[keycloak-user] Authentication level realm

Marek Posolda mposolda at redhat.com
Tue Sep 6 02:33:06 EDT 2016


We plan to add support for "acr" from OIDC specification. See 
https://issues.jboss.org/browse/KEYCLOAK-3314 .

Until then, you can possibly use a workaround and add your own 
authentication flow with authenticator implementations. For example, 
based on redirect_uri (which will be different for the more "secure" part of 
your application) you will allow (or not allow) cookie authentication, 
and for the more secure part you will ensure that the OTP authenticator is 
used.

Marek

On 01/09/16 16:54, Steve Favez wrote:
> Dear all,
> I need to implement the following use case.
>
> My web application is authenticated against a given realm on keycloak, 
> using a simple user / password authentication model. But a part of my 
> web app would require a stronger authentication mechanism (a second 
> factor in fact) based on the current user.
>
> What's the "best" solution using keycloak? I was thinking of two 
> different solutions:
> 1. add an attribute in my OIDC token that could be named "level", and 
> having an adapter that would check the level of the token, and if not 
> corresponding, redirect to the realm that would ask for the second 
> factor of authentication
> 2. Create a "2FA" realm, that would rely on the simple authentication 
> realm... but is it possible in the same web app (I mean, to use two 
> realms)?
>
> Open to any ideas
>
> Thanks
>
> St
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
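Marek's redirect_uri-based workaround, sketched as an added example that is neither code from this thread nor Keycloak's own: it assumes the current Authenticator SPI (2016-era releases read the same value through getClientSession()), a hypothetical package and class name, and a hypothetical secure-path prefix.

```java
package com.example.keycloak; // hypothetical package, not part of Keycloak

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.authenticators.browser.OTPFormAuthenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

// Step-up OTP authenticator for the workaround described in the thread.
// Place it as a REQUIRED execution after Username/Password in a copy of the
// browser flow's forms sub-flow; it asks for OTP only when the login is for
// the "secure" part of the application, recognised by its redirect_uri.
// (The AuthenticatorFactory and META-INF/services entry are omitted.)
public class RedirectUriOtpAuthenticator extends OTPFormAuthenticator {
    // Hypothetical value; read it from the authenticator config in practice.
    static final String SECURE_PREFIX = "https://app.example.com/secure/";

    static boolean isSecurePart(String redirectUri) {
        // Keycloak has already validated redirect_uri against the client's
        // registered redirect URIs, so this prefix is only as trustworthy
        // as that registration: no wildcard may also cover the secure area.
        return redirectUri != null && redirectUri.startsWith(SECURE_PREFIX);
    }

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        String redirectUri = context.getAuthenticationSession().getRedirectUri();
        if (!isSecurePart(redirectUri)) {
            context.success();  // ordinary part: password alone is enough
            return;
        }
        UserModel user = context.getUser();
        if (!super.configuredFor(context.getSession(), context.getRealm(), user)) {
            // No OTP enrolled yet: enrolment becomes a required action that
            // Keycloak completes (with a code check) before issuing tokens,
            // so the secure area is still not reached without OTP.
            user.addRequiredAction(UserModel.RequiredAction.CONFIGURE_TOTP);
            context.success();
            return;
        }
        super.authenticate(context);  // OTP form; inherited action() validates it
    }

    // Always "configured", so the engine calls authenticate() and the
    // redirect_uri decision above is what decides, not OTP enrolment.
    @Override
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
        return true;
    }
}
```

A login satisfied by the SSO cookie never enters the forms sub-flow, so the cookie execution needs the same redirect_uri decision, as Marek says, or a user with a valid session would reach the secure part without OTP.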
