<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<br>
<div class="moz-cite-prefix">On 27.11.2015 12:22, Stian Thorgersen
wrote:<br>
</div>
<blockquote
cite="mid:CAJgngAd6TSu-w9bcrSygCoF68kNn7sLXqTJTa9X01JnOr1W6wA@mail.gmail.com"
type="cite">
<div dir="ltr">Initially when you proposed this feature I
underestimated how complicated it would be as well. Reading the
discussion on the issue you created I've got a few comments:
<div><br>
</div>
<div>* We need a new flow - users could want to require re-auth
with password, or with totp, or with both, etc..</div>
</div>
</blockquote>
Agree, but at least the first step must be the same as in the Browser flow -
check the cookie, and then redirect to another flow if necessary. Not
sure if the current flow engine supports this.<br>
<br>
<blockquote
cite="mid:CAJgngAd6TSu-w9bcrSygCoF68kNn7sLXqTJTa9X01JnOr1W6wA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>* There's probably quite a few corner cases to cover -
you've already mentioned a few</div>
<div><br>
</div>
<div>It's a very nice-to-have feature, but I doubt I'll have time to
work on it for 1.8.</div>
<div><br>
</div>
<div>Is it something we can postpone to 2.x or do you really
need it now?</div>
</div>
</blockquote>
<br>
We do not need it just now, but it would be cool to have it in some
reasonable time (half a year?). <br>
Not sure when you plan to start work on 2.x, probably sometime
around the middle of next year?<br>
<br>
As it is really complex, we probably should break it into
smaller chunks and implement it piece by piece over the releases. I can
imagine a first version with basic flow support with Form password
auth only, then adding other parts like support for Identity Brokers,
OTP, Kerberos, required actions etc. <br>
<br>
Vl.<br>
<br>
<blockquote
cite="mid:CAJgngAd6TSu-w9bcrSygCoF68kNn7sLXqTJTa9X01JnOr1W6wA@mail.gmail.com"
type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On 27 November 2015 at 11:05, Vlastimil
Elias <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Hi,<br>
<br>
moving this discussion to the devel forum as it is about
the feature development now. <br>
<br>
The top-level issue I created for this feature is <a
href="https://issues.jboss.org/browse/KEYCLOAK-2076"
target="_blank">https://issues.jboss.org/browse/KEYCLOAK-2076</a><br>
<br>
I added some notes and thoughts from my investigation as a
comment to KEYCLOAK-2076; there are some open
questions about how to implement it.<br>
<br>
Originally I thought I should be able to implement reauth
support and provide a PR. <br>
But I must say I'm not sure now if I'm able to implement
it; it looks like it is a bit more complicated than I
originally expected, so probably some Keycloak core
developer should do it. <br>
But if you think you will not have resources to do it in
1.8 then I can try it (with your support), as I believe it
is a very important feature, and we really want to use it.<br>
<br>
Cheers<span class="HOEnZb"><font color="#888888"><br>
<br>
Vlastimil</font></span>
<div>
<div class="h5"><br>
<br>
<br>
<br>
<div>On 12.11.2015 14:50, Stian Thorgersen wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 12 November 2015 at
14:49, Vlastimil Elias <span dir="ltr"><<a
href="mailto:velias@redhat.com"
target="_blank">velias@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
Thanks for the quick reply, Stian. <br>
<br>
I'm going to create JIRAs for all these
things. I can volunteer to implement some
parts of this.<br>
<br>
For the last one, it would probably be
cool to have a "reauthenticate timeout"
setting available in the client section for
every client (not only the internal admin
console and account management). It would
allow a simple implementation of the "long user
SSO session" scheme even in environments
where some clients can't be updated to set
max_age on the protocol level.<br>
</div>
</blockquote>
<div><br>
</div>
<div>Yep, that makes sense</div>
<div> </div>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> <br>
Vl.
<div>
<div><br>
<br>
<div>On 12.11.2015 14:39, Stian
Thorgersen wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 12
November 2015 at 14:15,
Vlastimil Elias <span
dir="ltr"><<a
href="mailto:velias@redhat.com"
target="_blank">velias@redhat.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Hi,<br>
<br>
I'd like to use the long-session authentication mechanism
known from many sites like Google, Facebook, LinkedIn etc.<br>
It is about really long user SSO sessions (e.g. weeks or
even months) with reauthentication for important actions
when the last authentication timestamp is older than some
limit.<br>
<br>
Is this somehow possible
with current Keycloak server
and Keycloak adapters?<br>
<br>
I see a few subquestions in this problem for our use:<br>
<br>
*****<br>
The OpenID Connect protocol defines a few auth request
parameters to support this use case, mainly max_age or
prompt=login. Are they correctly implemented in the
Keycloak server?<br>
</blockquote>
<div><br>
</div>
<div>We don't have support for
max_age and we only
support prompt=none, so these
would have to be added.</div>
<div> </div>
<blockquote
class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
<br>
*****<br>
Wildfly/EAP adapter - is it possible, and is there some
example of how to use a "reauth if auth is older than
30 min" action in a Java app secured by this adapter?
Or is info about the last auth timestamp somehow
available in the app?<br>
</blockquote>
<div><br>
</div>
<div>We don't set the auth_time
claim ATM, so the answer is no.</div>
<div> </div>
<blockquote
class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
<br>
*****<br>
Keycloak user account
application itself - it is
part of the Keycloak<br>
server, but it contains
sensitive actions which
typically require<br>
reauthentication in this long
session scheme (password
change, email<br>
change, ...). Is it somehow
possible to configure
Keycloak to force<br>
timeout reauth for this app?<br>
</blockquote>
<div><br>
</div>
<div>Not at the moment - but
if we add what you want it
would also make sense to add
that. Would need to be
configurable through the
admin console. Would also be
nice to have the same for
the admin console itself.</div>
<div> </div>
<blockquote
class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
Thanks in advance<br>
<br>
Vl.<br>
<span><font color="#888888"><br>
--<br>
Vlastimil Elias<br>
Principal Software
Engineer<br>
Developer Portal
Engineering Team<br>
<br>
<br>
<br>
_______________________________________________<br>
keycloak-user mailing
list<br>
<a
href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a
href="https://lists.jboss.org/mailman/listinfo/keycloak-user"
rel="noreferrer"
target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</font></span></blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team</pre>
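<br>
<div>The re-authentication check this thread is about (compare the ID token's auth_time claim with a per-action max_age and, when it is stale, send the user back to the IdP with max_age and prompt=login), written up as an added Python example that is not part of the original thread or of Keycloak. The action policy, endpoint, client id, and the unsigned sample token are constructed assumptions.</div>

```python
import base64
import json
import time
from urllib.parse import urlencode

# Constructed policy for this example (seconds; None = no re-auth needed).
# This is an assumption, not a Keycloak setting.
REAUTH_MAX_AGE = {"view_profile": None, "change_password": 30 * 60,
                  "change_email": 30 * 60}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_id_token(claims: dict) -> str:
    """Constructed, UNSIGNED sample token for offline demonstration only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def decode_claims(id_token: str) -> dict:
    """Return the JWT payload. Signature verification is assumed to have
    been done by the adapter already; this only splits and decodes."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def needs_reauth(claims: dict, action: str, now=None) -> bool:
    """True when 'action' requires a login fresher than its max_age.
    A missing auth_time is treated as stale (fail closed): iat is not a
    substitute, since an SSO session can mint new tokens without a login."""
    max_age = REAUTH_MAX_AGE[action]
    if max_age is None:
        return False
    now = int(time.time()) if now is None else now
    auth_time = claims.get("auth_time")
    return auth_time is None or now - int(auth_time) > max_age

def reauth_url(auth_endpoint: str, client_id: str, redirect_uri: str,
               action: str, state: str, nonce: str) -> str:
    """Authorization request forcing a fresh login: max_age obliges the IdP
    to re-authenticate if needed and to return auth_time; prompt=login makes
    the intent explicit. state/nonce must be fresh random values."""
    params = {"response_type": "code", "scope": "openid",
              "client_id": client_id, "redirect_uri": redirect_uri,
              "state": state, "nonce": nonce, "prompt": "login",
              "max_age": REAUTH_MAX_AGE[action]}
    return f"{auth_endpoint}?{urlencode(params)}"
```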
</body>
</html>