Uploaded image for project: 'Keycloak'
  1. Keycloak
  2. KEYCLOAK-310

Authentication SPI



    • Feature Request
    • Status: Closed
    • Major
    • Resolution: Done
    • None
    • 1.4.0.Final
    • None


      Currently we're hard-wired to supporting only Google Authenticator. This needs to be replaced with an SPI that makes it easy to add additional mechanism for multi-factor authentication.

      Same applies to main authentication mechanism.

      For beta1 we should at least support Google Authenticator as well as one more means of multi-factor.

      Multi-factor approaches we could support include: FreeOTP, YubiKey, email, SMS, printed otp lists

      When a user configures multi-factor the user should be able to choose from a menu of the available multi-factor and pick the one the users wants.

      A user should also be able to have multiple multi-factor mechanisms available. In this case the user can add/remove additional mechanisms through the acct mngmt. The user should be able to select one to use as default. One the login page the default mechanism should be shown by default, and the user only has to enter the code for that default and click submit. There should also be a drop-down (if the user has more than 1 configured) that lets the user select a different mechanism.

      For example a user may use Google Authenticator, but also have a printed list of OTP for backup.


        Issue Links



              patriot1burke@gmail.com Bill Burke (Inactive)
              sthorger@redhat.com Stian Thorgersen
              4 Vote for this issue
              4 Start watching this issue