<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 12 November 2015 at 14:49, Vlastimil Elias <span dir="ltr">&lt;<a href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    Thanks for quick reply Stian. <br>
    <br>
I&#39;m going to create JIRAs for all these things. I can volunteer to
    implement some parts of this.<br>
    <br>
    For the last one, it should be probably cool to have &quot;reauthenticate
    timeout&quot; setting available in client section for every client (not
    only internal admin console and account management). It should allow
    simple implementation of &quot;long user sso session&quot; scheme even in
    environments where some clients can&#39;t be updated to set max_age on
    protocol level.<br></div></blockquote><div><br></div><div>Yep, that makes sense</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF">
    <br>
    Vl.<div><div class="h5"><br>
    <br>
    <div>On 12.11.2015 14:39, Stian Thorgersen
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr"><br>
        <div class="gmail_extra"><br>
          <div class="gmail_quote">On 12 November 2015 at 14:15,
            Vlastimil Elias <span dir="ltr">&lt;<a href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>&gt;</span> wrote:<br>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Hi,<br>
              <br>
              I&#39;d like to use long session authentication mechanism
              known from many<br>
              sites like google, facebook, linked in etc.<br>
              It is about really long user SSO sessions (eg. weeks or
              even months)<br>
              with reauthentication for important actions when last
              authentication<br>
              timestamp is older than some limit.<br>
              <br>
              Is this somehow possible with current Keycloak server and
              Keycloak adapters?<br>
              <br>
              I see a few subquestions in this problem for our use:<br>
              <br>
              *****<br>
              open-id connect protocol defines few auth request
              parameters to support<br>
              this use case, mainly max_age or prompt=login. Are they
              correctly<br>
              implemented in Keycloak server?<br>
            </blockquote>
            <div><br>
            </div>
            <div>We don&#39;t have support for max_age and we only
              support prompt=none so these would have to be added</div>
            <div> </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
              <br>
              *****<br>
              Wildfly/EAP adapter - is it possible and is there some
              example how to<br>
              use &quot;reauth if auth is older than 30min&quot; action in Java
              app secured by<br>
              this adapter? Or is info about last auth timestamp somehow
              available in<br>
              the app?<br>
            </blockquote>
            <div><br>
            </div>
            <div>We don&#39;t set auth_time claim ATM so answer is no</div>
            <div> </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
              <br>
              *****<br>
              Keycloak user account application itself - it is part of
              the Keycloak<br>
              server, but it contains sensitive actions which typically
              require<br>
              reauthentication in this long session scheme (password
              change, email<br>
              change, ...). Is it somehow possible to configure Keycloak
              to force<br>
              timeout reauth for this app?<br>
            </blockquote>
            <div><br>
            </div>
            <div>Not at the moment - but if we add what you want it
              would also make sense to add that. Would need to be
              configurable through the admin console. Would also be nice
              to have the same for the admin console itself.</div>
            <div> </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
              Thanks in advance<br>
              <br>
              Vl.<br>
              <span><font color="#888888"><br>
                  --<br>
                  Vlastimil Elias<br>
                  Principal Software Engineer<br>
                  Developer Portal Engineering Team<br>
                  <br>
                  <br>
                  <br>
                  _______________________________________________<br>
                  keycloak-user mailing list<br>
                  <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
                  <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
                </font></span></blockquote>
          </div>
          <br>
        </div>
      </div>
    </blockquote>
    <br>
    <pre cols="72">-- 
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team</pre>
  </div></div></div>

</blockquote></div><br></div></div>
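Added example, not code from the thread or from Keycloak: a Python sketch of the relying-party half of the scheme discussed above. It builds an OpenID Connect authorization request carrying max_age and/or prompt=login, and decides from an ID token's auth_time claim whether a sensitive action (password change, email change) must first send the user back for reauthentication. The authorization endpoint, client id, redirect URI and token claims are constructed placeholders; the claims are assumed to have already been signature-verified by the adapter. A token without auth_time is treated as too old (fail closed), which matters because, as the thread notes, Keycloak did not emit that claim at the time.

```python
"""Hypothetical helpers for a "reauthenticate if the last login is older than N
minutes" policy on top of OpenID Connect. Example code only, not part of Keycloak."""
import time
from urllib.parse import urlencode


def build_auth_request(authorization_endpoint, client_id, redirect_uri, state, nonce,
                       max_age=None, force_login=False):
    """Build an OIDC authorization-code request URL.

    max_age (seconds) asks the OpenID Provider to re-authenticate the user when the
    last login is older than that; prompt=login asks for a fresh login regardless.
    state and nonce are the usual CSRF / replay protections and must be random per
    request (constructed values are passed in by the caller here).
    """
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
    }
    if max_age is not None:
        params["max_age"] = str(int(max_age))
    if force_login:
        params["prompt"] = "login"
    return f"{authorization_endpoint}?{urlencode(params)}"


def needs_reauth(id_token_claims, max_age_seconds, now=None, skew_seconds=60):
    """Decide whether a sensitive action may proceed on these ID-token claims.

    Assumes the token signature, issuer, audience and expiry were already verified
    by the adapter. Returns (reauth_required, reason). A missing or non-numeric
    auth_time fails closed: the app cannot prove the login is recent, so it asks
    for a fresh one instead of silently allowing the action.
    """
    now = time.time() if now is None else now
    auth_time = id_token_claims.get("auth_time")
    if not isinstance(auth_time, (int, float)) or isinstance(auth_time, bool):
        return True, "auth_time claim missing"
    if auth_time > now + skew_seconds:
        return True, "auth_time is in the future beyond allowed clock skew"
    age = now - auth_time
    if age > max_age_seconds:
        return True, f"last authentication {int(age)}s ago exceeds max_age {max_age_seconds}s"
    return False, "authentication is recent enough"


if __name__ == "__main__":
    # Constructed placeholder values for a stand-alone run.
    endpoint = "https://idp.example/realms/demo/protocol/openid-connect/auth"
    url = build_auth_request(endpoint, "account-app", "https://app.example/cb",
                             state="s-constructed", nonce="n-constructed",
                             max_age=1800, force_login=False)
    print("authorization request:", url)

    now = 1_700_000_000
    # Long SSO session: user logged in 3 hours ago, policy requires login < 30 min old.
    old_login = {"sub": "user-1", "auth_time": now - 3 * 3600}
    print("password change:", needs_reauth(old_login, 1800, now=now))
    # Right after the forced reauthentication the action is allowed.
    fresh_login = {"sub": "user-1", "auth_time": now - 30}
    print("password change:", needs_reauth(fresh_login, 1800, now=now))
    # A server that never sets auth_time cannot satisfy the policy at all.
    print("no auth_time:", needs_reauth({"sub": "user-1"}, 1800, now=now))
```

The decision is made per action rather than per session, so an ordinary page view keeps working on a weeks-old SSO session while a password change redirects with max_age (or prompt=login) and is retried once the new ID token carries a recent auth_time.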