[keycloak-dev] per-client authentication flows
Stian Thorgersen
sthorger at redhat.com
Mon Jan 22 13:21:22 EST 2018
On 22 January 2018 at 16:17, Bill Burke <bburke at redhat.com> wrote:
> On Mon, Jan 22, 2018 at 2:48 AM, Stian Thorgersen <sthorger at redhat.com>
> wrote:
> > I missed the part about code grant flow being used regardless. Of course
> the
> > spec doesn't even mandate the user-agent is a web browser, just says it
> > typically is.
> >
> > I think acr/display (or some other query parameter) vs a different flow
> > boils down to usability. Basically is it simpler to have one "dynamic"
> flow
> > or is it simpler to just have separate flows. I think in most cases
> you're
> > right and it will probably be cleaner and simpler to simply have
> different
> > flows.
> >
> > Did you think about including this new flow OOTB? Is it OSIN specific or
> is
> > it a generic non-web version of the regular web based flow?
> >
>
> I want to reorganize auth flows a bit so that we can catagorize them
> and provide a plugin mechanism so the admin console can dynamically
> show which flows can be configured (browser, direct grant, ecp,
> etc..). There's a lot to be done here, but probably just putting in
> enough at the moment to get the OSIN replacement going.
>
> > Another thing is the user-agent always controlled by the client? Or
> could a
> > single client have different user-agents.
> >
>
> They don't really have that concept. There's a client config variable
> "respondWithChallenges". When set, server responds with 401
> challenges.
>
I was also wondering if other (non OSIN) clients would want to use more
than one flow, but probably not.
>
>
>
>
> --
> Bill Burke
> Red Hat
>
More information about the keycloak-dev
mailing list