Skip kerberos sso authentication in keycloak

In certain cases we need to skip automatic login through Kerberos. According to the documentation this should be done through the parameter ?prompt=login:

prompt - Keycloak supports these settings:

  • login - SSO will be ignored and the Keycloak login page will always be shown, even if the user is already authenticated

This works in most cases (we also use an NTLM waffle implementation), but with Kerberos the user is always signed in automatically.

Any hint or idea why?
Are there alternative ways to force forwarding to the login page?

EDIT: The reason I need to skip the Kerberos authentication is that I need to log in with an admin account where I have to enter username and password.

EDIT2: We are using Keycloak.x version 14.0.0.

The parameter ?prompt=login will only skip the Cookie authenticator in your authentication flow. Execution of the Cookie authenticator will be marked as attempted but not as successful. So Keycloak will fall back to an alternative authenticator. I am assuming the Kerberos authenticator is configured as an alternative. If this is the case, you will be (automatically) authenticated by the Kerberos authenticator.

If you only need this behaviour for a particular client, you may want to create an additional authentication flow for that client without the Kerberos authenticator. Use Authentication flow overrides to configure the new flow for the client.

I just created a feature request with a possible solution on the code side:
skip kerberos SSO authentication to use login-form

Might be able to override the default SpnegoAuthenticator with a custom one containing the login parameter handling.
I patched and tested it in a kerberos environment and it worked.

```java
// Patched SpnegoAuthenticator.authenticate(): bail out with "attempted" when the
// client asked for prompt=login, so the flow falls through to the login form.
@Override
public void authenticate(AuthenticationFlowContext context) {
    // +++ BEGIN CHANGE +++
    // The OIDC prompt parameter is stored as a client note on the auth session.
    AuthenticationSessionModel session = context.getAuthenticationSession();
    Map<String, String> clientNotes = session.getClientNotes();

    if ("login".equals(clientNotes.get("prompt"))) {
        // Mark as attempted (not failed, not successful); the next alternative runs.
        logger.info("skip SPNEGO authenticator because of client requests login prompt: " + clientNotes); //$NON-NLS-1$
        context.attempted();
        return;
    }
    // +++ END CHANGE +++

    // Original behaviour: send a Negotiate challenge if no Authorization header yet.
    HttpRequest request = context.getHttpRequest();
    String authHeader = request.getHttpHeaders().getRequestHeaders().getFirst(HttpHeaders.AUTHORIZATION);
    if (authHeader == null) {
        Response challenge = challengeNegotiation(context, null);
        context.forceChallenge(challenge);
        return;
    }
    // ... the remainder of the original method body is not shown on the page
}
```
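The same idea packaged as a separate provider instead of a patch to Keycloak itself, as an added example (not the answerer's code): a subclass of SpnegoAuthenticator plus a factory that can be dropped into the browser flow in place of the stock Kerberos step. The package name, class names and the provider id are assumptions; the Keycloak types are the public SPI classes of the 14.x code base.

```java
package example.auth; // assumed package

import java.util.Map;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator;
import org.keycloak.authentication.authenticators.browser.SpnegoAuthenticatorFactory;
import org.keycloak.models.KeycloakSession;

/**
 * Kerberos/SPNEGO authenticator that honours ?prompt=login.
 * If the client requested an explicit login, the step is marked as "attempted"
 * so the flow continues to the next alternative (normally the username/password form)
 * instead of silently signing the user in with the Kerberos ticket.
 */
public class PromptAwareSpnegoAuthenticator extends SpnegoAuthenticator {

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // The OIDC "prompt" request parameter is kept as a client note on the auth session.
        Map<String, String> notes = context.getAuthenticationSession().getClientNotes();
        if ("login".equals(notes.get("prompt"))) {
            context.attempted();       // not success, not failure: let the flow fall through
            return;
        }
        super.authenticate(context);   // otherwise behave exactly like the stock SPNEGO step
    }

    /** Factory so the authenticator shows up as its own execution in the admin console. */
    public static class Factory extends SpnegoAuthenticatorFactory {
        public static final String PROVIDER_ID = "prompt-aware-spnego"; // assumed id
        private static final PromptAwareSpnegoAuthenticator SINGLETON = new PromptAwareSpnegoAuthenticator();

        @Override public String getId() { return PROVIDER_ID; }
        @Override public String getDisplayType() { return "Kerberos (honours prompt=login)"; }
        @Override public Authenticator create(KeycloakSession session) { return SINGLETON; }
    }
}
// Register the factory by listing its fully qualified name in
// META-INF/services/org.keycloak.authentication.AuthenticatorFactory inside the provider jar.
```

After deploying the jar, replace the "Kerberos" execution in the browser flow with this one; the cookie authenticator and the form are left as they are.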
