[keycloak-dev] questions on Marek/Hynek presentation

Bill Burke bburke at redhat.com
Fri May 19 10:19:13 EDT 2017

* Won't the regular case be that the load balancer generates the 
affinity cookie or doesn't have a cookie at all?  HAProxy is quite 
popular and they have both options.

* @ 18:25 in BlueJeans session, the "You are already logged in" screen.  
What happens when the user clicks "proceed"?  Does the SAML or OIDC 
request continue as normal? Or are you calculating the URI on the 
application to redirect to, if so, why?

On Action Tokens:

* What is the relationship between the RequiredAction SPI and 
ActionTokenHandler SPI?  Does every RequiredAction have to have a 
corresponding ActionTokenHandler?

* Why would an app developer need to implement an ActionTokenHandler?  
Wouldn't it be better for the Required Action SPI to provide the 
appropriate metadata so that the handler could be implemented by us?  
i.e. isOneTimeToken, email-template, etc, etc.  I guess what I'm saying 
is that action tokens should be incorporated into the RequiredAction SPI.

* Related to above.  Required actions should be able to specify an 
"admin console template" and "login template".  These would be the 
FreeMarker template to use to create the email that is sent to the 
user.  "admin console" would be from an admin generating the action.  
"login" would be when user login initiates the action email.

* On the Admin Console "Credential Reset" section.  Required Action 
emails (now Action tokens) aren't necessarily "Credential Resets".  
Verify email is not a credential reset, etc. This needs to be renamed and 
maybe put in another tab?

* We will need a way to offload action processing to another external 
service.  Keycloak exists to mark that the action was completed, but all 
the processing for the action happens in an external application.  A lot 
of people have existing applications they want to integrate with that 
perform action processing.  Just something to think about.  We need this 
for other areas of Keycloak (i.e. registration).
