[keycloak-dev] PAM conversations- Custom login form

Stian Thorgersen sthorger at redhat.com
Tue Aug 23 07:26:26 EDT 2016


I thought we were just going to do password and OTP in a single field?

On 18 July 2016 at 23:53, Bruno Oliveira <abstractj at redhat.com> wrote:

> Good morning,
>
>
> Today, to authenticate against PAM with just simple username/password, I
> implemented UserFederationProvider and added the proper PAM login to
> validCredentials[1]. This covers the most basic scenario.
>
> Now I would like to cover a more complex scenario like OTP and change
> the flow a little bit like this:
>
> 1. User provides her username
> 2. The next screen asks to provide how many factors our user has (for
> example: OTP, password). We just don't know, PAM will tell what's next.
> 3. We authenticate against it
>
> To see in practice against FreeIPA server, I just recorded it
> for a practical example[2].
>
> What would be the best approach to implement this flow? I was considering
> moving my authentication logic out of the SSSD federation provider and
> creating a PAM authenticator.
>
> Does it make sense?
>
> [1] - http://www.keycloak.org/docs/javadocs/org/keycloak/models/UserFederationProvider.html#validCredentials-org.keycloak.models.RealmModel-org.keycloak.models.UserCredentialModel-
>
> [2] - https://asciinema.org/a/atwnfbu0kqfasjl65weyoiz7a
>
> --
>
> abstractj
> PGP: 0x84DC9914