[keycloak-user] Switch User enhancement - How best to modify Browser Flow

Dominik Guhr pinguwien at gmail.com
Wed May 2 14:06:48 EDT 2018


Hi Ryan,

we handled this with a specific querystring (&login=manual), which is 
checked by our custom authenticator and then stops the spnego login 
execution, so keycloak falls back to the normal browser form. Our use case 
was simply "logout and login as another user", so we didn't want an 
extra interrupt of the auto-login process, for the convenience of most users. 
Instead, the user has to manually "log out" and then does not get 
automatically re-logged in as himself (as per spnego ticket), but can 
log in as another user.

But(!), no matter whether you use your solution or something similar to 
mine, keep in mind that your spnego/kerberos ticket is active in the 
whole(!) browser. So, when you have more than one tab with the same 
application or another one of the same realm open, 1 with autologin, 1 
with a manually logged in other user, keycloak throws an already-
authenticated exception ("you're logged in as another user...").

We had this error coming up quite often in the dev environments, which 
were all clients in one realm at first. After a little talk here, I used 
one realm per environment (say local, dev, qa, ...) as a workaround. 
There's no simple fix from the keycloak side I think, because that's 
just the way the ticketing at spnego/kerberos works, as far as I understand.

Best regards,
Dominik


Am 02.05.18 um 19:29 schrieb Ryan Slominski:
> Hi Keycloak Users,
>      I'm looking for suggestions on ways to configure a Keycloak realm to allow Kerberos SPNEGO, but at the same time also allow switching users.  I've made some suggestions to the existing enhancement JIRA here:
> 
> https://issues.jboss.org/browse/KEYCLOAK-1727
> 
> I'd like to consider a "continue as $username" button in the event SPNEGO worked instead of automatically returning successful login.  I'm looking at the Authentication API and Browser Flow docs:
> 
> https://www.keycloak.org/docs/latest/server_development/index.html#_auth_spi
> 
> Perhaps we could create a "Check if SPNEGO Worked and Prompt to Confirm" Authenticator and assign it an Execution Requirement of "Required", and configure the Browser Login flow to include the new Authenticator after the Kerberos Execution, but before the Forms subflow.  The logic in the new Authenticator might look like:
> 
> if (SPNEGO worked) {
>    // Show special form with button labeled "Continue as $username" beside a regular username/password form.  This way user can choose to switch users or just continue as the OS user.
> } else {
>    // Continue with regular form subflow as usual.
> }
> 
> Does the Authenticator API support this?
> 
> Thanks,
> 
> Ryan
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> 
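The two mechanisms discussed in this thread, Dominik's `&login=manual` query-string gate and Ryan's "Continue as $username" confirmation step, sketched as one Keycloak Authenticator. This is an added example, not code from either poster; it assumes the execution sits in the browser flow after the Kerberos execution with the SPNEGO user already on the context, that a `confirm-user.ftl` template posting a `choice` form field exists in the theme, and that the `AuthenticatorFactory` registration is done separately.

```java
// Added example (not from the thread). Hypothetical names: ConfirmSpnegoUserAuthenticator,
// confirm-user.ftl and the "choice" form field; the Keycloak SPI calls are real.
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;

public class ConfirmSpnegoUserAuthenticator implements Authenticator {

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        UserModel spnegoUser = context.getUser(); // set by the Kerberos execution if SPNEGO worked
        String loginMode = context.getUriInfo().getQueryParameters().getFirst("login");

        if (spnegoUser == null || "manual".equals(loginMode)) {
            // SPNEGO authenticated nobody, or the caller asked for the manual form:
            // drop any ticket-derived identity before the forms subflow runs.
            context.clearUser();
            context.attempted();
            return;
        }
        // SPNEGO worked: ask before continuing as the OS user instead of auto-completing.
        Response challenge = context.form()
                .setAttribute("username", spnegoUser.getUsername())
                .createForm("confirm-user.ftl"); // renders "Continue as" and "Switch user" buttons
        context.challenge(challenge);
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        if ("continue".equals(form.getFirst("choice")) && context.getUser() != null) {
            context.success();   // keep the Kerberos-authenticated user
        } else {
            context.clearUser(); // never carry the ticket identity into the password form
            context.attempted(); // hand over to the forms subflow
        }
    }

    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

Which Execution Requirement lets `attempted()` fall through to the forms subflow differs between Keycloak versions, so verify the flow against the engine of the release in use. Dominik's caveat still applies: clearing the user here does not revoke the browser-wide Kerberos ticket, so a second tab can still auto-login.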
