<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 11/27/2015 07:57 AM, Stian
Thorgersen wrote:<br>
</div>
<blockquote
cite="mid:CAJgngAerxUGAZNRDRHwCreD8QQqTJENHAWCLf3En34fuga5dRg@mail.gmail.com"
type="cite">
<div dir="ltr">Current flow checks if cookie is there and if it is
it's all happy. We'd need a different flow that can require the
re-auth to take place even if cookie is there. Also, with
re-auth flow user should be able to cancel or just navigate away
and continue using the session as if nothing has happened (with
the other apps that are happy with the old session, that is)</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 27 November 2015 at 13:51, Vlastimil
Elias <span dir="ltr">&lt;<a moz-do-not-send="true" href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span class=""> <br>
<br>
<div>On 27.11.2015 13:46, Stian Thorgersen wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 27 November 2015 at
13:36, Vlastimil Elias <span dir="ltr">&lt;<a moz-do-not-send="true" href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span> <br>
<br>
<div>On 27.11.2015 12:22, Stian Thorgersen
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Initially when you
proposed this feature I underestimated
how complicated it would be as well.
Reading the discussion on the issue
you created I've got a few comments:
<div><br>
</div>
<div>* We need a new flow - users
could want to require re-auth with
password, or with totp, or with
both, etc..</div>
</div>
</blockquote>
</span> Agree, but at least the first step must
be the same as in the Browser flow: check the cookie,
and then redirect to another flow if
necessary. Not sure if the current flow engine
supports this.</div>
</blockquote>
<div><br>
</div>
<div>The current browser flow would just
automatically log in as the cookie is there</div>
</div>
</div>
</div>
</blockquote>
<br>
</span> Yep, but the new Reauthentication flow must also check
if the user is currently logged in (via cookie). If not
logged in then it should go to the current Browser flow to
log him in. If logged in then it must continue in the
Reauthentication flow. So the check "is user currently logged
in?" should be the same for both flows.<br>
<br>
Vl</div>
</blockquote>
</div>
</div>
</blockquote>
<br>
<br>
If not logged in, it is not reauthentication, it is delegation.<br>
<br>
If I ask for a long running task, and I am not around when something
needs to be done on my behalf, I need to make sure I've delegated to
the remote principal the ability to perform this task, and that
remote principal needs to be able to confirm it.<br>
<br>
<br>
<br>
<blockquote
cite="mid:CAJgngAerxUGAZNRDRHwCreD8QQqTJENHAWCLf3En34fuga5dRg@mail.gmail.com"
type="cite">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>
<div class="h5"><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>* There's probably quite a few
corner cases to cover - you've
already mentioned a few</div>
<div><br>
</div>
<div>It's a very nice-to-have
feature, but I doubt I have time to
work on it for 1.8.</div>
<div><br>
</div>
<div>Is it something we can
postpone to 2.x or do you really
need it now?</div>
</div>
</blockquote>
<br>
</span> We do not need it just now, but it
would be cool to have it in some
reasonable time (half a year?). <br>
Not sure when you plan to start work on
2.x, probably sometime around the middle of next
year?<br>
<br>
As it is really complex, we probably
should break it into smaller chunks and
implement it per partes over the releases.
I can imagine a first version with basic
flow support with Form password auth only,
then add other parts like support for
Identity Brokers, OTP, Kerberos, required
actions etc. <br>
<br>
Vl.
<div>
<div><br>
<br>
<blockquote type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On 27
November 2015 at 11:05,
Vlastimil Elias <span dir="ltr">&lt;<a moz-do-not-send="true" href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div text="#000000"
bgcolor="#FFFFFF"> Hi,<br>
<br>
moving this discussion to the devel forum as it is about the feature development now. <br>
<br>
The top-level issue I created for this feature is <a moz-do-not-send="true" href="https://issues.jboss.org/browse/KEYCLOAK-2076" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-2076</a><br>
<br>
I added some notes and thoughts from my investigation as a comment to KEYCLOAK-2076; there are some open questions on how to implement it.<br>
<br>
Originally I thought I should be able to implement reauth support and provide a PR. <br>
But I must say I'm not sure now if I'm able to implement it; it looks like it is a bit more complicated than I originally expected, so probably some Keycloak core developer should do it. <br>
But if you think you will not have resources to do it in 1.8 then I can try it (with your support), as I believe it is a very important feature, and we really want to use it.<br>
<br>
Cheers<span><font color="#888888"><br>
<br>
Vlastimil</font></span>
<div>
<div><br>
<br>
<br>
<br>
<div>On 12.11.2015
14:50, Stian
Thorgersen wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr"><br>
<div
class="gmail_extra"><br>
<div
class="gmail_quote">On
12 November 2015
at 14:49,
Vlastimil Elias
<span dir="ltr">&lt;<a moz-do-not-send="true" href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0
0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Thanks for the quick reply Stian. <br>
<br>
I'm going to create JIRAs for all these things. I can volunteer to implement some parts of this.<br>
<br>
For the last one, it would probably be cool to have a "reauthenticate timeout" setting available in the client section for every client (not only the internal admin console and account management). It should allow a simple implementation of the "long user SSO session" scheme even in environments where some clients can't be updated to set max_age on the protocol level.<br>
</div>
</blockquote>
<div><br>
</div>
<div>Yep, that
makes sense</div>
<div> </div>
<blockquote
class="gmail_quote"
style="margin:0
0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
<div
text="#000000"
bgcolor="#FFFFFF"> <br>
Vl.
<div>
<div><br>
<br>
<div>On
12.11.2015
14:39, Stian
Thorgersen
wrote:<br>
</div>
<blockquote
type="cite">
<div dir="ltr"><br>
<div
class="gmail_extra"><br>
<div
class="gmail_quote">On
12 November
2015 at 14:15,
Vlastimil
Elias <span dir="ltr">&lt;<a moz-do-not-send="true" href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Hi,<br>
<br>
I'd like to use the long session authentication mechanism known from many<br>
sites like Google, Facebook, LinkedIn etc.<br>
It is about really long user SSO sessions (e.g. weeks or even months)<br>
with reauthentication for important actions when the last authentication<br>
timestamp is older than some limit.<br>
<br>
Is this somehow possible with the current Keycloak server and Keycloak adapters?<br>
<br>
I see a few subquestions in this problem for our use:<br>
<br>
*****<br>
The OpenID Connect protocol defines a few auth request parameters to support<br>
this use case, mainly max_age or prompt=login. Are they correctly<br>
implemented in the Keycloak server?<br>
</blockquote>
<div><br>
</div>
<div>We don't have support for max_age and we only support prompt=none, so these would have to be added</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
<br>
*****<br>
Wildfly/EAP adapter - is it possible, and is there some example of how to<br>
use a "reauth if auth is older than 30min" action in a Java app secured by<br>
this adapter? Or is info about the last auth timestamp somehow available in<br>
the app?<br>
</blockquote>
<div><br>
</div>
<div>We don't set the auth_time claim ATM so the answer is no</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
<br>
*****<br>
Keycloak user account application itself - it is part of the Keycloak<br>
server, but it contains sensitive actions which typically require<br>
reauthentication in this long session scheme (password change, email<br>
change, ...). Is it somehow possible to configure Keycloak to force<br>
timeout reauth for this app?<br>
</blockquote>
<div><br>
</div>
<div>Not at the moment - but if we add what you want it would also make sense to add that. It would need to be configurable through the admin console. Would also be nice to have the same for the admin console itself.</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
Thanks in advance<br>
<br>
Vl.<br>
<span><font color="#888888"><br>
--<br>
Vlastimil Elias<br>
Principal Software Engineer<br>
Developer Portal Engineering Team<br>
<br>
<br>
<br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a moz-do-not-send="true" href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</font></span></blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
keycloak-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
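<p>The thread above turns on three OpenID Connect pieces: the <code>max_age</code> request parameter, <code>prompt=login</code>, and the <code>auth_time</code> ID-token claim that the server did not yet emit. The following is an added example and is not code from the thread or from Keycloak: it shows the relying-party (client application) side of the "long SSO session with re-auth for sensitive actions" scheme, i.e. the check that decides whether the last authentication is too old for a sensitive action, the step-up authorization request that asks the IdP for a fresh login, and the post-round-trip check that the IdP really did re-authenticate rather than replay the SSO cookie. The endpoint URL, client id, redirect URI, 30-minute window and all claim values are constructed sample values.</p>

```python
"""Relying-party side of the long-SSO-session / re-authentication scheme.

Added example, not Keycloak code. Policy: a sensitive action is allowed only
if the user's last interactive authentication (OIDC `auth_time` claim) is
younger than a per-client "reauthenticate timeout"; otherwise the app sends
the user to the authorization endpoint with `max_age` (and optionally
`prompt=login`) so the IdP re-authenticates instead of silently reusing the
SSO cookie.
"""
import time
from urllib.parse import urlencode

# Hypothetical values, constructed for this example.
AUTHORIZE_ENDPOINT = "https://idp.example.test/auth/realms/demo/protocol/openid-connect/auth"
CLIENT_ID = "account-app"
REDIRECT_URI = "https://app.example.test/callback"
REAUTH_TIMEOUT_SECONDS = 30 * 60      # "reauth if auth is older than 30min"
CLOCK_SKEW_SECONDS = 60


def reauth_required(id_token_claims, max_age_seconds=REAUTH_TIMEOUT_SECONDS, now=None):
    """True when the user must re-authenticate before a sensitive action.

    OIDC Core 3.1.2.1 makes `auth_time` mandatory in the ID token whenever the
    client requested `max_age`; the client then checks now - auth_time <= max_age.
    An IdP that never sets `auth_time` (Keycloak at the time of this thread)
    cannot satisfy the policy, so the check fails closed rather than treating
    the session as fresh.
    """
    now = time.time() if now is None else now
    auth_time = id_token_claims.get("auth_time")
    if isinstance(auth_time, bool) or not isinstance(auth_time, (int, float)):
        return True                       # missing or malformed: fail closed
    if auth_time > now + CLOCK_SKEW_SECONDS:
        return True                       # authentication "in the future": not trusted
    return (now - auth_time) > max_age_seconds


def step_up_request(state, nonce, max_age_seconds=REAUTH_TIMEOUT_SECONDS, force_login=False):
    """Build the authorization request that asks the IdP for a fresh login.

    `max_age` alone lets the IdP decide whether the existing session is fresh
    enough; `prompt=login` forces an interactive login regardless. The state
    and nonce are per-request random values generated by the caller.
    """
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,     # CSRF binding for the callback
        "nonce": nonce,     # replay binding, echoed back in the ID token
        "max_age": str(max_age_seconds),
    }
    if force_login:
        params["prompt"] = "login"
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def verify_fresh_auth(id_token_claims, requested_max_age, expected_nonce, now=None):
    """After the step-up round trip, confirm the new ID token carries our nonce
    and a fresh `auth_time`. An IdP that ignored `max_age` and simply re-issued
    a token for the old session fails this check."""
    if id_token_claims.get("nonce") != expected_nonce:
        return False
    return not reauth_required(id_token_claims, requested_max_age, now)


if __name__ == "__main__":
    now = 1_448_600_000                   # constructed "current" time
    stale = {"sub": "u1", "iat": now - 10, "auth_time": now - 2 * 3600}
    print("stale session needs re-auth:", reauth_required(stale, now=now))
    print("step-up URL:", step_up_request("st-123", "n-456", force_login=True))
    fresh = {"sub": "u1", "iat": now, "auth_time": now - 5, "nonce": "n-456"}
    print("fresh after round trip:",
          verify_fresh_auth(fresh, REAUTH_TIMEOUT_SECONDS, "n-456", now=now))
```

<p>The design choice worth noting is the fail-closed branch in <code>reauth_required</code>: when the ID token has no usable <code>auth_time</code>, the application cannot distinguish a fresh login from a months-old SSO cookie, so it must ask for re-authentication rather than assume freshness. The second check after the redirect matters for the same reason: requesting <code>max_age</code> is only a hint to the server, and the client has to verify from the returned claims that an interactive authentication actually happened.</p>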
<br>
</body>
</html>