[keycloak-user] Authorization of action in application (client of KC)

Dmitry Telegin dt at acutus.pro
Fri Dec 21 08:19:24 EST 2018


Hello Nikola,

On Thu, 2018-12-20 at 16:57 +0100, Nikola Malenic wrote:
> I have a use case where I have to authorize an action in my application
> taken by the user. Here is how it should go:
> 
> The user is logged in at KC and using my application. Now, my application
> would need to authorize one user action by sending the user to KC, where he
> would enter his OTP, and then, my application would get some kind of proof
> that user authorized the action (I don't know what should that be, yet).

Seems like what you want is "step-up authentication". It's been on the list since 2014, but AFAIK there has been no progress so far:
https://issues.jboss.org/browse/KEYCLOAK-847
https://issues.jboss.org/browse/KEYCLOAK-4182
http://lists.jboss.org/pipermail/keycloak-dev/2017-April/009245.html

I'm also adding Thomas Darimont to CC, as probably no one knows this topic better than he does.

> Do you have any idea how this could be achieved using KC? I guess action SPI
> would somehow be used.

If you're talking about the Action Token SPI [1], I'm afraid this is not very relevant here. Action tokens are issued by Keycloak and allow users to perform special actions like password reset. OTOH, your case is about conditionally executing a part of the authentication flow on the client's request.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

> Thank you in advance,
> 
> Nikola
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
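Pending native step-up support, a client can approximate the "proof that the user authorized the action" Nikola asks for with plain OIDC: bind a one-time nonce to the pending action, send the browser back to the authorization endpoint with prompt=login and max_age=0 (both standard OIDC Core request parameters), and accept the returned ID token as proof only if its nonce matches and its auth_time is fresh. The following is an added illustration, not code from this thread or from Keycloak. It assumes Keycloak's /protocol/openid-connect/auth endpoint path, and, so that it runs offline, signs the demo token with HS256 and a constructed shared secret where a real client would verify Keycloak's RS256 signature against the realm JWKS; the action ids, secret and timestamps are constructed test data. Whether the user is actually asked for an OTP during the re-authentication is decided by the realm's browser flow, not by the client, which is exactly the gap the linked issues describe.

```python
"""Bind a sensitive action to a fresh re-authentication (example code, not Keycloak's).

Assumed flow: the app stores a single-use nonce bound to the action, redirects the
browser to the OIDC authorization endpoint with prompt=login and max_age=0, and
treats the ID token it gets back as proof only if the nonce matches and auth_time
is recent. HS256 with a shared secret is used here only so the demo runs offline;
Keycloak signs tokens with RS256 realm keys by default.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

MAX_AUTH_AGE = 60      # seconds: how recent auth_time must be to count as step-up
PENDING_ACTIONS = {}   # nonce -> (action_id, created_at); constructed in-memory store


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_step_up_url(issuer, client_id, redirect_uri, action_id, now=None):
    """Return (authorization URL, nonce); the nonce is bound to action_id server-side."""
    nonce = secrets.token_urlsafe(32)
    created_at = int(now if now is not None else time.time())
    PENDING_ACTIONS[nonce] = (action_id, created_at)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "prompt": "login",   # OIDC: re-authenticate even though an SSO session exists
        "max_age": "0",      # OIDC: auth_time must be now, not the original login
        "nonce": nonce,      # ties the resulting ID token to this one action
    }
    return f"{issuer}/protocol/openid-connect/auth?{urlencode(params)}", nonce


def mint_test_id_token(claims: dict, secret: bytes) -> str:
    """Constructed HS256 ID token standing in for what Keycloak would issue."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_action_proof(id_token, issuer, client_id, secret, now=None):
    """Return the action_id this token authorizes, or raise ValueError."""
    now = now if now is not None else time.time()
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    # Pin the algorithm: never let the token header pick "none" or another alg.
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))

    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")

    # The nonce is consumed on first use, so a captured token cannot authorize twice.
    pending = PENDING_ACTIONS.pop(claims.get("nonce"), None)
    if pending is None:
        raise ValueError("unknown or reused nonce")
    action_id, created_at = pending

    # auth_time is when the user last actually authenticated. A token minted from
    # the existing SSO session without re-auth still carries the old login time.
    auth_time = claims.get("auth_time")
    if auth_time is None or auth_time < created_at or auth_time < now - MAX_AUTH_AGE:
        raise ValueError("authentication not fresh enough for this action")
    return action_id
```

The two checks that carry the security argument are the single-use nonce (the token proves re-authentication for this action, not some earlier one) and the auth_time comparison against both the moment the action was requested and MAX_AUTH_AGE; a client that only checks exp would accept a token issued silently from the SSO cookie.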
