Firstyear

Results 728 comments of Firstyear
That's the easy part here @Gorian - the hard part is AD doesn't expose userPassword hashes like LDAP does in winsync. Because of that, it means that we then need...

Not doing at this time, but happy to accept patches on. I think it'll have to start with adding async to the auth session handlers though, and that may not...

The barrier here is web browsers probably can't consume it. I think there were some possible attempts though ....

Probably SRV to start with. But I don't know if https://datatracker.ietf.org/doc/rfc9460/ is widely supported for browsers/dns servers yet, and I think the DNS rfc prohibits https from being a SRV....

This has certainly been on my radar for some time, I just hadn't made it a priority yet. I'm currently focused on refresh tokens and then some idm sync stuff,...

https://www.rfc-editor.org/rfc/rfc8628

@yaleman Can you explain more about the ssh/cli use case for me? I'm curious about it.

So it prompts for unix password I guess then does the device flow for the second/extra factors? I think given how device auth works, we'll have to "preauth" the flow...

So I'm guessing the value here is for non-kanidm ssh clients/auth? Because in Kanidm we'll be able to do passwordless flows with attested ssh keys in the future so it's...