I'll add a jira...but there's some things to think about for it. One
of the things on my plate is Client Scope support ala oauth scopes.
Was hoping to retire/replace client templates with client scopes and
not sure if flow overrides fit there if a client is composed of
multiple scopes.
On Wed, Jan 24, 2018 at 6:07 AM, Marek Posolda <mposolda(a)redhat.com> wrote:
Bill, I've added few minor comments to your PR.
Does it makes sense to support authentication flows per clientTemplate too?
Or is it just unnecessary complication? I wonder if it's similar to newly
added themeSelector and thinking if we can have fallback chain like: client
-> clientTemplate -> realm .
Marek
On 22/01/18 19:21, Stian Thorgersen wrote:
>
> On 22 January 2018 at 16:17, Bill Burke <bburke(a)redhat.com> wrote:
>
>> On Mon, Jan 22, 2018 at 2:48 AM, Stian Thorgersen <sthorger(a)redhat.com>
>> wrote:
>>>
>>> I missed the part about code grant flow being used regardless. Of course
>>
>> the
>>>
>>> spec doesn't even mandate the user-agent is a web browser, just says it
>>> typically is.
>>>
>>> I think acr/display (or some other query parameter) vs a different flow
>>> boils down to usability. Basically is it simpler to have one
"dynamic"
>>
>> flow
>>>
>>> or is it simpler to just have separate flows. I think in most cases
>>
>> you're
>>>
>>> right and it will probably be cleaner and simpler to simply have
>>
>> different
>>>
>>> flows.
>>>
>>> Did you think about including this new flow OOTB? Is it OSIN specific or
>>
>> is
>>>
>>> it a generic non-web version of the regular web based flow?
>>>
>> I want to reorganize auth flows a bit so that we can catagorize them
>> and provide a plugin mechanism so the admin console can dynamically
>> show which flows can be configured (browser, direct grant, ecp,
>> etc..). There's a lot to be done here, but probably just putting in
>> enough at the moment to get the OSIN replacement going.
>>
>>> Another thing is the user-agent always controlled by the client? Or
>>
>> could a
>>>
>>> single client have different user-agents.
>>>
>> They don't really have that concept. There's a client config variable
>> "respondWithChallenges". When set, server responds with 401
>> challenges.
>>
> I was also wondering if other (non OSIN) clients would want to use more
> than one flow, but probably not.
>
>
>>
>>
>>
>> --
>> Bill Burke
>> Red Hat
>>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/keycloak-dev