[keycloak-dev] Decoupled channel authentication (Google Push Authn)

Stian Thorgersen sthorger at redhat.com
Wed Jun 27 15:36:43 EDT 2018


What I had in mind with websocket was something along the lines of: the web
page listens for an event filtered on the authentication session id, and the
callback would trigger an event with the authentication session id. It would
be nice if the authenticator SPI would also allow adding callback endpoints
without having to create a realm resource for it.

On Wed, 27 Jun 2018 at 21:31, Stian Thorgersen <sthorger at redhat.com> wrote:

> I haven't tried, but you should be able to use authentication notes
> instead:
>
> ctx.getAuthenticationSession().get/setAuthNote
>
> On Wed, 27 Jun 2018 at 10:45, James Holland <james.holland at outlook.com>
> wrote:
>
>> Hi Stian, thanks for this :-)
>>
>> AuthenticationFlowContext & UserSessionProvider no longer have methods to
>> get the ClientSessionModel to lookup the user session, any suggestion on
>> how to get this in 4.0.0.Final? I was looking at
>> AuthenticationSessionProvider?
>>
>> I agree with you wrt your points 1 & 2, websocket callback is
>> something I'm working on separately, but only as a method of telling the
>> waiting page to refresh instead of polling; just need a distributed Pub/sub
>> & filter (so only the specific sessions get called.)
>>
>> Regards James
>>
>>
>> Stian Thorgersen wrote on 27/06/2018 07:25:
>>
>> Hi,
>>
>> Take a look at https://github.com/stianst/authenticator-example. It's
>> just a POC, but it does pretty much what you're after with regards to an
>> out-of-band authenticator.
>>
>> Now to make it nice there are two aspects that need to be worked on:
>>
>> 1. Support for additional multi factor mechanisms - users should be able
>> to choose between available means, pluggable support including
>> configuration, etc. I hope this is something we'll be working on soon.
>> 2. Push-based out-of-band - we need some concept of authentication
>> events that the authenticator web page can wait for. I would assume this
>> would use websockets.
>>
>> For Google prompt it would be nice to have that available OOTB, but it
>> does depend on #1 to allow us to properly support more than one multi
>> factor in a realm.
>>
>> On Mon, 25 Jun 2018 at 11:23, James Holland <james.holland at outlook.com>
>> wrote:
>>
>>> I've added the feature request
>>> https://issues.jboss.org/browse/KEYCLOAK-7675 for this.
>>
>>
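
The session-filtered notification discussed in this thread, as an added example (not code from the thread or from Keycloak): a single-node, in-memory dispatcher keyed by authentication session id. `AuthSessionEventBus` and its methods are hypothetical names; the event only tells the waiting page to refresh, so the authenticator still decides the outcome from server-side state.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Hypothetical helper, not a Keycloak class: wakes only the page waiting on one authentication session.
public class AuthSessionEventBus {
    // authentication session id -> action that tells that page to refresh (e.g. a websocket send)
    private final Map<String, Runnable> waiting = new HashMap<>();
    // ids whose callback arrived before the page subscribed; expire these with the session in real use
    private final Set<String> pending = new HashSet<>();

    // Called when the waiting page opens its websocket.
    public synchronized void subscribe(String authSessionId, Runnable refresh) {
        if (pending.remove(authSessionId)) {
            refresh.run();                       // callback won the race: notify immediately
        } else {
            waiting.put(authSessionId, refresh);
        }
    }

    // Called when the websocket closes, so stale listeners do not accumulate.
    public synchronized void unsubscribe(String authSessionId) {
        waiting.remove(authSessionId);
    }

    // Called by the out-of-band callback. Returns true if a waiting page was woken.
    public synchronized boolean publish(String authSessionId) {
        Runnable refresh = waiting.remove(authSessionId);   // one-shot delivery
        if (refresh == null) {
            pending.add(authSessionId);
            return false;
        }
        refresh.run();
        return true;
    }

    public static void main(String[] args) {
        AuthSessionEventBus bus = new AuthSessionEventBus();
        List<String> woken = new ArrayList<>();
        // Constructed session ids for illustration.
        bus.subscribe("sess-A", () -> woken.add("A"));
        bus.subscribe("sess-B", () -> woken.add("B"));
        bus.publish("sess-A");                   // only A's page is told to refresh
        bus.publish("sess-C");                   // callback arrives before the page connects
        bus.subscribe("sess-C", () -> woken.add("C"));
        System.out.println(woken);
    }
}
```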

