[keycloak-dev] new credential SPI
Bill Burke
bburke at redhat.com
Tue Aug 23 10:39:37 EDT 2016
On 8/23/16 10:12 AM, Marek Posolda wrote:
> Regarding SPNEGO, I remember we discussed it on ML few years ago and
> agreed on doing it at UserFederation level. However that was before we
> had Authentication SPI :-)
>
> So yes, maybe we can refactor now?
>
> What we can do is:
> - Add keytab, kerberos principal and "debug" as properties of
> SPNEGOAuthenticator.
> - If the user is successfully authenticated by SPNEGOAuthenticator, he will
> be looked up by UserFederationStorage. If found, then authentication
> finished with success (so the case when the user is in LDAP is still
> supported). If he is not found, then he is lazily created (typically
> the use case for SPNEGO/Kerberos not backed by LDAP)
>
> This shouldn't be too hard to do though.
>
> Regarding multiple handshakes, this is still a valid requirement IMO?
> There are authentication mechanisms like SASL, which rely on
> multiple handshakes. Keycloak is currently around passwords and
> OTP, but people may want to add their own credential types, or in the
> future we can add more mechanisms, which can require multiple handshakes?
>
It really depends on what's involved with the handshake. Protocol stuff
should not be in the storage SPI. We already do multiple handshakes
with Kerberos in the Kerberos authenticator. SASL is a protocol and
thus should be handled at the Authenticator level. Maybe we need a
status object for isValid, I don't know.
Bill