[keycloak-dev] PAM conversations - Custom login form

Bruno Oliveira abstractj at redhat.com
Mon Jul 18 17:53:44 EDT 2016


Good morning,


Today, to authenticate against PAM with just a simple username/password, I
implemented UserFederationProvider and added the proper PAM login to
validCredentials[1]. This covers the most basic scenario.

Now I would like to cover a more complex scenario like OTP and change
the flow a little bit like this:

1. User provides her username
2. The next screen asks to provide how many factors our user has (for
example: OTP, password). We just don't know; PAM will tell what's next.
3. We authenticate against it

To see it in practice against a FreeIPA server, I just recorded it
as a practical example[2].

What would be the best approach to implement this flow? I was considering
moving my authentication logic out of the SSSD federation provider and creating
a PAM authenticator.

Does it make sense?

[1] - http://www.keycloak.org/docs/javadocs/org/keycloak/models/UserFederationProvider.html#validCredentials-org.keycloak.models.RealmModel-org.keycloak.models.UserCredentialModel-

[2] - https://asciinema.org/a/atwnfbu0kqfasjl65weyoiz7a

--

abstractj
PGP: 0x84DC9914
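
PAM hands its prompts to the application through a blocking conversation callback, while a browser login is a series of separate requests. The following is an added example, not code from this message or from Keycloak, showing one way to bridge the two so that each prompt becomes one form step; `PamConversationBridge`, `Prompt` and the backend lambda are hypothetical names, and the prompt texts and typed values are constructed.

```java
import java.util.concurrent.*;
import java.util.function.Function;
/** Bridges a blocking, PAM-style conversation callback to step-by-step login forms. */
public class PamConversationBridge {
    /** One backend prompt; echo=false means render a password-type field. */
    record Prompt(String text, boolean echo) {}
    private static final Prompt DONE = new Prompt("", false);  // sentinel: conversation over
    private final BlockingQueue<Prompt> prompts = new LinkedBlockingQueue<>();
    private final BlockingQueue<String> answers = new LinkedBlockingQueue<>();
    private final Future<Boolean> result;

    /** backend: hypothetical stand-in for the PAM call; it invokes the conversation once per prompt. */
    PamConversationBridge(ExecutorService pool, Function<Function<Prompt, String>, Boolean> backend) {
        result = pool.submit(() -> {
            try { return backend.apply(this::converse); }
            finally { prompts.add(DONE); }                     // always release the waiting web side
        });
    }

    // Runs on the worker thread: publish the prompt, then block until the user answers.
    private String converse(Prompt p) {
        prompts.add(p);
        try {
            String a = answers.poll(60, TimeUnit.SECONDS);     // abandoned logins must not pin a thread
            if (a == null) throw new IllegalStateException("login timed out");
            return a;
        } catch (InterruptedException e) { throw new IllegalStateException(e); }
    }

    /** Next form to render, or null once the backend has finished. */
    Prompt nextPrompt() throws InterruptedException {
        Prompt p = prompts.take();
        return p == DONE ? null : p;
    }
    void answer(String value) { answers.add(value); }
    boolean succeeded() throws Exception { return result.get(); }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newCachedThreadPool();
        // Constructed backend asking for two factors; '&' (not '&&') so both prompts are always shown.
        PamConversationBridge b = new PamConversationBridge(pool, conv ->
            "secret".equals(conv.apply(new Prompt("First Factor: ", false)))
                & "123456".equals(conv.apply(new Prompt("Second Factor: ", false))));
        String[] typed = {"secret", "123456"};                 // constructed user input
        int i = 0;
        for (Prompt p; (p = b.nextPrompt()) != null; ) b.answer(typed[i++]);
        System.out.println("authenticated=" + b.succeeded());
        pool.shutdown();
    }
}
```

The web layer never needs to know in advance how many factors exist: it renders whatever `nextPrompt()` returns and stops when it returns null.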

