<div dir="ltr">Initially when you proposed this feature I underestimated how complicated it would be as well. Reading the discussion on the issue you created I&#39;ve got a few comments:<div><br></div><div>* We need a new flow - users could want to require re-auth with password, or with TOTP, or with both, etc.</div><div>* There&#39;s probably quite a few corner cases to cover - you&#39;ve already mentioned a few</div><div><br></div><div>It&#39;s a very nice to have feature, but I doubt I have time to work on it for 1.8.</div><div><br></div><div>Is it something we can postpone to 2.x or do you really need it now?</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 27 November 2015 at 11:05, Vlastimil Elias <span dir="ltr">&lt;<a href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    Hi,<br>
    <br>
    moving this discussion to the devel forum as it is about the feature
    development now. <br>
    <br>
    Top-level issue I created for this feature is
    <a href="https://issues.jboss.org/browse/KEYCLOAK-2076" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-2076</a><br>
    <br>
    I added some notes and thoughts from my investigation as a comment
    to the KEYCLOAK-2076, there are some open questions how to implement
    it.<br>
    <br>
    Originally I thought I should be able to implement reauth support and
    provide PR. <br>
    But I must say I&#39;m not sure now if I&#39;m able to implement it, looks
    like it is a bit more complicated than I originally expected, so
    probably some Keycloak core developer should do it. <br>
    But if you think you will not have resources to do it in 1.8 then I
    can try it (with your support), as I believe it is a very important
    feature, and we really want to use it.<br>
    <br>
    Cheers<span class="HOEnZb"><font color="#888888"><br>
    <br>
    Vlastimil</font></span><div><div class="h5"><br>
    <br>
    <br>
    <br>
    <div>On 12.11.2015 14:50, Stian Thorgersen
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr"><br>
        <div class="gmail_extra"><br>
          <div class="gmail_quote">On 12 November 2015 at 14:49,
            Vlastimil Elias <span dir="ltr">&lt;<a href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>&gt;</span> wrote:<br>
            <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div text="#000000" bgcolor="#FFFFFF"> Thanks for quick
                reply Stian. <br>
                <br>
                I&#39;m going to create JIRAs for all these things. I can
                volunteer to implement some parts of this.<br>
                <br>
                For the last one, it should be probably cool to have
                &quot;reauthenticate timeout&quot; setting available in client
                section for every client (not only internal admin
                console and account management). It should allow simple
                implementation of &quot;long user sso session&quot; scheme even in
                environments where some clients can&#39;t be updated to set
                max_age on protocol level.<br>
              </div>
            </blockquote>
            <div><br>
            </div>
            <div>Yep, that makes sense</div>
            <div> </div>
            <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div text="#000000" bgcolor="#FFFFFF"> <br>
                Vl.
                <div>
                  <div><br>
                    <br>
                    <div>On 12.11.2015 14:39, Stian Thorgersen wrote:<br>
                    </div>
                    <blockquote type="cite">
                      <div dir="ltr"><br>
                        <div class="gmail_extra"><br>
                          <div class="gmail_quote">On 12 November 2015
                            at 14:15, Vlastimil Elias <span dir="ltr">&lt;<a href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>&gt;</span>
                            wrote:<br>
                            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Hi,<br>
                              <br>
                              I&#39;d like to use long session
                              authentication mechanism known from many<br>
                              sites like google, facebook, linkedin
                              etc.<br>
                              It is about really long user SSO sessions
                              (e.g. weeks or even months)<br>
                              with reauthentication for important
                              actions when last authentication<br>
                              timestamp is older than some limit.<br>
                              <br>
                              Is this somehow possible with current
                              Keycloak server and Keycloak adapters?<br>
                              <br>
                              I see few subquestions in this problem for
                              our use:<br>
                              <br>
                              *****<br>
                              open-id connect protocol defines few auth
                              request parameters to support<br>
                              this use case, mainly max_age or
                              prompt=login. Are they correctly<br>
                              implemented in Keycloak server?<br>
                            </blockquote>
                            <div><br>
                            </div>
                            <div>We don&#39;t have support for max_age and
                              we only support prompt=none so these would
                              have to be added</div>
                            <div> </div>
                            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
                              <br>
                              *****<br>
                              Wildfly/EAP adapter - is it possible and
                              is there some example how to<br>
                              use &quot;reauth if auth is older than 30min&quot;
                              action in Java app secured by<br>
                              this adapter? Or is info about last auth
                              timestamp somehow available in<br>
                              the app?<br>
                            </blockquote>
                            <div><br>
                            </div>
                            <div>We don&#39;t set the auth_time claim ATM so
                              the answer is no</div>
                            <div> </div>
                            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
                              <br>
                              *****<br>
                              Keycloak user account application itself -
                              it is part of the Keycloak<br>
                              server, but it contains sensitive actions
                              which typically require<br>
                              reauthentication in this long session
                              scheme (password change, email<br>
                              change, ...). Is it somehow possible to
                              configure Keycloak to force<br>
                              timeout reauth for this app?<br>
                            </blockquote>
                            <div><br>
                            </div>
                            <div>Not at the moment - but if we add what
                              you want it would also make sense to add
                              that. Would need to be configurable
                              through the admin console. Would also be
                              nice to have the same for the admin
                              console itself.</div>
                            <div> </div>
                            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
                              Thanks in advance<br>
                              <br>
                              Vl.<br>
                              <span><font color="#888888"><br>
                                  --<br>
                                  Vlastimil Elias<br>
                                  Principal Software Engineer<br>
                                  Developer Portal Engineering Team<br>
                                  <br>
                                  <br>
                                  <br>
_______________________________________________<br>
                                  keycloak-user mailing list<br>
                                  <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
                                  <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
                                </font></span></blockquote>
                          </div>
                          <br>
                        </div>
                      </div>
                    </blockquote>
                    <br>
                    <pre cols="72">-- 
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team</pre>
                  </div>
                </div>
              </div>
            </blockquote>
          </div>
          <br>
        </div>
      </div>
    </blockquote>
    <br>
    <pre cols="72">-- 
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team</pre>
  </div></div></div>

</blockquote></div><br></div>
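The thread above asks how a relying party can implement "reauth if auth is older than 30min" on top of a long SSO session using the OpenID Connect pieces it names (the auth_time claim, the max_age request parameter, prompt=login). The following is an added example, not code from the thread or from the Keycloak project: it shows the client-side decision an application would make once the provider issues auth_time, failing closed when the claim is absent. The endpoint, client_id and token claims are constructed values.

```python
"""Step-up check for long SSO sessions (OIDC Core 3.1.2.1):
auth_time says when the user last actively authenticated; if it is older
than the application's limit, send the user back to the provider with
max_age (or prompt=login to force a fresh login regardless of age).
Constructed example values; not real Keycloak output."""
import time
from typing import Optional
from urllib.parse import urlencode

REAUTH_LIMIT_SECONDS = 30 * 60  # "reauth if auth is older than 30min"


def needs_reauth(claims: dict, max_age: int, now: Optional[float] = None) -> bool:
    """True when the app must force a fresh authentication for a sensitive action.

    Fails closed: a token without a numeric auth_time cannot prove recent
    authentication, so it is treated as stale. (When max_age was requested,
    the spec requires auth_time in the ID token, so its absence also means
    the provider did not honour the request.)"""
    now = time.time() if now is None else now
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, (int, float)) or isinstance(auth_time, bool):
        return True
    return (now - auth_time) > max_age


def reauth_redirect(authz_endpoint: str, client_id: str, redirect_uri: str,
                    max_age: int, force_login: bool = False) -> str:
    """Build the authorization request that asks the provider to re-authenticate
    if the user's last authentication is older than max_age seconds."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "max_age": str(max_age),
    }
    if force_login:
        params["prompt"] = "login"  # re-authenticate even if auth_time is recent
    return f"{authz_endpoint}?{urlencode(params)}"


if __name__ == "__main__":
    now = 1_700_000_000  # constructed "current time"
    for label, claims in [("fresh", {"sub": "u1", "auth_time": now - 600}),
                          ("stale", {"sub": "u1", "auth_time": now - 3 * 3600}),
                          ("no auth_time", {"sub": "u1"})]:
        print(label, "-> reauth" if needs_reauth(claims, REAUTH_LIMIT_SECONDS, now) else "-> ok")
    print(reauth_redirect("https://idp.example/auth", "account-app",
                          "https://app.example/cb", REAUTH_LIMIT_SECONDS))
```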