[keycloak-user] direct access grant + kerberos

Fox, Kevin M Kevin.Fox at pnnl.gov
Thu May 30 20:07:37 EDT 2019


I tried this. But the plugin does not seem to support it:
        <div id="kc-error-message">
            <p class="instruction">Kerberos is not set up.  You cannot login.</p>
        </div>

I've verified that the endpoint does work with username/password before switching and that kerberos still works with websites.

Anyone know what it would take to update the plugin to support the direct flow?

Thanks,
Kevin
________________________________________
From: Dmitry Telegin [demetrio at carretti.pro]
Sent: Friday, May 24, 2019 9:01 AM
To: Fox, Kevin M; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] direct access grant + kerberos

Hello Kevin,

You could try cloning the default direct grant flow, adding Kerberos authenticator to it and removing everything else. This authenticator was initially developed for browser-based flows, so it might or might not work with direct grants. You'll need to figure that out - it could be that the authenticator might need to be adapted.

If you need to keep username+password authentication too, you should put the relevant authenticators into a subflow and make it alternative, the same way it is done in the default browser flow.

Good luck,
Dmitry Telegin

Carretti Consulting OÜ | Keycloak Consulting and Training
Sepapaja 6, Tallinn 15551, Estonia | info at carretti.pro

On Tue, 2019-05-21 at 17:48 +0000, Fox, Kevin M wrote:
> Is there a way to get back an id token by doing a direct access grant with kerberos negotiate instead of a password?
>
> Thanks,
> Kevin
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



