[keycloak-user] Authorization of action in application (client of KC)
Nikola Malenic
nikola.malenic at netsetglobal.rs
Tue Jan 8 04:07:36 EST 2019
Thank you very much, Dmitry.
It seems that there is no any progress on this still so I'll probably have to implement something myself.
Maybe I should start by defining custom endpoint where users would be redirected to enter the OTP, not leveraging authentication SPI at all, what do you think?
Best regards,
Nikola
-----Original Message-----
From: Dmitry Telegin [mailto:dt at acutus.pro]
Sent: Friday, December 21, 2018 2:30 PM
To: Nikola Malenic <nikola.malenic at netsetglobal.rs>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Authorization of action in application (client of KC)
Sorry, forgot the link:
https://www.keycloak.org/docs/latest/server_development/index.html#_action_token_spi
Dmitry
On Fri, 2018-12-21 at 16:19 +0300, Dmitry Telegin wrote:
> Hello Nikola,
>
> On Thu, 2018-12-20 at 16:57 +0100, Nikola Malenic wrote:
> > I have an use case where I have to authorize an action in my
> > application taken by the user. Here is how it should go:
> >
> > The user is logged in at KC and using my application. Now, my
> > application would need to authorize one user action by sending the
> > user to KC, where he would enter his OTP, and then, my application
> > would get some kind of proof that user authorized the action (I
> > don't know what should that be, yet).
>
> Seems like what you want is "step-up authentication". It's been on the
> list since 2014, but AFAIK still no progress to the moment:
> https://issues.jboss.org/browse/KEYCLOAK-847
> https://issues.jboss.org/browse/KEYCLOAK-4182
> http://lists.jboss.org/pipermail/keycloak-dev/2017-April/009245.html
>
> I'm also adding Thomas Darimont to CC: as probably no one knows this
> topic better than he does.
>
> > Do you have any idea how this could be achieved using KC? I guess
> > action SPI would somehow be used.
>
> If you're talking about Action Token SPI [1], I'm afraid this is not
> much relevant here. Action tokens are issued by Keycloak and allow
> users to perform special actions like password reset. OTOH, your case
> is about conditionally executing a part of authentication flow on the
> client's request.
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> >
> >
> >
> > Thank you in advance,
> >
> > Nikola
> >
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list