[keycloak-user] How to implement long user sso sessions with reauthentication for important actions?

Vlastimil Elias velias at redhat.com
Fri Nov 13 02:04:47 EST 2015


I looked into source code and it looks like ForceAuthn is not supported .
Even isPassive (equivalent of prompt=none) looks like unsupported in
Keycloak SAML protocol endpoint.

Will do JIRAs for all these things, and maybe implement something ;-)

Vl.

On 12.11.2015 16:09, Stian Thorgersen wrote:
> Dunno ;)
>
> On 12 November 2015 at 15:00, Vlastimil Elias <velias at redhat.com
> <mailto:velias at redhat.com>> wrote:
>
>     BTW even SAML2 protocol has ForceAuthn="true" attribute in the
>     AuthnRequest. Is it supported in Keycloak?
>
>     Vl.
>
>     On 12.11.2015 14:39, Stian Thorgersen wrote:
>>
>>
>>     On 12 November 2015 at 14:15, Vlastimil Elias <velias at redhat.com
>>     <mailto:velias at redhat.com>> wrote:
>>
>>         Hi,
>>
>>         I'd like to use long session authentication mechanism known
>>         from many
>>         sites like google. facebook, linked in etc.
>>         It is about really long user SSO sessions (eg. weeks or even
>>         months)
>>         with reauthentication for important actions when last
>>         authentication
>>         timestamp is older than some limit.
>>
>>         Is this somehow possible with current Keycloak server and
>>         Keycloak adapters?
>>
>>         I see few subquestions in this problem for our use:
>>
>>         *****
>>         open-id connect protocol defines few auth request parameters
>>         to support
>>         this use case, mainly max_age or prompt=login. Are they correctly
>>         implemented in Keycloak server?
>>
>>
>>     We don't have support for max_age and we only support prompt=none
>>     so these would have to be added
>>      
>>
>>
>>
>>         *****
>>         Wildfly/EAP adapter - is it possible and is there some
>>         example how to
>>         use "reauth if auth is older than 30min" action in Java app
>>         secured by
>>         this adapter? Or is info about last auth timestamp somehow
>>         available in
>>         the app?
>>
>>
>>     We don't set auth_time claim ATM so answer is no
>>      
>>
>>
>>
>>         *****
>>         Keycloak user account application itself - it is part of the
>>         Keycloak
>>         server, but it contains sensitive actions which typically require
>>         reathentication in this long session scheme (password change,
>>         email
>>         change, ...). Is it somehow possible to configure Keycloak to
>>         force
>>         timeout reauth for this app?
>>
>>
>>     Not at the moment - but if we add what you want it would also
>>     make sense to add that. Would need to be configurable through the
>>     admin console. Would also be nice to have the same for the admin
>>     console itself.
>>      
>>
>>
>>         Thanks in advance
>>
>>         Vl.
>>
>>         --
>>         Vlastimil Elias
>>         Principal Software Engineer
>>         Developer Portal Engineering Team
>>
>>
>>
>>         _______________________________________________
>>         keycloak-user mailing list
>>         keycloak-user at lists.jboss.org
>>         <mailto:keycloak-user at lists.jboss.org>
>>         https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>
>     -- 
>     Vlastimil Elias
>     Principal Software Engineer
>     Developer Portal Engineering Team
>
>

-- 
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151113/856966bf/attachment-0001.html 


More information about the keycloak-user mailing list