<div dir="ltr">Current flow checks if the cookie is there and if it is, it&#39;s all happy. We&#39;d need a different flow that can require the re-auth to take place even if the cookie is there. Also, with the re-auth flow the user should be able to cancel or just navigate away and continue using the session as if nothing has happened (with the other apps that are happy with the old session, that is)</div><div class="gmail_extra"><br><div class="gmail_quote">On 27 November 2015 at 13:51, Vlastimil Elias <span dir="ltr">&lt;<a href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF"><span class="">
    <br>
    <br>
    <div>On 27.11.2015 13:46, Stian Thorgersen
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr"><br>
        <div class="gmail_extra"><br>
          <div class="gmail_quote">On 27 November 2015 at 13:36,
            Vlastimil Elias <span dir="ltr">&lt;<a href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>&gt;</span> wrote:<br>
            <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div text="#000000" bgcolor="#FFFFFF"><span> <br>
                  <br>
                  <div>On 27.11.2015 12:22, Stian Thorgersen wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div dir="ltr">Initially when you proposed this
                      feature I underestimated how complicated it would
                      be as well. Reading the discussion on the issue
                      you created I&#39;ve got a few comments:
                      <div><br>
                      </div>
                      <div>* We need a new flow - users could want to
                        require re-auth with password, or with totp, or
                        with both, etc..</div>
                    </div>
                  </blockquote>
                </span> Agree, but at least the first step must be the same as
                in the Browser flow - check of cookie, and then redirect to
                another flow if necessary. Not sure if the current flow
                engine supports this.</div>
            </blockquote>
            <div><br>
            </div>
            <div>Current browser flow would just automatically log in as
              the cookie is there</div>
          </div>
        </div>
      </div>
    </blockquote>
    <br></span>
    yep, but the new Reauthentication flow must also check if the user is logged
    in currently (over cookie). If not logged in then it should go to the
    current Browser flow to log him in. If logged in then it must
    continue in the Reauthentication flow. So the check &quot;is user currently logged
    in?&quot; should be the same for both flows.<br>
    <br>
    Vl<div><div class="h5"><br>
    <br>
    <blockquote type="cite">
      <div dir="ltr">
        <div class="gmail_extra">
          <div class="gmail_quote">
            <div> </div>
            <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div text="#000000" bgcolor="#FFFFFF"><span><br>
                  <br>
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div>* There&#39;s probably quite a few corner cases
                        to cover - you&#39;ve already mentioned a few</div>
                      <div><br>
                      </div>
                      <div>It&#39;s a very nice to have feature, but I doubt
                        I have time to work on it for 1.8.</div>
                      <div><br>
                      </div>
                      <div>Is it something we can postpone to 2.x or do
                        you really need it now?</div>
                    </div>
                  </blockquote>
                  <br>
                </span> We do not need it just now, but it would be cool
                to have it in some reasonable time (half a year?). <br>
                Not sure when you plan to start work on 2.x, probably
                sometime around the middle of next year?<br>
                <br>
                As it is really complex, we probably should break it
                into smaller chunks and implement it per partes over the
                releases. I can imagine a first version with basic flow
                support with Form password auth only, then add other
                parts like support for Identity Brokers, OTP, Kerberos,
                required actions etc. <br>
                <br>
                Vl.
                <div>
                  <div><br>
                    <br>
                    <blockquote type="cite">
                      <div class="gmail_extra"><br>
                        <div class="gmail_quote">On 27 November 2015 at
                          11:05, Vlastimil Elias <span dir="ltr">&lt;<a href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>&gt;</span>
                          wrote:<br>
                          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                            <div text="#000000" bgcolor="#FFFFFF"> Hi,<br>
                              <br>
                              moving this discussion to the devel forum
                              as it is about the feature development now.
                              <br>
                              <br>
                              The top-level issue I created for this feature
                              is <a href="https://issues.jboss.org/browse/KEYCLOAK-2076" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-2076</a><br>
                              <br>
                              I added some notes and thoughts from my
                              investigation as a comment to
                              KEYCLOAK-2076; there are some open
                              questions about how to implement it.<br>
                              <br>
                              Originally I thought I should be able to
                              implement reauth support and provide a PR. <br>
                              But I must say I&#39;m not sure now if I&#39;m
                              able to implement it, looks like it is a
                              bit more complicated than I originally
                              expected, so probably some Keycloak core
                              developer should do it. <br>
                              But if you think you will not have
                              resources to do it in 1.8 then I can try
                              it (with your support), as I believe it is
                              a very important feature, and we really
                              want to use it.<br>
                              <br>
                              Cheers<span><font color="#888888"><br>
                                  <br>
                                  Vlastimil</font></span>
                              <div>
                                <div><br>
                                  <br>
                                  <br>
                                  <br>
                                  <div>On 12.11.2015 14:50, Stian
                                    Thorgersen wrote:<br>
                                  </div>
                                  <blockquote type="cite">
                                    <div dir="ltr"><br>
                                      <div class="gmail_extra"><br>
                                        <div class="gmail_quote">On 12
                                          November 2015 at 14:49,
                                          Vlastimil Elias <span dir="ltr">&lt;<a href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>&gt;</span>
                                          wrote:<br>
                                          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                            <div text="#000000" bgcolor="#FFFFFF"> Thanks
                                              for the quick reply Stian. <br>
                                              <br>
                                              I&#39;m going to create JIRAs
                                              for all these things. I
                                              can volunteer to implement
                                              some parts of this.<br>
                                              <br>
                                              For the last one, it
                                              would probably be cool to
                                              have a &quot;reauthenticate
                                              timeout&quot; setting available
                                              in the client section for
                                              every client (not only the
                                              internal admin console and
                                              account management). It
                                              should allow simple
                                              implementation of the &quot;long
                                              user SSO session&quot; scheme
                                              even in environments where
                                              some clients can&#39;t be
                                              updated to set max_age on
                                              the protocol level.<br>
                                            </div>
                                          </blockquote>
                                          <div><br>
                                          </div>
                                          <div>Yep, that makes sense</div>
                                          <div> </div>
                                          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                            <div text="#000000" bgcolor="#FFFFFF"> <br>
                                              Vl.
                                              <div>
                                                <div><br>
                                                  <br>
                                                  <div>On 12.11.2015
                                                    14:39, Stian
                                                    Thorgersen wrote:<br>
                                                  </div>
                                                  <blockquote type="cite">
                                                    <div dir="ltr"><br>
                                                      <div class="gmail_extra"><br>
                                                        <div class="gmail_quote">On
                                                          12 November
                                                          2015 at 14:15,
                                                          Vlastimil
                                                          Elias <span dir="ltr">&lt;<a href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>&gt;</span>
                                                          wrote:<br>
                                                          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Hi,<br>
                                                          <br>
                                                          I&#39;d like to use the long session authentication mechanism known from many<br>
                                                          sites like Google, Facebook, LinkedIn etc.<br>
                                                          It is about really long user SSO sessions (e.g. weeks or even months)<br>
                                                          with reauthentication for important actions when the last authentication<br>
                                                          timestamp is older than some limit.<br>
                                                          <br>
                                                          Is this somehow possible with the current Keycloak server and Keycloak adapters?<br>
                                                          <br>
                                                          I see a few subquestions in this problem for our use:<br>
                                                          <br>
                                                          *****<br>
                                                          The OpenID Connect protocol defines a few auth request parameters to support<br>
                                                          this use case, mainly max_age or prompt=login. Are they correctly<br>
                                                          implemented in the Keycloak server?<br>
                                                          </blockquote>
                                                          <div><br>
                                                          </div>
                                                          <div>We don&#39;t have support for max_age and we only support prompt=none, so these would have to be added</div>
                                                          <div> </div>
                                                          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
                                                          <br>
                                                          *****<br>
                                                          Wildfly/EAP adapter - is it possible, and is there some example of how to<br>
                                                          use a &quot;reauth if auth is older than 30min&quot; action in a Java app secured by<br>
                                                          this adapter? Or is info about the last auth timestamp somehow available in<br>
                                                          the app?<br>
                                                          </blockquote>
                                                          <div><br>
                                                          </div>
                                                          <div>We don&#39;t set the auth_time claim ATM so the answer is no</div>
                                                          <div> </div>
                                                          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
                                                          <br>
                                                          *****<br>
                                                          The Keycloak user account application itself - it is part of the Keycloak<br>
                                                          server, but it contains sensitive actions which typically require<br>
                                                          reauthentication in this long session scheme (password change, email<br>
                                                          change, ...). Is it somehow possible to configure Keycloak to force<br>
                                                          timeout reauth for this app?<br>
                                                          </blockquote>
                                                          <div><br>
                                                          </div>
                                                          <div>Not at the moment - but if we add what you want it would also make sense to add that. Would need to be configurable through the admin console. Would also be nice to have the same for the admin console itself.</div>
                                                          <div> </div>
                                                          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
                                                          Thanks in
                                                          advance<br>
                                                          <br>
                                                          Vl.<br>
                                                          <span><font color="#888888"><br>
                                                          --<br>
                                                          Vlastimil
                                                          Elias<br>
                                                          Principal
                                                          Software
                                                          Engineer<br>
                                                          Developer
                                                          Portal
                                                          Engineering
                                                          Team<br>
                                                          <br>
                                                          <br>
                                                          <br>
                                                          </font></span></blockquote>
                                                        </div>
                                                        <br>
                                                      </div>
                                                    </div>
                                                  </blockquote>
                                                  <br>
                                                </div>
                                              </div>
                                            </div>
                                          </blockquote>
                                        </div>
                                        <br>
                                      </div>
                                    </div>
                                  </blockquote>
                                  <br>
                                </div>
                              </div>
                            </div>
                          </blockquote>
                        </div>
                        <br>
                      </div>
                    </blockquote>
                    <br>
                  </div>
                </div>
              </div>
            </blockquote>
          </div>
          <br>
        </div>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>
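The protocol mechanism the thread circles around (the auth_time claim, max_age and prompt=login) as seen from the relying-party side, as an added Python illustration that is neither Keycloak's code nor any poster's. The endpoint URLs, client id and timestamps are assumed or constructed, and the token decoding deliberately skips signature verification to keep the example short.

```python
"""RP-side sketch of the thread's long-session scheme: read auth_time from the
ID token, decide whether a sensitive action needs a fresh login, and build the
OIDC request that asks the OP for one (max_age or prompt=login)."""
import base64
import json
import time
from urllib.parse import urlencode

REAUTH_MAX_AGE = 30 * 60  # constructed limit: "reauth if auth is older than 30min"
CLOCK_SKEW = 60           # seconds of tolerance between RP and OP clocks


def _b64url_decode(segment):
    """base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(id_token):
    """Return the payload of a compact JWT. The signature is NOT checked here;
    a real adapter validates the token before trusting any claim."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def needs_reauth(claims, max_age=REAUTH_MAX_AGE, now=None, skew=CLOCK_SKEW):
    """True if the user must re-authenticate before a sensitive action.

    auth_time is the OIDC claim for the last *authentication* time (unlike iat,
    the token issue time). If the OP did not set it, as the thread says Keycloak
    did not at the time, the app cannot know how old the login is, so the safe
    answer is to require re-auth."""
    now = time.time() if now is None else now
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, (int, float)):
        return True
    return (now - auth_time) > (max_age + skew)


def check_max_age_response(claims, max_age, now=None, skew=CLOCK_SKEW):
    """OIDC Core 3.1.2.1: when the request carried max_age, the ID token MUST
    include auth_time and the RP verifies it is not older than max_age. Raises
    ValueError if the OP ignored the parameter and just reused its SSO cookie."""
    if "auth_time" not in claims:
        raise ValueError("ID token lacks auth_time although max_age was requested")
    if needs_reauth(claims, max_age, now, skew):
        raise ValueError("auth_time older than requested max_age: no fresh login")


def build_reauth_request(authorization_endpoint, client_id, redirect_uri,
                         state, nonce, max_age=None, force_login=False):
    """Authorization request asking the OP for a fresh enough login: max_age=N
    lets the OP reuse a login younger than N seconds, prompt=login forces the
    login prompt regardless of the existing SSO cookie."""
    params = {"response_type": "code", "scope": "openid", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state, "nonce": nonce}
    if max_age is not None:
        params["max_age"] = str(max_age)
    if force_login:
        params["prompt"] = "login"
    return authorization_endpoint + "?" + urlencode(params)


def make_sample_token(claims):
    """Constructed, unsigned sample ID token for the demo; the signature
    segment is a placeholder that decode_claims never verifies."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "placeholder"])


if __name__ == "__main__":
    login_at = 1448625600  # constructed epoch timestamp of the last login
    claims = decode_claims(make_sample_token({"sub": "vl", "auth_time": login_at}))
    # An hour into a weeks-long SSO session the password-change page sends the
    # user back to the OP (assumed URLs), asking for a login at most 30 min old.
    if needs_reauth(claims, now=login_at + 3600):
        print(build_reauth_request("https://op.example/auth", "account",
                                   "https://app.example/cb", "st1", "n1",
                                   max_age=REAUTH_MAX_AGE))
```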