIVE
   a. Kerberos - OPTIONAL
   b. Account Chooser - ALTERNATIVE
   c. Forms - ALTERNATIVE
      i. Username/Password - REQUIRED
      ii. OTP - OPTIONAL
* An "accounts used" cookie needs to be optionally set depending on
"remember me" switch. This should be a persistent cookie.
* Account Chooser page is always shown unless the "account used" cookie
is empty and no ClientSessionModel.getAuthenticatedUser is set.
* If selected user == current ClientSessionModel.getAuthenticatedUser
then return SUCCESSFUL
* If selected user != NULL set ClientSessionModel.getAuthenticatedUser,
return ATTEMPTED
* If selected user == NULL clear
ClientSessionModel.getAuthenticatedUser, return ATTEMPTED
* Username/Password Form Authenticator does not display username,
registration, and broker links if getAuthenticatedUser is already set
* An improvement can be made to also perform OTP input on
Username/Password page if a UserModel is already chosen.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
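
The Account Chooser rules from the message above, as an added Java sketch that is not part of the original post and is not Keycloak code. The Session class, the Outcome enum and both method names are hypothetical stand-ins; returning ATTEMPTED when the page is skipped, and treating a null selection as "clear" even when no user is set, are assumptions.

```java
import java.util.List;

// Added sketch: stand-in types only, not Keycloak's authenticator SPI.
public class AccountChooserSketch {
    enum Outcome { SHOW_CHOOSER, SUCCESSFUL, ATTEMPTED }

    // Stand-in for the slot read via ClientSessionModel.getAuthenticatedUser.
    static final class Session {
        String authenticatedUser; // null means no user is set
    }

    // Entry: the page is shown unless the cookie is empty and no user is set.
    static Outcome onEntry(List<String> accountsUsedCookie, Session s) {
        boolean nothingToChoose =
            accountsUsedCookie.isEmpty() && s.authenticatedUser == null;
        // Assumption: a skipped chooser reports ATTEMPTED so Forms still runs.
        return nothingToChoose ? Outcome.ATTEMPTED : Outcome.SHOW_CHOOSER;
    }

    // Selection: null stands for "no account chosen".
    static Outcome onSelection(String selected, Session s) {
        // The null check comes first so that null == null is never SUCCESSFUL.
        if (selected != null && selected.equals(s.authenticatedUser)) {
            return Outcome.SUCCESSFUL;
        }
        s.authenticatedUser = selected; // sets the chosen user, or clears on null
        return Outcome.ATTEMPTED;       // a later authenticator must still succeed
    }

    public static void main(String[] args) {
        Session s = new Session();
        // Constructed inputs: "alice" is a made-up account name.
        System.out.println(onEntry(List.of(), s));        // empty cookie, no user
        System.out.println(onEntry(List.of("alice"), s)); // cookie lists one account
        System.out.println(onSelection("alice", s));      // differs from current user
        System.out.println(onSelection("alice", s));      // matches current user
        System.out.println(onSelection(null, s));         // clears the user
        System.out.println(onSelection(null, s));         // nothing set, nothing chosen
    }
}
```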