[keycloak-dev] new credential SPI

Marek Posolda mposolda at redhat.com
Wed Aug 24 04:56:54 EDT 2016


On 23/08/16 16:39, Bill Burke wrote:
>
>
> On 8/23/16 10:12 AM, Marek Posolda wrote:
>> Regarding SPNEGO, I remember we discussed it on the ML a few years ago and 
>> agreed on doing it at the UserFederation level. However, that was before 
>> we had the Authentication SPI :-)
>>
>> So yes, maybe we can refactor now?
>>
>> What we can do is:
>> - Add keytab, Kerberos principal and "debug" as properties of 
>> SPNEGOAuthenticator.
>> - If the user is successfully authenticated by SPNEGOAuthenticator, he 
>> will be looked up by UserFederationStorage. If found, then 
>> authentication finishes with success (so the case when the user is in 
>> LDAP is still supported). If he is not found, then he is lazily 
>> created (typically the use case for SPNEGO/Kerberos not backed by LDAP).
>>
>> This shouldn't be too hard to do though.
>>
>> Regarding multiple handshakes, this is still a valid requirement IMO? 
>> There are authentication mechanisms like SASL which involve 
>> multiple handshakes. Keycloak is currently built around passwords and 
>> OTP, but people may want to add their own credential types, or in the 
>> future we can add more mechanisms which can require multiple 
>> handshakes?
>>
> Really depends on what's involved in the handshake.  Protocol stuff 
> should not be in the storage SPI.  We already do multiple handshakes 
> with Kerberos in the Kerberos authenticator.  SASL is a protocol and 
> thus should be handled at the Authenticator level. Maybe we need a 
> status object for isValid, I don't know.
I don't know either... Not sure where exactly the border between 
protocol and credential storage is, and ATM I don't have any more concrete 
use case using multi-step credential handshakes (assuming we refactor 
SPNEGO; I've created a JIRA for that: 
https://issues.jboss.org/browse/KEYCLOAK-3466 )

Maybe it's fine to use "boolean" and then later replace it if there is a 
request for multi-step credential handshakes? It also depends on whether we 
are allowed to make later changes in the SPI or not...

Marek
>
> Bill
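The two design points argued over above (a status object instead of a boolean from credential validation so that SASL-style multi-handshake mechanisms fit, and the authenticator doing the user lookup plus lazy creation after a successful SPNEGO-style authentication) as an added sketch. This is illustration code written for this thread, not Keycloak's Credential SPI or any code from the project: the `ValidationStatus`, `CredentialValidator` and `Authenticator` types, the toy two-step challenge/response mechanism, and the `Map` standing in for `UserFederationStorage` are all assumptions made here.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;

// Added sketch for this thread; a hypothetical API shape, NOT Keycloak's Credential SPI.
class HandshakeSketch {

    /** What a single validation step reports instead of a bare boolean. */
    enum Outcome { SUCCESS, FAILURE, CONTINUE }

    static final class ValidationStatus {
        final Outcome outcome;
        final String challenge; // set only for CONTINUE: what to send back to the client
        final Object state;     // opaque per-handshake state the validator wants back next step

        private ValidationStatus(Outcome outcome, String challenge, Object state) {
            this.outcome = outcome;
            this.challenge = challenge;
            this.state = state;
        }
        static ValidationStatus success() { return new ValidationStatus(Outcome.SUCCESS, null, null); }
        static ValidationStatus failure() { return new ValidationStatus(Outcome.FAILURE, null, null); }
        static ValidationStatus next(String challenge, Object state) {
            return new ValidationStatus(Outcome.CONTINUE, challenge, state);
        }
    }

    /** Hypothetical validator contract: called once per client round trip. */
    interface CredentialValidator {
        ValidationStatus validate(String username, String input, Object state);
    }

    /** One-step check; behaves exactly like a boolean isValid(). */
    static final class PasswordValidator implements CredentialValidator {
        private final Map<String, String> passwords;
        PasswordValidator(Map<String, String> passwords) { this.passwords = passwords; }
        public ValidationStatus validate(String username, String input, Object state) {
            String stored = passwords.get(username);
            return stored != null && stored.equals(input)
                    ? ValidationStatus.success() : ValidationStatus.failure();
        }
    }

    /** Toy two-step challenge/response standing in for a SASL-like multi-handshake mechanism. */
    static final class ChallengeResponseValidator implements CredentialValidator {
        private final Map<String, String> secrets;
        ChallengeResponseValidator(Map<String, String> secrets) { this.secrets = secrets; }
        public ValidationStatus validate(String username, String input, Object state) {
            if (state == null) {
                // Step 1: no response yet, so issue a challenge and hand it back as state.
                String nonce = "nonce-" + Integer.toHexString(username.hashCode()); // toy nonce; real code uses SecureRandom
                return ValidationStatus.next(nonce, nonce);
            }
            // Step 2: the client must have combined the challenge with the shared secret.
            String secret = secrets.get(username);
            String expected = state + ":" + secret;
            return secret != null && expected.equals(input)
                    ? ValidationStatus.success() : ValidationStatus.failure();
        }
    }

    /**
     * The authenticator owns the protocol loop, so the storage layer never sees handshake state.
     * After SUCCESS it looks the user up and lazily creates a local user if absent,
     * the flow proposed in the thread for SPNEGO not backed by LDAP.
     */
    static final class Authenticator {
        final Map<String, String> userStore = new HashMap<>(); // stands in for UserFederationStorage

        boolean authenticate(CredentialValidator v, String username, Function<String, String> client) {
            Object state = null;
            String input = client.apply(null); // initial input: a password, or null for challenge flows
            while (true) {
                ValidationStatus s = v.validate(username, input, state);
                if (s.outcome == Outcome.SUCCESS) {
                    userStore.computeIfAbsent(username, u -> "lazily-created:" + u);
                    return true;
                }
                if (s.outcome == Outcome.FAILURE) return false;
                state = s.state;
                input = client.apply(s.challenge); // CONTINUE: round-trip the challenge to the client
            }
        }
    }

    public static void main(String[] args) {
        Map<String, String> db = new HashMap<>(); // constructed sample credentials
        db.put("alice", "s3cret");
        Authenticator auth = new Authenticator();
        auth.userStore.put("alice", "existing");

        boolean pw = auth.authenticate(new PasswordValidator(db), "alice", c -> "s3cret");
        boolean bad = auth.authenticate(new ChallengeResponseValidator(db), "bob",
                c -> c == null ? null : c + ":nope");
        db.put("bob", "hunter2");
        boolean ok = auth.authenticate(new ChallengeResponseValidator(db), "bob",
                c -> c == null ? null : c + ":hunter2");
        System.out.println(pw + " " + bad + " " + ok + " " + auth.userStore.get("bob"));
    }
}
```

The point of the shape is that a one-step validator is just the degenerate case (it never returns CONTINUE), so a boolean-returning SPI could be widened to this later without changing what single-step validators do; the per-handshake state travels in the status object rather than in storage.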