[keycloak-dev] make sending a request object mandatory for certain clients

Marek Posolda mposolda at redhat.com
Thu Mar 8 09:25:09 EST 2018


Hi,

Sorry for not responding earlier. Your use case makes sense to me, and the 
code you wrote does as well. One minor thing that is missing is the admin 
console update. I think you need to add a new switch to the client details 
page. Please add it to the same section, like "Advanced config", where the 
other things like the request object signature algorithm etc. are.

Thanks,
Marek

On 06/03/18 20:13, Aron Bustya wrote:
> Hello!
>
> Can I get some reaction to this? (The community guidelines say I need to
> ask around before sending pull requests.)
>
> Regards,
> Áron Bustya
>
> On 2 December 2017 at 04:44, Aron Bustya <aron.bustya.js at gmail.com> wrote:
>
>> Hi!
>>
>> I have a use case where the server must accept authorization requests only
>> when they contain a signed request object (should be configurable per
>> client).
>>
>> I have found a way to make the signing of the request object mandatory by
>> specifying a 'request.object.signature.alg' attribute on the client, but
>> this only applies if a request object exists in the first place.
>>
>> I would like to propose a pull request: It defines a new client attribute
>> 'request.object.required'. If this is set to 'true', the client must send a
>> request object when initiating an authorization request.
>>
>> Current code can be checked here:
>> https://github.com/abustya/keycloak/commit/476912906a3ad0d290220a1f54abee073dba687a
>>
>> What do you think?
>>
>> Regards,
>> Áron Bustya
>>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
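
The gap described in the thread, as an added example that is not part of the original messages and is not Keycloak code: a Python model of the per-client check using the two attribute names from the proposal. The function names, the sample parameters and the constructed request objects are assumptions, and signature verification itself is left out.

```python
import base64
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_request_object(alg: str) -> str:
    """Constructed sample: compact JWS with a placeholder signature."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"client_id": "demo-client"}).encode())
    return f"{header}.{payload}.{b64url(b'constructed-signature')}"

def jws_alg(compact: str) -> str:
    """Read 'alg' from the protected header of a compact JWS."""
    header_b64 = compact.split(".")[0]
    padded = header_b64 + "=" * (-len(header_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(padded)).get("alg", "")

def check_authorization_request(client_attrs: dict, params: dict):
    """Return (accepted, reason) for one authorization request.

    Models only the attribute checks discussed in the thread; a real
    server must also verify the signature against the client's keys.
    """
    request_obj = params.get("request")
    # A request object may be passed by value or by reference (OIDC Core).
    has_object = bool(request_obj or params.get("request_uri"))
    if not has_object:
        # Proposed attribute: without it, plain parameters pass through
        # even when a signature algorithm is configured.
        if client_attrs.get("request.object.required") == "true":
            return False, "request object required for this client"
        return True, "plain parameters accepted"
    required_alg = client_attrs.get("request.object.signature.alg")
    if request_obj and required_alg:
        try:
            alg = jws_alg(request_obj)
        except (ValueError, AttributeError):
            return False, "malformed request object"
        if alg != required_alg:
            return False, f"request object alg {alg!r} not allowed"
    return True, "request object accepted"

if __name__ == "__main__":
    plain = {"client_id": "demo-client", "response_type": "code"}
    alg_only = {"request.object.signature.alg": "RS256"}
    both = dict(alg_only, **{"request.object.required": "true"})
    print(check_authorization_request(alg_only, plain))
    print(check_authorization_request(both, plain))
```

With only `request.object.signature.alg` set, the plain request is accepted; adding `request.object.required` set to `true` rejects it.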
