[keycloak-user] Forcing reauthentication from a client, even when session is active

John D. Ament john.d.ament at gmail.com
Mon Mar 6 10:20:24 EST 2017


Bill,

In my use case, a realm ~~ a tenant, and typically a realm will only have
one identity source.  So sorry, yeah, I just crossed the two.  But basically,
all the clients will be OIDC based, but there will be SAML based IDPs in
the mix.

John

On Mon, Mar 6, 2017 at 10:18 AM Bill Burke <bburke at redhat.com> wrote:

> Don't know what you're talking about John....
>
> A realm isn't SAML or OIDC based.  The protocol is the choice of each
> individual client application.  Keycloak allows a mix of SAML and OIDC
> client applications in the same SSO login session.  In a brokering
> situation a child IDP acts as a client to the parent IDP and must use one
> of the protocols that the parent IDP supports.
>
>
>
> On 3/6/17 10:09 AM, John D. Ament wrote:
>
> At least for my use case, the max_age is moot.  It's not by session, but
> by
>
> And just to be clear - if I'm sending an OIDC request from my client to
> keycloak, and the realm is based on SAML, and that realm is ForceAuthn
> enabled, then it would reprompt in the IDP (if that's how everything's
> configured)
>
> I'm assuming at that point, I would send a Bearer header and parse on the
> backend with a JAX-RS adapter?
>
> On Mon, Mar 6, 2017 at 10:04 AM Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
> As we have prompt=login (I also spotted auth_time in the token) it would be
> really easy to add max_age that would actually be more useful than
> prompt=login IMO.
>
> On 6 March 2017 at 15:41, Bill Burke <bburke at redhat.com> wrote:
>
> > We support prompt=login.
> >
> >
> > On 3/6/17 9:33 AM, Stian Thorgersen wrote:
> > > OIDC has prompt=login and max_age params for it. Pretty sure we don't
> > > support either at the moment though.
> > >
> > > On 6 March 2017 at 15:14, John D. Ament <john.d.ament at gmail.com>
> wrote:
> > >
> > >> On Mon, Mar 6, 2017 at 9:12 AM John Dennis <jdennis at redhat.com>
> wrote:
> > >>
> > >>> On 03/06/2017 08:47 AM, John D. Ament wrote:
> > >>>> Hi,
> > >>>>
> > >>>> I have a use case where I need to reauthenticate a client, even if
> > >> their
> > >>>> session is active.  I can use the Keycloak javascript adapter on the
> > >>> client
> > >>>> side, if needed, and was wondering if this is something built in?  I
> > >> was
> > >>>> also expecting to leverage either the OIDC or SAML adapter on the
> > >> server
> > >>>> side.  Can that work, regardless or server side adapter?
> > >>> In SAML you set ForceAuthn=True in the AuthnRequest.
> > >>>
> > >>>
> > >> This is not SAML specific.
> > >>
> > >>
> > >>> --
> > >>> John
> > >>> _______________________________________________
> > >>> keycloak-user mailing list
> > >>> keycloak-user at lists.jboss.org
> > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >>>
>
>

