[keycloak-dev] Thinking about step-up authentication and token timeouts

Bill Burke bburke at redhat.com
Fri Apr 29 10:19:28 EDT 2016


Sounds great.  I hope we don't have to implement this for SAML too ;)

On 4/29/2016 12:02 AM, Stian Thorgersen wrote:
> Clients should be able to obtain tokens with reduced scope and longer 
> or shorter expiration, then later request new tokens with increased 
> scope and different expiration. They should also be able to require 
> different levels of authentication and also require re-authentication.
>
> An application may for example:
>
> * At first only need the user's email - this would allow showing the name + 
> email. In this situation a long expiration access token in combination 
> with implicit flow would do. It's also not necessary to 
> re-authenticate the user, and a user that has been logged in for months 
> or even a year is fine.
>
> * When a user clicks on orders it would require the password and 
> extend scope to be able to view orders. Now you'll want to switch to 
> short expiration access tokens and authorization code grant. You'll 
> also want to make sure the user logged in fairly recently; max 30 days 
> could be sensible.
>
> * When a user tries to purchase something the user now has to provide 
> the OTP to be able to purchase with saved credit card details. You'll 
> also want to make sure the user logged in very recently; max a day 
> could be required. There may also be cases where you always want the 
> user to re-authenticate, for example when trying to purchase something 
> over a certain price level.
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
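
The three tiers Stian sketches above (email only, orders behind a password, purchases behind an OTP with an always-re-authenticate rule above a price level) boil down to a policy check on four token claims plus a recipe for what the client asks for next. The following is an added example, not code from Keycloak or from either author: it evaluates a token's `exp`, `scope`, `acr` and `auth_time` (all OpenID Connect Core claims) against a per-operation requirement and, when the token falls short, produces the `scope`, `acr_values`, `max_age` and `prompt=login` parameters for the next authorization request. The acr values `"0"`, `"password"` and `"otp"`, their ordering, the 30-day/1-day thresholds and the 500 price level are assumptions of the example, not anything the thread or Keycloak defines.

```python
"""Step-up authentication policy check (added example, not Keycloak code).

Models the profile / orders / purchase tiers from the proposal as requirements
on a token's scope, authentication level (acr) and authentication age, and
tells the client which OIDC authorization-request parameters to send when
the current token is not good enough.  The acr names, their ordering and the
thresholds below are assumptions of this example.
"""
from __future__ import annotations

from dataclasses import dataclass
import time

ACR_LEVEL = {"0": 0, "password": 1, "otp": 2}   # assumed ordering, low to high
DAY = 24 * 3600


@dataclass(frozen=True)
class Requirement:
    scopes: frozenset[str]
    min_acr: str
    max_auth_age: int | None        # seconds since auth_time; None = no limit
    always_reauth: bool = False     # force a fresh login every time


# The three tiers from the proposal (thresholds are example values).
TIERS = {
    "profile": Requirement(frozenset({"email"}), "0", None),
    "orders": Requirement(frozenset({"email", "orders"}), "password", 30 * DAY),
    "purchase": Requirement(frozenset({"email", "orders", "purchase"}), "otp", DAY),
}


def requirement_for(operation: str, amount: float = 0.0,
                    reauth_above: float = 500.0) -> Requirement:
    """Pick the tier; purchases above the (assumed) price level always re-authenticate."""
    req = TIERS[operation]
    if operation == "purchase" and amount > reauth_above:
        req = Requirement(req.scopes, req.min_acr, req.max_auth_age, True)
    return req


def evaluate(claims: dict, req: Requirement, now: int | None = None) -> list[str]:
    """Return the reasons the token is insufficient; an empty list means accept."""
    now = int(time.time()) if now is None else now
    problems: list[str] = []
    if claims.get("exp", 0) <= now:
        problems.append("token_expired")
    granted = set(claims.get("scope", "").split())
    missing = sorted(req.scopes - granted)
    if missing:
        problems.append("missing_scope:" + ",".join(missing))
    # An absent or unknown acr counts as the lowest level, never as a pass.
    have = ACR_LEVEL.get(claims.get("acr", "0"), 0)
    if have < ACR_LEVEL[req.min_acr]:
        problems.append("acr_below:" + req.min_acr)
    auth_time = claims.get("auth_time")
    if req.max_auth_age is not None and (
            auth_time is None or now - auth_time > req.max_auth_age):
        problems.append("auth_too_old")
    if req.always_reauth:
        problems.append("reauth_required")
    return problems


def step_up_params(req: Requirement, problems: list[str]) -> dict[str, str]:
    """OIDC authorization-request parameters that would satisfy `req`.

    Always asks for the full scope set and the minimum acr; adds `max_age`
    when the login is stale and `prompt=login` when a fresh login is mandatory.
    """
    params = {"scope": " ".join(sorted(req.scopes)), "acr_values": req.min_acr}
    if "auth_too_old" in problems and req.max_auth_age is not None:
        params["max_age"] = str(req.max_auth_age)
    if "reauth_required" in problems:
        params["prompt"] = "login"
    return params


if __name__ == "__main__":
    now = 1_700_000_000
    # Constructed token: implicit-flow style, long-lived, email scope only,
    # user logged in 90 days ago without a strong credential.
    token = {"exp": now + 180 * DAY, "scope": "email", "acr": "0",
             "auth_time": now - 90 * DAY}
    for op in ("profile", "orders", "purchase"):
        req = requirement_for(op, amount=1000)
        problems = evaluate(token, req, now)
        print(op, problems or "ok", step_up_params(req, problems) if problems else "")
```

The point of returning every shortfall at once rather than the first one is that the client can build a single authorization request covering scope, acr and freshness together, instead of bouncing the user through three separate prompts; the resource server side of this check is the same function run against the bearer token on each request.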
