<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">I’ve created a Jira task for that:<div class=""><a href="https://issues.jboss.org/browse/KEYCLOAK-1949" class="">https://issues.jboss.org/browse/KEYCLOAK-1949</a><br class=""><div apple-content-edited="true" class="">
<div class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class=""><div class=""><br class=""></div></div><div class="">I already did an implementation proposal of that task, what do you think of it?</div><div class="">https://github.com/gerbermichi/keycloak/commit/0ef36f0ac446fcf70272f2aed05320c3a5083635</div><div class=""><br class=""></div></div></div></div><div><blockquote type="cite" class=""><div class="">On 09.10.2015, at 07:46, Michael Gerber <gerbermichi@me.com> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class=""><div class="">As far as I understand it, we just have to create a new authenticator, check for the id_token_hint, if it is valid than we set the authenticated user, otherwise we send attempted.</div><div class=""><br class=""></div><div class="">I can create a PR for that if it is that simple ;)</div><div class=""><br class="">Am 09. Oktober 2015 um 07:41 schrieb Stian Thorgersen <sthorger@redhat.com>:<br class=""><br class=""></div><div class=""><blockquote type="cite" class=""><div class="msg-quote"><div dir="ltr" class="">It wasn't on our road map, but it looks easy to add</div><div class="gmail_extra"><br class=""><div class="gmail_quote">On 9 October 2015 at 07:16, Michael Gerber <span dir="ltr" class=""><<a href="mailto:gerbermichi@me.com" data-mce-href="mailto:gerbermichi@me.com" class="">gerbermichi@me.com</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin: 0 0 0 0.8ex ; border-left: 1px #ccc solid ; padding-left: 1ex" data-mce-style="margin: 0 0 0 0.8ex; border-left: 1px #ccc solid; padding-left: 1ex;"><div class=""><div class=""><span style="background-color: rgba(255 , 255 , 255 , 0)" data-mce-style="background-color: rgba(255 , 255 , 255 , 0);" class="">Hi,</span><span style="background-color: rgba(255 , 255 , 255 , 0)" data-mce-style="background-color: rgba(255 , 255 , 255 , 0);" class=""><br class=""></span><span 
style="background-color: rgba(255 , 255 , 255 , 0)" data-mce-style="background-color: rgba(255 , 255 , 255 , 0);" class="">Do you have any plans to include the id_token_hint in the near future?</span><span style="background-color: rgba(255 , 255 , 255 , 0)" data-mce-style="background-color: rgba(255 , 255 , 255 , 0);" class=""><br class=""></span><span style="background-color: rgba(255 , 255 , 255 , 0)" data-mce-style="background-color: rgba(255 , 255 , 255 , 0);" class="">id_token_hint</span><span style="background-color: rgba(255 , 255 , 255 , 0)" data-mce-style="background-color: rgba(255 , 255 , 255 , 0);" class="">OPTIONAL. ID Token previously issued by the Authorization Server being passed as a hint about the End-User's current or past authenticated session with the Client. If the End-User identified by the ID Token is logged in or is logged in by the request, then the Authorization Server returns a positive response; otherwise, it SHOULD return an error, such as <tt class="">login_required</tt>. When possible, an <tt class="">id_token_hint</tt> SHOULD be present when <tt class="">prompt=none</tt> is used and an <tt class="">invalid_request</tt> error MAY be returned if it is not; however, the server SHOULD respond successfully when possible, even if it is not present. The Authorization Server need not be listed as an audience of the ID Token when it is used as an <tt class="">id_token_hint</tt> value.</span><span style="background-color: rgba(255 , 255 , 255 , 0)" data-mce-style="background-color: rgba(255 , 255 , 255 , 0);" class="">If the ID Token received by the RP from the OP is encrypted, to use it as an <tt class="">id_token_hint</tt>, the Client MUST decrypt the signed ID Token contained within the encrypted ID Token. 
The Client MAY re-encrypt the signed ID token to the Authentication Server using a key that enables the server to decrypt the ID Token, and use the re-encrypted ID token as the <tt class="">id_token_hint</tt> value.</span><br class="">Best</div><div class="">Michael</div></div><br class="">_______________________________________________<br class=""> keycloak-dev mailing list<br class=""> <a href="mailto:keycloak-dev@lists.jboss.org" data-mce-href="mailto:keycloak-dev@lists.jboss.org" class="">keycloak-dev@lists.jboss.org</a><br class=""> <a rel="noreferrer" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" data-mce-href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" class="">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br class=""></blockquote></div><br class=""></div></div></blockquote></div></div></div></blockquote></div><br class=""></div></body></html>