<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 27 November 2015 at 13:36, Vlastimil Elias <span dir="ltr">&lt;<a href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF"><span class="">
    <br>
    <br>
    <div>On 27.11.2015 12:22, Stian Thorgersen
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">Initially when you proposed this feature I
        underestimated how complicated it would be as well. Reading the
        discussion on the issue you created I&#39;ve got a few comments:
        <div><br>
        </div>
        <div>* We need a new flow - users could want to require re-auth
          with password, or with totp, or with both, etc..</div>
      </div>
    </blockquote></span>
    Agree, but at least the first step must be the same as in the Browser flow -
    a check of the cookie, and then a redirect to another flow if necessary. Not
    sure if the current flow engine supports this.</div></blockquote><div><br></div><div>The current browser flow would just automatically log in as the cookie is there</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF"><span class=""><br>
    <br>
    <blockquote type="cite">
      <div dir="ltr">
        <div>* There&#39;s probably quite a few corner cases to cover -
          you&#39;ve already mentioned a few</div>
        <div><br>
        </div>
        <div>It&#39;s a very nice to have feature, but I doubt have time to
          work on it for 1.8.</div>
        <div><br>
        </div>
        <div>Is it something we can post-pone to 2.x or do you really
          need it now?</div>
      </div>
    </blockquote>
    <br></span>
    We do not need it just now, but it would be cool to have it in some
    reasonable time (half a year?). <br>
    Not sure when you plan to start work on 2.x, probably sometime
    around the middle of next year?<br>
    <br>
    As it is really complex, we should probably break it into
    smaller chunks and implement it piece by piece over the releases. I can
    imagine a first version with basic flow support with Form password
    auth only, then add other parts like support for Identity Brokers,
    OTP, Kerberos, required actions etc. <br>
    <br>
    Vl.<div><div class="h5"><br>
    <br>
    <blockquote type="cite">
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On 27 November 2015 at 11:05, Vlastimil
          Elias <span dir="ltr">&lt;<a href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div text="#000000" bgcolor="#FFFFFF"> Hi,<br>
              <br>
              moving this discussion to the devel forum as it is about
              the feature development now. <br>
              <br>
              The top-level issue I created for this feature is <a href="https://issues.jboss.org/browse/KEYCLOAK-2076" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-2076</a><br>
              <br>
              I added some notes and thoughts from my investigation as a
              comment on KEYCLOAK-2076; there are some open
              questions on how to implement it.<br>
              <br>
              Originally I thought I should be able to implement reauth
              support and provide a PR. <br>
              But I must say I&#39;m not sure now if I&#39;m able to implement
              it; it looks like it is a bit more complicated than I
              originally expected, so probably some Keycloak core
              developer should do it. <br>
              But if you think you will not have resources to do it in
              1.8 then I can try it (with your support), as I believe it
              is a very important feature, and we really want to use it.<br>
              <br>
              Cheers<span><font color="#888888"><br>
                  <br>
                  Vlastimil</font></span>
              <div>
                <div><br>
                  <br>
                  <br>
                  <br>
                  <div>On 12.11.2015 14:50, Stian Thorgersen wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div dir="ltr"><br>
                      <div class="gmail_extra"><br>
                        <div class="gmail_quote">On 12 November 2015 at
                          14:49, Vlastimil Elias <span dir="ltr">&lt;<a href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>&gt;</span>
                          wrote:<br>
                          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                            <div text="#000000" bgcolor="#FFFFFF">
                              Thanks for the quick reply, Stian. <br>
                              <br>
                              I&#39;m going to create JIRAs for all these
                              things. I can volunteer to implement some
                              parts of this.<br>
                              <br>
                              For the last one, it would probably be
                              cool to have a &quot;reauthenticate timeout&quot;
                              setting available in the client section for
                              every client (not only the internal admin
                              console and account management). It should
                              allow a simple implementation of the &quot;long user
                              SSO session&quot; scheme even in environments
                              where some clients can&#39;t be updated to set
                              max_age at the protocol level.<br>
                            </div>
                          </blockquote>
                          <div><br>
                          </div>
                          <div>Yep, that makes sense</div>
                          <div> </div>
                          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                            <div text="#000000" bgcolor="#FFFFFF"> <br>
                              Vl.
                              <div>
                                <div><br>
                                  <br>
                                  <div>On 12.11.2015 14:39, Stian
                                    Thorgersen wrote:<br>
                                  </div>
                                  <blockquote type="cite">
                                    <div dir="ltr"><br>
                                      <div class="gmail_extra"><br>
                                        <div class="gmail_quote">On 12
                                          November 2015 at 14:15,
                                          Vlastimil Elias <span dir="ltr">&lt;<a href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>&gt;</span>
                                          wrote:<br>
                                          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Hi,<br>
                                            <br>
                                            I&#39;d like to use the long-session
                                            authentication mechanism
                                            known from many<br>
                                            sites like Google, Facebook,
                                            LinkedIn etc.<br>
                                            It is about really long user
                                            SSO sessions (e.g. weeks or
                                            even months)<br>
                                            with reauthentication for
                                            important actions when the last
                                            authentication<br>
                                            timestamp is older than some
                                            limit.<br>
                                            <br>
                                            Is this somehow possible
                                            with the current Keycloak server
                                            and Keycloak adapters?<br>
                                            <br>
                                            I see a few sub-questions in
                                            this problem for our use:<br>
                                            <br>
                                            *****<br>
                                            The OpenID Connect protocol
                                            defines a few auth request
                                            parameters to support<br>
                                            this use case, mainly
                                            max_age or prompt=login. Are
                                            they correctly<br>
                                            implemented in the Keycloak
                                            server?<br>
                                          </blockquote>
                                          <div><br>
                                          </div>
                                          <div>We don&#39;t have support for
                                            max_age and we only
                                            support prompt=none so these
                                            would have to be added</div>
                                          <div> </div>
                                          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
                                            <br>
                                            *****<br>
                                            Wildfly/EAP adapter - is it
                                            possible, and is there some
                                            example of how to<br>
                                            use a &quot;reauth if auth is older
                                            than 30min&quot; action in a Java
                                            app secured by<br>
                                            this adapter? Or is info
                                            about the last auth timestamp
                                            somehow available in<br>
                                            the app?<br>
                                          </blockquote>
                                          <div><br>
                                          </div>
                                          <div>We don&#39;t set auth_time
                                            claim ATM so answer is no</div>
                                          <div> </div>
                                          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
                                            <br>
                                            *****<br>
                                            Keycloak user account
                                            application itself - it is
                                            part of the Keycloak<br>
                                            server, but it contains
                                            sensitive actions which
                                            typically require<br>
                                            reauthentication in this long
                                            session scheme (password
                                            change, email<br>
                                            change, ...). Is it somehow
                                            possible to configure
                                            Keycloak to force a<br>
                                            timeout reauth for this app?<br>
                                          </blockquote>
                                          <div><br>
                                          </div>
                                          <div>Not at the moment - but
                                            if we add what you want it
                                            would also make sense to add
                                            that. Would need to be
                                            configurable through the
                                            admin console. Would also be
                                            nice to have the same for
                                            the admin console itself.</div>
                                          <div> </div>
                                          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
                                            Thanks in advance<br>
                                            <br>
                                            Vl.<br>
                                            <span><font color="#888888"><br>
                                                --<br>
                                                Vlastimil Elias<br>
                                                Principal Software
                                                Engineer<br>
                                                Developer Portal
                                                Engineering Team<br>
                                                <br>
                                                <br>
                                                <br>
_______________________________________________<br>
                                                keycloak-user mailing
                                                list<br>
                                                <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
                                                <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
                                              </font></span></blockquote>
                                        </div>
                                        <br>
                                      </div>
                                    </div>
                                  </blockquote>
                                  <br>
                                </div>
                              </div>
                            </div>
                          </blockquote>
                        </div>
                        <br>
                      </div>
                    </div>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div></div>
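The client-side half of the long-session scheme discussed in this thread, as an added example that is not code from the thread, from Keycloak, or from its adapters: compare the ID token's auth_time claim against a 30-minute "reauthenticate timeout", send max_age (or prompt=login for the sensitive actions) when a fresh login is needed, and verify the token that comes back. SAMPLE_CLAIMS, REAUTH_TIMEOUT_SECONDS, the helper names and the kc.example URLs are constructed assumptions; the token is assumed to have already passed signature, issuer and audience checks.

```python
import time
from urllib.parse import urlencode

# Constructed sample ID-token payload (not from the thread), as a dict after the
# OIDC library has already verified signature, issuer and audience.
SAMPLE_CLAIMS = {"sub": "user-1", "iss": "https://kc.example/realms/demo",
                 "nonce": "n0", "auth_time": 1_448_000_000}

# Assumed per-client setting, in the spirit of the "reauthenticate timeout" idea.
REAUTH_TIMEOUT_SECONDS = 30 * 60


def reauth_required(claims, max_age_seconds=REAUTH_TIMEOUT_SECONDS, now=None):
    """True when the last interactive login is older than max_age_seconds.
    Fails closed: without an auth_time claim (the thread notes Keycloak did not
    set it at the time) the age is unknown, so a sensitive action re-authenticates."""
    now = time.time() if now is None else now
    auth_time = claims.get("auth_time")
    if isinstance(auth_time, bool) or not isinstance(auth_time, (int, float)):
        return True
    return (now - auth_time) > max_age_seconds


def reauth_request_url(auth_endpoint, client_id, redirect_uri, state, nonce,
                       max_age_seconds=REAUTH_TIMEOUT_SECONDS, force=False):
    """Build the authorization request that asks the IdP for a fresh login.
    max_age lets the IdP decide from its own auth_time; prompt=login forces a new
    login regardless (e.g. before a password or e-mail change)."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid", "state": state,
              "nonce": nonce, "max_age": str(max_age_seconds)}
    if force:
        params["prompt"] = "login"
    return auth_endpoint + "?" + urlencode(params)


def verify_reauth_response(new_claims, expected_nonce,
                           max_age_seconds=REAUTH_TIMEOUT_SECONDS, now=None):
    """Check the ID token returned after the redirect. Returns None when it is
    acceptable, otherwise a short reason. OIDC Core requires auth_time whenever
    max_age was requested, so a missing claim is a failure, not a pass."""
    if new_claims.get("nonce") != expected_nonce:
        return "nonce mismatch: token is not bound to this reauth request"
    if "auth_time" not in new_claims:
        return "auth_time missing although max_age was requested"
    if reauth_required(new_claims, max_age_seconds, now):
        return "auth_time older than max_age: IdP did not re-authenticate"
    return None
```

The same auth_time comparison serves the adapter-side "reauth if auth is older than 30min" check and the account-application case; only the force flag differs.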