Re: [keycloak-dev] Silent Re-authentication using ID Token

Hi, I would like to confirm that we don't support the `id_token_hint` authorization request parameter. When in conjunction with `prompt=none` it is useful to re-authenticate as well as check whether or not the session associated with the token is active through a non-authenticated request (e.g.: no cookies set by the OP). The use case I'm trying to solve is based on the assumption that you only have/keep the ID Token, you don't want a front/back channel for logout (e.g.: app is stateless), you need to check whether or not session is active, and the check is done through a backchannel communication between the application and the OP. Spec-wise, using either user-info or introspection endpoint is not possible if you only have the ID Token (although some implementations like Google provide an addition `id_token_hint` to the introspection endpoint) given that you should use the access token as a bearer. Wdyt ? Regards. Pedro Igor _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev