12:41 p.m.
I think using client templates makes sense as a way to introduce proper
support for scopes, but not sure about retire/replace. Isn't client
templates a useful concept to create some defaults for a client?
On 24 January 2018 at 14:33, Bill Burke <bburke(a)redhat.com> wrote:
I'll add a jira...but there's some things to think about for
it. One
of the things on my plate is Client Scope support ala oauth scopes.
Was hoping to retire/replace client templates with client scopes and
not sure if flow overrides fit there if a client is composed of
multiple scopes.
On Wed, Jan 24, 2018 at 6:07 AM, Marek Posolda <mposolda(a)redhat.com>
wrote:
> Bill, I've added few minor comments to your PR.
>
> Does it makes sense to support authentication flows per clientTemplate
too?
> Or is it just unnecessary complication? I wonder if it's similar to newly
> added themeSelector and thinking if we can have fallback chain like:
client
> -> clientTemplate -> realm .
>
> Marek
>
>
>
> On 22/01/18 19:21, Stian Thorgersen wrote:
>>
>> On 22 January 2018 at 16:17, Bill Burke <bburke(a)redhat.com> wrote:
>>
>>> On Mon, Jan 22, 2018 at 2:48 AM, Stian Thorgersen <sthorger(a)redhat.com
>
>>> wrote:
>>>>
>>>> I missed the part about code grant flow being used regardless. Of
course
>>>
>>> the
>>>>
>>>> spec doesn't even mandate the user-agent is a web browser, just
says
it
>>>> typically is.
>>>>
>>>> I think acr/display (or some other query parameter) vs a different
flow
>>>> boils down to usability. Basically is it simpler to have one
"dynamic"
>>>
>>> flow
>>>>
>>>> or is it simpler to just have separate flows. I think in most cases
>>>
>>> you're
>>>>
>>>> right and it will probably be cleaner and simpler to simply have
>>>
>>> different
>>>>
>>>> flows.
>>>>
>>>> Did you think about including this new flow OOTB? Is it OSIN specific
or
>>>
>>> is
>>>>
>>>> it a generic non-web version of the regular web based flow?
>>>>
>>> I want to reorganize auth flows a bit so that we can catagorize them
>>> and provide a plugin mechanism so the admin console can dynamically
>>> show which flows can be configured (browser, direct grant, ecp,
>>> etc..). There's a lot to be done here, but probably just putting in
>>> enough at the moment to get the OSIN replacement going.
>>>
>>>> Another thing is the user-agent always controlled by the client? Or
>>>
>>> could a
>>>>
>>>> single client have different user-agents.
>>>>
>>> They don't really have that concept. There's a client config
variable
>>> "respondWithChallenges". When set, server responds with 401
>>> challenges.
>>>
>> I was also wondering if other (non OSIN) clients would want to use more
>> than one flow, but probably not.
>>
>>
>>>
>>>
>>>
>>> --
>>> Bill Burke
>>> Red Hat
>>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
>
--
Bill Burke
Red Hat