Definitely makes sense for the 'Direct Grant Flow'.
Did you also think about it for the 'Browser Flow'? That doesn't make sense
to me as I don't think the client should have any control over the SSO flow.
On 17 January 2018 at 20:37, Bill Burke <bburke(a)redhat.com> wrote:
TL;DR: Per-client authentication flows? A client can be configured to
override the realm authentication flows.
Background:
I'm speccing out how we will replace OSIN (the OpenShift OAuth server) with
Keycloak. One issue is that each OAuth client in OSIN can specify the
authentication flow it wants. Non-browser clients like the 'oc' command
line tool want a 401, challenge-based protocol... The web console
obviously wants HTML. All OSIN clients use the OAuth
auth-code grant regardless of whether they are non-browser or browser
clients. Keycloak assumes this OAuth grant type is browser based and
expects non-browser clients to use the Resource Credentials grant or
client credentials grant. OSIN does not support this and we (Keycloak)
have to be backward compatible.
Solution:
I think it would be pretty simple to add the ability to override
authentication flows per client. I don't think this would be a
one-off for OSIN as we could use it to implement other non-browser
input protocols. For example, I wanted to be able to have a
text-based auth flow for command line logins. I think this could be a
way to implement that.
--
Bill Burke
Red Hat
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
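As an added illustration of the per-client override Bill proposes, and of the concern raised in the reply about letting a client touch the browser flow (example code written for this page, not Keycloak's own code and not part of the original thread): the Python below models a realm's flow bindings, per-client overrides that take precedence over them, and a policy check that refuses an override which drops a factor the realm's default flow for that login type marks REQUIRED. The flow and authenticator names, the `factor` attribute on an execution, and the sample realm are constructed for the example; the two binding names "browser" and "direct_grant" match the keys Keycloak later used for its `authenticationFlowBindingOverrides` client setting, but everything else here is a simplified model, not Keycloak's flow engine.

```python
"""Added example, not Keycloak's code: per-client authentication flow overrides.

A realm binds each login type ("browser", "direct_grant") to a flow. A client
may override a binding with another realm flow; resolve_flow() prefers the
client override and falls back to the realm binding. check_override() is the
guard an admin would want before saving an override: the override must be an
existing realm flow and must keep every factor (password, otp, ...) that the
realm's default flow for that binding marks REQUIRED, so a client cannot use
the override to weaken the realm's SSO login. All names below are constructed.
"""
from dataclasses import dataclass, field

REQUIRED, ALTERNATIVE, DISABLED = "REQUIRED", "ALTERNATIVE", "DISABLED"
BINDINGS = ("browser", "direct_grant")


@dataclass
class Execution:
    authenticator: str   # constructed authenticator id, e.g. "auth-otp-form"
    factor: str          # what the authenticator proves: "cookie", "password", "otp"
    requirement: str     # REQUIRED / ALTERNATIVE / DISABLED


@dataclass
class Flow:
    alias: str
    executions: list = field(default_factory=list)

    def required_factors(self):
        """Factors every login through this flow must present."""
        return {e.factor for e in self.executions if e.requirement == REQUIRED}


@dataclass
class Realm:
    flows: dict      # alias -> Flow
    bindings: dict   # binding name -> flow alias (realm defaults)


@dataclass
class Client:
    client_id: str
    flow_overrides: dict = field(default_factory=dict)  # binding -> flow alias


def resolve_flow(realm, client, binding):
    """Flow used for this client and login type: client override, else realm default."""
    if binding not in BINDINGS:
        raise ValueError(f"unknown binding {binding!r}")
    alias = client.flow_overrides.get(binding) or realm.bindings[binding]
    return realm.flows[alias]


def check_override(realm, client, binding):
    """Problems with the client's override for `binding`; an empty list means OK."""
    alias = client.flow_overrides.get(binding)
    if alias is None:
        return []                                   # no override, realm default applies
    if alias not in realm.flows:
        return [f"{client.client_id}: override flow {alias!r} does not exist in realm"]
    default_flow = realm.flows[realm.bindings[binding]]
    override_flow = realm.flows[alias]
    # Any factor the realm requires for this login type must survive the override.
    missing = default_flow.required_factors() - override_flow.required_factors()
    return [
        f"{client.client_id}: {binding} override {alias!r} drops REQUIRED factor "
        f"{factor!r} present in realm flow {default_flow.alias!r}"
        for factor in sorted(missing)
    ]


# Constructed sample realm: two realm defaults plus two candidate override flows.
SAMPLE_REALM = Realm(
    flows={
        "browser": Flow("browser", [
            Execution("auth-cookie", "cookie", ALTERNATIVE),
            Execution("auth-username-password-form", "password", REQUIRED),
            Execution("auth-otp-form", "otp", REQUIRED),
        ]),
        "direct grant": Flow("direct grant", [
            Execution("direct-grant-validate-password", "password", REQUIRED),
            Execution("direct-grant-validate-otp", "otp", DISABLED),
        ]),
        # Challenge-based flow for a command-line client such as 'oc' (constructed).
        "cli-challenge": Flow("cli-challenge", [
            Execution("basic-auth-challenge", "password", REQUIRED),
            Execution("auth-otp-form", "otp", REQUIRED),
        ]),
        # A browser flow that silently drops OTP; the guard must reject it.
        "browser-no-otp": Flow("browser-no-otp", [
            Execution("auth-username-password-form", "password", REQUIRED),
        ]),
    },
    bindings={"browser": "browser", "direct_grant": "direct grant"},
)

OC_CLIENT = Client("oc", {"direct_grant": "cli-challenge"})
WEAK_CLIENT = Client("weak-console", {"browser": "browser-no-otp"})

if __name__ == "__main__":
    print(resolve_flow(SAMPLE_REALM, OC_CLIENT, "direct_grant").alias)  # cli-challenge
    print(resolve_flow(SAMPLE_REALM, OC_CLIENT, "browser").alias)       # browser
    for problem in check_override(SAMPLE_REALM, WEAK_CLIENT, "browser"):
        print("REJECT:", problem)
```

The 'oc' client's direct-grant override passes the check because the challenge flow still requires a password (and adds OTP), while the weak browser override is rejected because it removes the OTP factor the realm's browser flow requires. Comparing by factor rather than by authenticator id is what lets a non-browser flow with different authenticators still be judged against the realm default.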