[keycloak-user] Switch User enhancement - How best to modify Browser Flow
Dominik Guhr
pinguwien at gmail.com
Wed May 2 14:06:48 EDT 2018
Hi Ryan,
we handled this with a specific query string (&login=manual), which is
checked by our custom authenticator and then stops the SPNEGO login
execution, so Keycloak falls back to the normal browser form. The use case
was simply "log out and log in as another user", so we didn't want an
extra interrupt of the auto-login process, for the convenience of most users.
Instead, the user has to manually "log out" and then does not get
automatically re-logged in as himself (as per the SPNEGO ticket), but can
log in as another user.
But(!) no matter whether you use your solution or something similar to
mine, keep in mind that your SPNEGO/Kerberos ticket is active in the
whole(!) browser. So, when you have more than one tab open with the same
application or another one of the same realm, one with auto-login and one
with a manually logged-in other user, Keycloak throws an
already-authenticated exception ("you're logged in as another user...").
We had this error coming up quite often in the dev environments, which
were all clients in one realm at first. After a little talk here, I used
one realm per environment (say local, dev, qa, ...) as a workaround.
There's no simple fix from the Keycloak side I think, because that's
just the way the ticketing in SPNEGO/Kerberos works, as far as I understand.
Best regards,
Dominik
On 02.05.18 at 19:29, Ryan Slominski wrote:
> Hi Keycloak Users,
> I'm looking for suggestions on ways to configure a Keycloak realm to allow Kerberos SPNEGO, but at the same time also allow switching users. I've made some suggestions to the existing enhancement JIRA here:
>
> https://issues.jboss.org/browse/KEYCLOAK-1727
>
> I'd like to consider a "continue as $username" button in the event SPNEGO worked instead of automatically returning successful login. I'm looking at the Authentication API and Browser Flow docs:
>
> https://www.keycloak.org/docs/latest/server_development/index.html#_auth_spi
>
> Perhaps we could create a "Check if SPNEGO Worked and Prompt to Confirm" Authenticator and assign it an Execution Requirement of "Required", and configure the Browser Login flow to include the new Authenticator after the Kerberos Execution, but before the Forms subflow. The logic in the new Authenticator might look like:
>
> if (SPNEGO worked) {
>     // Show special form with button labeled "Continue as $username" beside a regular username/password form. This way user can choose to switch users or just continue as the OS user.
> } else {
>     // Continue with regular form subflow as usual.
> }
>
> Does the Authenticator API support this?
>
> Thanks,
>
> Ryan
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
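The following is an added example, not code from either message in this thread or from the Keycloak project. It sketches the approach Dominik describes: a custom Authenticator that replaces the built-in Kerberos execution in a copy of the browser flow, and skips the SPNEGO negotiation entirely when the login URL carries login=manual, so the flow falls through to the forms sub-flow. It wraps the stock org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator for the normal path. The package and class names, the provider id, and the query-parameter name and value are assumptions; it also assumes (as in the thread) that the parameter is still on the URL when the flow runs, which holds because the browser repeats the same /auth URL when it answers the 401 Negotiate challenge.

```java
package com.example.keycloak; // assumed package; not part of Keycloak

import java.util.Collections;
import java.util.List;

import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

/**
 * Kerberos/SPNEGO authenticator that can be told to stand down.
 * With ...&login=manual on the login URL it marks itself "attempted"
 * without sending WWW-Authenticate: Negotiate, so an ALTERNATIVE
 * forms sub-flow later in the browser flow is what the user sees.
 */
public class ManualLoginSpnegoAuthenticator implements Authenticator {

    // Assumed parameter name/value; any client can append them to its login URL.
    static final String PARAM = "login";
    static final String VALUE = "manual";

    // Stock Keycloak SPNEGO authenticator handles the normal negotiate path.
    private final Authenticator spnego = new SpnegoAuthenticator();

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        String requested = context.getUriInfo().getQueryParameters().getFirst(PARAM);
        if (VALUE.equals(requested)) {
            // No 401 challenge at all: the browser never gets a chance to
            // present the OS ticket, and the flow moves on to the forms.
            context.attempted();
            return;
        }
        // Both the initial challenge and the retry carrying the SPNEGO token
        // arrive here; the wrapped authenticator tells them apart itself.
        spnego.authenticate(context);
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        spnego.action(context);
    }

    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }

    /** Factory registered in META-INF/services/org.keycloak.authentication.AuthenticatorFactory. */
    public static class Factory implements AuthenticatorFactory {
        public static final String ID = "spnego-manual-login"; // assumed provider id

        private static final AuthenticationExecutionModel.Requirement[] REQUIREMENTS = {
            AuthenticationExecutionModel.Requirement.ALTERNATIVE,
            AuthenticationExecutionModel.Requirement.DISABLED
        };

        @Override public String getId() { return ID; }
        @Override public String getDisplayType() { return "Kerberos (skippable with login=manual)"; }
        @Override public String getReferenceCategory() { return "kerberos"; }
        @Override public boolean isConfigurable() { return false; }
        @Override public AuthenticationExecutionModel.Requirement[] getRequirementChoices() { return REQUIREMENTS; }
        @Override public boolean isUserSetupAllowed() { return false; }
        @Override public String getHelpText() {
            return "SPNEGO login that is skipped when the login URL contains login=manual.";
        }
        @Override public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }
        @Override public Authenticator create(KeycloakSession session) { return new ManualLoginSpnegoAuthenticator(); }
        @Override public void init(Config.Scope config) { }
        @Override public void postInit(KeycloakSessionFactory factory) { }
        @Override public void close() { }
    }
}
```

To use it, list com.example.keycloak.ManualLoginSpnegoAuthenticator$Factory in the services file, copy the Browser flow, swap the built-in Kerberos execution for this one with requirement ALTERNATIVE, and leave the Forms sub-flow as the other ALTERNATIVE. This does nothing about the caveat raised above: the OS ticket is still valid for the whole browser, so a second tab that reaches Keycloak without the parameter will again be logged in via SPNEGO and can collide with a manually logged-in session in the same realm.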