[keycloak-dev] [keycloak-user] How to implement long user sso sessions with reauthentication for important actions?

Vlastimil Elias velias at redhat.com
Fri Nov 27 05:05:34 EST 2015


Hi,

moving this discussion to the devel forum as it is about the feature
development now.

Toplevel issue I created for this feature is
https://issues.jboss.org/browse/KEYCLOAK-2076

I added some notes and thoughts from my investigation as a comment to
the KEYCLOAK-2076, there are some open questions how to implement it.

Originally I thought I should be able to implement reauth support and
provide a PR.
But I must say I'm not sure now if I'm able to implement it, looks like
it is a bit more complicated than I originally expected, so probably
some Keycloak core developer should do it.
But if you think you will not have resources to do it in 1.8 then I can
try it (with your support), as I believe it is a very important feature,
and we really want to use it.

Cheers

Vlastimil



On 12.11.2015 14:50, Stian Thorgersen wrote:
>
>
> On 12 November 2015 at 14:49, Vlastimil Elias <velias at redhat.com
> <mailto:velias at redhat.com>> wrote:
>
>     Thanks for quick reply Stian.
>
>     I'm going to create JIRAs for all these things. I can volunteer to
>     implement some parts of this.
>
>     For the last one, it should be probably cool to have
>     "reauthenticate timeout" setting available in client section for
>     every client (not only internal admin console and account
>     management). It should allow simple implementation of "long user
>     sso session" scheme even in environments where some clients can't
>     be updated to set max_age on protocol level.
>
>
> Yep, that makes sense
>  
>
>
>     Vl.
>
>
>     On 12.11.2015 14:39, Stian Thorgersen wrote:
>>
>>
>>     On 12 November 2015 at 14:15, Vlastimil Elias <velias at redhat.com
>>     <mailto:velias at redhat.com>> wrote:
>>
>>         Hi,
>>
>>         I'd like to use the long session authentication mechanism known
>>         from many
>>         sites like Google, Facebook, LinkedIn etc.
>>         It is about really long user SSO sessions (eg. weeks or even
>>         months)
>>         with reauthentication for important actions when last
>>         authentication
>>         timestamp is older than some limit.
>>
>>         Is this somehow possible with current Keycloak server and
>>         Keycloak adapters?
>>
>>         I see few subquestions in this problem for our use:
>>
>>         *****
>>         open-id connect protocol defines few auth request parameters
>>         to support
>>         this use case, mainly max_age or prompt=login. Are they correctly
>>         implemented in Keycloak server?
>>
>>
>>     We don't have support for max_age and we only support prompt=none
>>     so these would have to be added
>>      
>>
>>
>>
>>         *****
>>         Wildfly/EAP adapter - is it possible and is there some
>>         example how to
>>         use "reauth if auth is older than 30min" action in Java app
>>         secured by
>>         this adapter? Or is info about last auth timestamp somehow
>>         available in
>>         the app?
>>
>>
>>     We don't set auth_time claim ATM so answer is no
>>      
>>
>>
>>
>>         *****
>>         Keycloak user account application itself - it is part of the
>>         Keycloak
>>         server, but it contains sensitive actions which typically require
>>         reauthentication in this long session scheme (password change,
>>         email
>>         change, ...). Is it somehow possible to configure Keycloak to
>>         force
>>         timeout reauth for this app?
>>
>>
>>     Not at the moment - but if we add what you want it would also
>>     make sense to add that. Would need to be configurable through the
>>     admin console. Would also be nice to have the same for the admin
>>     console itself.
>>      
>>
>>
>>         Thanks in advance
>>
>>         Vl.
>>
>>         --
>>         Vlastimil Elias
>>         Principal Software Engineer
>>         Developer Portal Engineering Team
>>
>>
>>
>>         _______________________________________________
>>         keycloak-user mailing list
>>         keycloak-user at lists.jboss.org
>>         <mailto:keycloak-user at lists.jboss.org>
>>         https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>
>     -- 
>     Vlastimil Elias
>     Principal Software Engineer
>     Developer Portal Engineering Team
>
>

-- 
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team
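
The OIDC pieces this thread asks for (max_age, prompt=login, the auth_time claim, and a per-action "reauthenticate if the last interactive login is older than N minutes" check) put together as an added example. It is not Keycloak or adapter code and was not posted by anyone in the thread. Assumptions: a constructed HS256 secret stands in for the realm key (Keycloak signs tokens with RS256 and the adapter verifies them against the realm public key; the auth_time check is the same either way), the endpoint URL, client id, nonces and timestamps are invented, and needs_reauth, reauth_request_url and check_reauth_response are names chosen here.

```python
"""Reauthentication window on top of a long SSO session, using OIDC
auth_time, max_age and prompt=login. Added example, not Keycloak code."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Constructed shared secret so the example runs offline. A real Keycloak
# realm uses RS256; the adapter verifies against the realm public key.
SECRET = b"constructed-demo-secret-not-a-real-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_id_token(claims: dict) -> str:
    """Build a constructed HS256 ID token (stand-in for the server)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_id_token(token: str) -> dict:
    """Verify the signature before trusting any claim, auth_time included.
    An unverified auth_time is just an attacker-chosen integer."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload))


def needs_reauth(claims: dict, max_age: int, now=None) -> bool:
    """True when the last interactive login is older than max_age seconds.
    A missing auth_time fails closed: in a session that may be weeks old,
    'unknown' must not pass a sensitive-action check."""
    now = int(time.time()) if now is None else now
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, int):
        return True
    return now - auth_time > max_age


def reauth_request_url(auth_endpoint, client_id, redirect_uri, max_age, state, nonce):
    """Authorization request that forces a fresh login. prompt=login always
    re-prompts; max_age lets the server decide from its own auth_time and
    obliges it to return auth_time in the ID token (OIDC Core 3.1.2.1)."""
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "max_age": str(max_age),
        "prompt": "login",
    }
    return f"{auth_endpoint}?{urlencode(params)}"


def check_reauth_response(token: str, max_age: int, expected_nonce: str, now=None) -> dict:
    """RP-side validation after the reauth round trip. The nonce binds the
    token to this request; without it an older ID token from the same SSO
    session could be replayed to satisfy the 'fresh login' requirement."""
    claims = verify_id_token(token)
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if "auth_time" not in claims:
        raise ValueError("auth_time missing although max_age was requested")
    if needs_reauth(claims, max_age, now):
        raise ValueError("auth_time too old for the requested max_age")
    return claims


if __name__ == "__main__":
    NOW = 1448611534          # constructed timestamp, roughly the thread date
    WINDOW = 30 * 60          # reauth if last login is older than 30 minutes
    # Long SSO session: logged in three weeks ago, token still valid.
    old = sign_id_token({"sub": "alice", "nonce": "n1", "auth_time": NOW - 21 * 86400})
    if needs_reauth(verify_id_token(old), WINDOW, NOW):
        print(reauth_request_url("https://sso.example.com/auth/realms/demo/protocol/openid-connect/auth",
                                 "portal", "https://portal.example.com/cb", WINDOW, "st1", "n2"))
    fresh = sign_id_token({"sub": "alice", "nonce": "n2", "auth_time": NOW - 5})
    print(check_reauth_response(fresh, WINDOW, "n2", NOW))
```

Two caveats worth keeping in mind when wiring this into an application: the adapter must only hand auth_time to the check after it has verified the token, and because the check fails closed on a missing auth_time, a server that does not yet emit the claim (as Stian says is the case at this point) would force reauthentication on every sensitive action rather than silently allowing it.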
