<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    I looked into the source code and it looks like ForceAuthn is not
    supported.<br>
    Even isPassive (the equivalent of prompt=none) looks like it is unsupported in
    the Keycloak SAML protocol endpoint.<br>
    <br>
    Will do JIRAs for all these things, and maybe implement something
    ;-)<br>
    <br>
    Vl.<br>
    <br>
    <div class="moz-cite-prefix">On 12.11.2015 16:09, Stian Thorgersen
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAJgngAdrSnQmbbVRYb1kcZag_Q94WQdZmpOq1cb1wUfj6Z+=fA@mail.gmail.com"
      type="cite">
      <div dir="ltr">Dunno ;)</div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On 12 November 2015 at 15:00, Vlastimil
          Elias <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div text="#000000" bgcolor="#FFFFFF"> BTW even the SAML2
              protocol has a ForceAuthn="true" attribute in the
              AuthnRequest. Is it supported in Keycloak?<span class=""><br>
                <br>
                Vl.<br>
                <br>
                <div>On 12.11.2015 14:39, Stian Thorgersen wrote:<br>
                </div>
              </span>
              <div>
                <div class="h5">
                  <blockquote type="cite">
                    <div dir="ltr"><br>
                      <div class="gmail_extra"><br>
                        <div class="gmail_quote">On 12 November 2015 at
                          14:15, Vlastimil Elias <span dir="ltr">&lt;<a
                              moz-do-not-send="true"
                              href="mailto:velias@redhat.com"
                              target="_blank">velias@redhat.com</a>&gt;</span>
                          wrote:<br>
                          <blockquote class="gmail_quote"
                            style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Hi,<br>
                            <br>
                            I'd like to use the long session authentication
                            mechanism known from many<br>
                            sites like Google, Facebook, LinkedIn etc.<br>
                            It is about really long user SSO sessions
                            (e.g. weeks or even months)<br>
                            with reauthentication for important actions
                            when the last authentication<br>
                            timestamp is older than some limit.<br>
                            <br>
                            Is this somehow possible with the current
                            Keycloak server and Keycloak adapters?<br>
                            <br>
                            I see a few subquestions in this problem for
                            our use:<br>
                            <br>
                            *****<br>
                            The OpenID Connect protocol defines a few auth
                            request parameters to support<br>
                            this use case, mainly max_age or
                            prompt=login. Are they correctly<br>
                            implemented in the Keycloak server?<br>
                          </blockquote>
                          <div><br>
                          </div>
                          <div>We don't have support for max_age and we
                            only support prompt=none, so these would have
                            to be added.</div>
                          <div> </div>
                          <blockquote class="gmail_quote"
                            style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
                            <br>
                            *****<br>
                            Wildfly/EAP adapter - is it possible and is
                            there some example of how to<br>
                            use a "reauth if auth is older than 30min"
                            action in a Java app secured by<br>
                            this adapter? Or is info about the last auth
                            timestamp somehow available in<br>
                            the app?<br>
                          </blockquote>
                          <div><br>
                          </div>
                          <div>We don't set the auth_time claim ATM, so the
                            answer is no.</div>
                          <div> </div>
                          <blockquote class="gmail_quote"
                            style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
                            <br>
                            *****<br>
                            Keycloak user account application itself -
                            it is part of the Keycloak<br>
                            server, but it contains sensitive actions
                            which typically require<br>
                            reauthentication in this long session scheme
                            (password change, email<br>
                            change, ...). Is it somehow possible to
                            configure Keycloak to force<br>
                            timeout reauth for this app?<br>
                          </blockquote>
                          <div><br>
                          </div>
                          <div>Not at the moment - but if we add what
                            you want, it would also make sense to add
                            that. Would need to be configurable through
                            the admin console. Would also be nice to
                            have the same for the admin console itself.</div>
                          <div> </div>
                          <blockquote class="gmail_quote"
                            style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
                            Thanks in advance<br>
                            <br>
                            Vl.<br>
                            <span><font color="#888888"><br>
                                --<br>
                                Vlastimil Elias<br>
                                Principal Software Engineer<br>
                                Developer Portal Engineering Team<br>
                                <br>
                                <br>
                                <br>
_______________________________________________<br>
                                keycloak-user mailing list<br>
                                <a moz-do-not-send="true"
                                  href="mailto:keycloak-user@lists.jboss.org"
                                  target="_blank">keycloak-user@lists.jboss.org</a><br>
                                <a moz-do-not-send="true"
                                  href="https://lists.jboss.org/mailman/listinfo/keycloak-user"
                                  rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
                              </font></span></blockquote>
                        </div>
                        <br>
                      </div>
                    </div>
                  </blockquote>
                  <br>
                  <pre cols="72">-- 
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team</pre>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team</pre>
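Added example, not code from this thread or from Keycloak: the relying-party side of the step-up scheme discussed above, using the OIDC max_age / prompt=login request parameters and the auth_time claim that the thread says Keycloak did not yet emit. The claim values and the clock are constructed; a missing auth_time is treated as "freshness unknown" and fails closed.

```python
from typing import Dict, Optional

# Constructed sample ID-token claims and a fixed clock (not a real token).
SAMPLE_CLAIMS = {"sub": "user-1", "iat": 1_447_340_000, "auth_time": 1_447_339_100}
NOW = 1_447_341_000


def seconds_since_auth(claims: Dict, now: int) -> Optional[int]:
    """Age of the last interactive login, or None if auth_time is absent.

    auth_time is optional in OIDC unless max_age was requested, and the
    thread notes that Keycloak did not set it at all at the time."""
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, int):
        return None
    return max(0, now - auth_time)


def needs_reauth(claims: Dict, max_age: int, now: int) -> bool:
    """True if the user must re-authenticate before a sensitive action.

    Fails closed: without auth_time the app cannot prove freshness."""
    age = seconds_since_auth(claims, now)
    return age is None or age > max_age


def step_up_params(max_age: int, force: bool = False) -> Dict[str, str]:
    """Authorization-request parameters asking the OP for a fresh login.

    max_age re-authenticates only if the login is older than max_age
    seconds (and obliges the OP to return auth_time); prompt=login forces
    an interactive login regardless of session age."""
    params = {"max_age": str(max_age)}
    if force:
        params["prompt"] = "login"
    return params


def accept_fresh_login(claims: Dict, max_age: int, now: int, skew: int = 60) -> bool:
    """Validate the ID token returned after step-up: auth_time must be
    present, not in the future beyond clock skew, and within max_age."""
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, int) or auth_time > now + skew:
        return False
    return now - auth_time <= max_age
```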
  </body>
</html>