<div dir="ltr">Current flow checks if the cookie is there and if it is, it's all happy. We'd need a different flow that can require the re-auth to take place even if the cookie is there. Also, with the re-auth flow the user should be able to cancel or just navigate away and continue using the session as if nothing has happened (with the other apps that are happy with the old session, that is)</div><div class="gmail_extra"><br><div class="gmail_quote">On 27 November 2015 at 13:51, Vlastimil Elias <span dir="ltr"><<a href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span class="">
<br>
<br>
<div>On 27.11.2015 13:46, Stian Thorgersen
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 27 November 2015 at 13:36,
Vlastimil Elias <span dir="ltr"><<a href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span> <br>
<br>
<div>On 27.11.2015 12:22, Stian Thorgersen wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Initially when you proposed this feature I underestimated how complicated it would be as well. Reading the discussion on the issue you created I've got a few comments:
<div><br>
</div>
<div>* We need a new flow - users could want to require re-auth with password, or with totp, or with both, etc..</div>
</div>
</blockquote>
</span> Agree, but at least the first step must be the same as in the Browser flow - check of the cookie, and then redirect to another flow if necessary. Not sure if the current flow engine supports this.</div>
</blockquote>
<div><br>
</div>
<div>Current browser flow would just automatically log in as the cookie is there</div>
</div>
</div>
</div>
</blockquote>
<br></span>
yep, but the new Reauthentication flow must also check if the user is currently logged in (over cookie). If not logged in then it should go to the current Browser flow to log him in. If logged in then it must continue in the Reauthentication flow. So the check "is user currently logged in?" should be the same for both flows.<br>
<br>
Vl<div><div class="h5"><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>* There's probably quite a few corner cases to cover - you've already mentioned a few</div>
<div><br>
</div>
<div>It's a very nice to have feature, but I doubt I'll have time to work on it for 1.8.</div>
<div><br>
</div>
<div>Is it something we can postpone to 2.x or do you really need it now?</div>
</div>
</blockquote>
<br>
</span> We do not need it just now, but it would be cool to have it in some reasonable time (half a year?). <br>
Not sure when you plan to start work on 2.x, probably sometime around the middle of next year?<br>
<br>
As it is really complex, we probably should break it into smaller chunks and implement it piece by piece over the releases. I can imagine a first version with basic flow support with Form password auth only, then add other parts like support for Identity Brokers, OTP, Kerberos, required actions etc. <br>
<br>
Vl.
<div>
<div><br>
<br>
<blockquote type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On 27 November 2015 at
11:05, Vlastimil Elias <span dir="ltr"><<a href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Hi,<br>
<br>
moving this discussion to the devel forum as it is about the feature development now.
<br>
<br>
The top-level issue I created for this feature is <a href="https://issues.jboss.org/browse/KEYCLOAK-2076" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-2076</a><br>
<br>
I added some notes and thoughts from my investigation as a comment to KEYCLOAK-2076; there are some open questions on how to implement it.<br>
<br>
Originally I thought I should be able to implement reauth support and provide a PR. <br>
But I must say I'm not sure now if I'm able to implement it; it looks like it is a bit more complicated than I originally expected, so probably some Keycloak core developer should do it. <br>
But if you think you will not have resources to do it in 1.8 then I can try it (with your support), as I believe it is a very important feature, and we really want to use it.<br>
<br>
Cheers<span><font color="#888888"><br>
<br>
Vlastimil</font></span>
<div>
<div><br>
<br>
<br>
<br>
<div>On 12.11.2015 14:50, Stian
Thorgersen wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 12
November 2015 at 14:49,
Vlastimil Elias <span dir="ltr"><<a href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Thanks for the quick reply Stian. <br>
<br>
I'm going to create JIRAs for all these things. I can volunteer to implement some parts of this.<br>
<br>
For the last one, it would probably be cool to have a "reauthenticate timeout" setting available in the client section for every client (not only the internal admin console and account management). It should allow simple implementation of the "long user sso session" scheme even in environments where some clients can't be updated to set max_age on the protocol level.<br>
</div>
</blockquote>
<div><br>
</div>
<div>Yep, that makes sense</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> <br>
Vl.
<div>
<div><br>
<br>
<div>On 12.11.2015
14:39, Stian
Thorgersen wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
12 November
2015 at 14:15,
Vlastimil
Elias <span dir="ltr"><<a href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Hi,<br>
<br>
I'd like to use the long session authentication mechanism known from many<br>
sites like Google, Facebook, LinkedIn etc.<br>
It is about really long user SSO sessions (eg. weeks or even months)<br>
with reauthentication for important actions when the last authentication<br>
timestamp is older than some limit.<br>
<br>
Is this somehow possible with the current Keycloak server and Keycloak adapters?<br>
<br>
I see a few subquestions in this problem for our use:<br>
<br>
*****<br>
The OpenID Connect protocol defines a few auth request parameters to support<br>
this use case, mainly max_age or prompt=login. Are they correctly<br>
implemented in the Keycloak server?<br>
</blockquote>
<div><br>
</div>
<div>We don't have support for max_age and we only support prompt=none so these would have to be added</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
<br>
*****<br>
Wildfly/EAP adapter - is it possible, and is there some example of how to<br>
use a "reauth if auth is older than 30min" action in a Java app secured by<br>
this adapter? Or is info about the last auth timestamp somehow available in<br>
the app?<br>
</blockquote>
<div><br>
</div>
<div>We don't set the auth_time claim ATM so the answer is no</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
<br>
*****<br>
Keycloak user account application itself - it is part of the Keycloak<br>
server, but it contains sensitive actions which typically require<br>
reauthentication in this long session scheme (password change, email<br>
change, ...). Is it somehow possible to configure Keycloak to force<br>
timeout reauth for this app?<br>
</blockquote>
<div><br>
</div>
<div>Not at the moment - but if we add what you want it would also make sense to add that. Would need to be configurable through the admin console. Would also be nice to have the same for the admin console itself.</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
Thanks in advance<br>
<br>
Vl.<br>
<span><font color="#888888"><br>
--<br>
Vlastimil Elias<br>
Principal Software Engineer<br>
Developer Portal Engineering Team<br>
<br>
<br>
<br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</font></span></blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
<pre cols="72">--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team</pre>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
<pre cols="72">--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team</pre>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<pre cols="72">--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team</pre>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
<pre cols="72">--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team</pre>
</div></div></div>
</blockquote></div><br></div>
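As an added example that is not code from this thread or from Keycloak itself: the relying-party side of the "reauth if auth is older than 30min" check discussed above, built on the OpenID Connect max_age / prompt=login request parameters and the auth_time claim. The authorization endpoint, client id, SKEW_SECONDS and the sample claim values are assumed placeholders; the claims dict is assumed to come from an ID token whose signature the adapter has already verified.

```python
import time
from urllib.parse import urlencode

# Clock skew tolerated when comparing auth_time against local time (assumption).
SKEW_SECONDS = 60

def reauth_required(claims, max_age_seconds, now=None):
    """True when the user must re-authenticate before a sensitive action.

    Implements the RP side of OIDC Core 3.1.3.7 (ID token validation): compare
    the auth_time claim with the max_age the app is willing to accept. A missing
    or non-integer auth_time (the thread notes Keycloak did not emit it then)
    is treated as unknown, which for a sensitive action means re-auth.
    """
    now = int(time.time()) if now is None else now
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, int) or isinstance(auth_time, bool):
        return True
    if auth_time > now + SKEW_SECONDS:  # an auth_time in the future is not trusted
        return True
    return now - auth_time > max_age_seconds

def build_reauth_request(authorize_endpoint, client_id, redirect_uri, state, nonce,
                         max_age_seconds, force_login=False):
    """Authorization request asking the OP for a fresh authentication.

    max_age tells the OP the maximum acceptable age of the last login and obliges
    it to return auth_time; prompt=login additionally forces the login page even
    when the OP session is fresher than max_age.
    """
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "max_age": str(max_age_seconds),
    }
    if force_login:
        params["prompt"] = "login"
    return authorize_endpoint + "?" + urlencode(params)

def verify_fresh_auth(claims, max_age_seconds, expected_nonce, now=None):
    """Accept the ID token returned for the re-auth request only if it carries
    the nonce we sent (so a replayed older token cannot satisfy the check) and
    its auth_time is within max_age."""
    if claims.get("nonce") != expected_nonce:
        return False
    return not reauth_required(claims, max_age_seconds, now)
```

A per-client "reauthenticate timeout" setting as proposed in the thread would simply become the max_age_seconds value the app passes to these functions.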