[keycloak-dev] id_token_hint

Stian Thorgersen sthorger at redhat.com
Mon Oct 12 02:21:34 EDT 2015


I need some time to look into the use of id_token_hint as I'm not sure I
fully understand it. From what I've read so far I don't think the user
should be authenticated from the id_token_hint so no authenticator should
be required. It's only about checking the current logged-in user and seeing
if it's the same user as the application expects.

On 11 October 2015 at 17:34, Michael Gerber <gerbermichi at me.com> wrote:

> I’ve created a jira task for that:
> https://issues.jboss.org/browse/KEYCLOAK-1949
>
> I already did an implementation proposal of that task, what do you think
> of it?
>
> https://github.com/gerbermichi/keycloak/commit/0ef36f0ac446fcf70272f2aed05320c3a5083635
>
> On 09.10.2015, at 07:46, Michael Gerber <gerbermichi at me.com> wrote:
>
> As far as I understand it, we just have to create a new authenticator,
> check for the id_token_hint, if it is valid then we set the authenticated
> user, otherwise we send attempted.
>
> I can create a PR for that if it is that simple ;)
>
> Am 09. Oktober 2015 um 07:41 schrieb Stian Thorgersen <sthorger at redhat.com
> >:
>
> It wasn't on our road map, but it looks easy to add
>
> On 9 October 2015 at 07:16, Michael Gerber <gerbermichi at me.com> wrote:
>
>> Hi,
>> Do you have any plans to include the id_token_hint in the near future?
>> id_token_hint OPTIONAL. ID Token previously issued by the Authorization
>> Server being passed as a hint about the End-User's current or past
>> authenticated session with the Client. If the End-User identified by the ID
>> Token is logged in or is logged in by the request, then the Authorization
>> Server returns a positive response; otherwise, it SHOULD return an error,
>> such as login_required. When possible, an id_token_hint SHOULD be
>> present when prompt=none is used and an invalid_request error MAY be
>> returned if it is not; however, the server SHOULD respond successfully when
>> possible, even if it is not present. The Authorization Server need not be
>> listed as an audience of the ID Token when it is used as an id_token_hint
>> value. If the ID Token received by the RP from the OP is encrypted, to
>> use it as an id_token_hint, the Client MUST decrypt the signed ID Token
>> contained within the encrypted ID Token. The Client MAY re-encrypt the
>> signed ID token to the Authentication Server using a key that enables the
>> server to decrypt the ID Token, and use the re-encrypted ID token as the
>> id_token_hint value.
>> Best
>> Michael
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
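Stian's reading above (the hint only names which user the client expects; it never authenticates anyone) and the spec text Michael quoted, as an added example that is not part of this thread or of Keycloak: a server-side decision function for an authorization request carrying id_token_hint. The issuer, the HS256 demo key, the outcome names and the minted token are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo issuer and HS256 key for this example only; a real OP
# verifies the hint with the key it signed the ID Token with (Keycloak: RS256).
ISSUER = "https://op.example/realms/demo"
DEMO_KEY = b"demo-hs256-key-for-the-example-only"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def mint_id_token(sub: str, issued_at: int) -> str:
    """Constructed ID Token so the example runs offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "sub": sub, "aud": "my-client", "iat": issued_at}
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def evaluate_id_token_hint(id_token_hint: str, session_sub: Optional[str]) -> str:
    """How the OP answers an authorization request that carries id_token_hint.
    "proceed": the user already logged in (session_sub) is the one the hint names.
    "invalid_request": the hint is not a token this OP issued (bad alg/signature/iss).
    "login_required": nobody is logged in, or a different user is.
    The hint never logs anyone in; session_sub comes only from the existing session.
    """
    try:
        header_seg, payload_seg, sig_seg = id_token_hint.split(".")
        header = json.loads(b64url_decode(header_seg))
        claims = json.loads(b64url_decode(payload_seg))
        sig = b64url_decode(sig_seg)
    except ValueError:  # wrong segment count, bad base64url, bad JSON/UTF-8
        return "invalid_request"
    signed = f"{header_seg}.{payload_seg}".encode()
    expected = hmac.new(DEMO_KEY, signed, hashlib.sha256).digest()
    if header.get("alg") != "HS256" or not hmac.compare_digest(expected, sig):
        return "invalid_request"
    if claims.get("iss") != ISSUER:
        return "invalid_request"
    # Per the spec text quoted in the thread the OP need not appear in "aud", and the
    # hint may describe a past session, so neither aud nor exp is checked here.
    if session_sub is None or session_sub != claims.get("sub"):
        return "login_required"
    return "proceed"
```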