[keycloak-dev] [keycloak-user] How to implement long user sso sessions with reauthentication for important actions?

Fri Nov 27 06:22:18 EST 2015

Initially when you proposed this feature I underestimated how complicated
it would be as well. Reading the discussion on the issue you created I've
got a few comments:

* We need a new flow - users could want to require re-auth with password,
or with totp, or with both, etc..
* There's probably quite a few corner cases to cover - you've already
mentioned a few

It's a very nice to have feature, but I doubt have time to work on it for
1.8.

Is it something we can post-pone to 2.x or do you really need it now?

On 27 November 2015 at 11:05, Vlastimil Elias <velias at redhat.com> wrote:

> Hi,
>
> moving this discussion to the devel forum as it is about the feture
> development now.
>
> Toplevel issue I created for this feature is
> https://issues.jboss.org/browse/KEYCLOAK-2076
>
> I added some notes and thoughts from my investigation as a comment to the
> KEYCLOAK-2076, there are some open questions how to implement it.
>
> Originally I though I should be able to implement reauth support and
> provide PR.
> But I must say I'm not sure now if I'm able to implement it, looks like it
> is a bit more complicated than I originally expected, so probably some
> Keycloak core developer should do it.
> But if you think you will not have resources to do it in 1.8 then I can
> try it (with your support), as I believe it is a very important feature,
> and we really want use it.
>
> Cheers
>
> Vlastimil
>
>
>
>
> On 12.11.2015 14:50, Stian Thorgersen wrote:
>
>
>
> On 12 November 2015 at 14:49, Vlastimil Elias < <velias at redhat.com>
> velias at redhat.com> wrote:
>
>> Thanks for quick reply Stian.
>>
>> I'm going to create JIRAs for all these things. I can volunter to
>> implement some parts of this.
>>
>> For the last one, it should be probably cool to have "reauthenticate
>> timeout" setting available in client section for every client (not only
>> internal admin console and account management). It should allow simple
>> implementation of "long user sso session" scheme even in environments where
>> some clients can't be updated to set max_age on protocol level.
>>
>
> Yep, that makes sense
>
>
>>
>> Vl.
>>
>>
>> On 12.11.2015 14:39, Stian Thorgersen wrote:
>>
>>
>>
>> On 12 November 2015 at 14:15, Vlastimil Elias < <velias at redhat.com>
>> velias at redhat.com> wrote:
>>
>>> Hi,
>>>
>>> I'd like to use long session authentication mechanism known from many
>>> sites like google. facebook, linked in etc.
>>> It is about really long user SSO sessions (eg. weeks or even months)
>>> with reauthentication for important actions when last authentication
>>> timestamp is older than some limit.
>>>
>>> Is this somehow possible with current Keycloak server and Keycloak
>>> adapters?
>>>
>>> I see few subquestions in this problem for our use:
>>>
>>> *****
>>> open-id connect protocol defines few auth request parameters to support
>>> this use case, mainly max_age or prompt=login. Are they correctly
>>> implemented in Keycloak server?
>>>
>>
>> We don't have support for max_age and we only support prompt=none so
>> these would have to be added
>>
>>
>>>
>>>
>>> *****
>>> Wildfly/EAP adapter - is it possible and is there some example how to
>>> use "reauth if auth is older than 30min" action in Java app secured by
>>> this adapter? Or is info about last auth timestamp somehow available in
>>> the app?
>>>
>>
>> We don't set auth_time claim ATM so answer is no
>>
>>
>>>
>>>
>>> *****
>>> Keycloak user account application itself - it is part of the Keycloak
>>> server, but it contains sensitive actions which typically require
>>> reathentication in this long session scheme (password change, email
>>> change, ...). Is it somehow possible to configure Keycloak to force
>>> timeout reauth for this app?
>>>
>>
>> Not at the moment - but if we add what you want it would also make sense
>> to add that. Would need to be configurable through the admin console. Would
>> also be nice to have the same for the admin console itself.
>>
>>
>>>
>>> Thanks in advance
>>>
>>> Vl.
>>>
>>> --
>>> Vlastimil Elias
>>> Principal Software Engineer
>>> Developer Portal Engineering Team
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>> --
>> Vlastimil Elias
>> Principal Software Engineer
>> Developer Portal Engineering Team
>>
>>
>
> --
> Vlastimil Elias
> Principal Software Engineer
> Developer Portal Engineering Team
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20151127/31a1bca7/attachment.html 