Re: [keycloak-dev] per-client authentication flows

On 22 January 2018 at 16:17, Bill Burke <bburke(a)redhat.com&gt; wrote: > On Mon, Jan 22, 2018 at 2:48 AM, Stian Thorgersen <sthorger(a)redhat.com&gt; > wrote: >> I missed the part about code grant flow being used regardless. Of course > the >> spec doesn't even mandate the user-agent is a web browser, just says it >> typically is. >> >> I think acr/display (or some other query parameter) vs a different flow >> boils down to usability. Basically is it simpler to have one "dynamic" > flow >> or is it simpler to just have separate flows. I think in most cases > you're >> right and it will probably be cleaner and simpler to simply have > different >> flows. >> >> Did you think about including this new flow OOTB? Is it OSIN specific or > is >> it a generic non-web version of the regular web based flow? >> > I want to reorganize auth flows a bit so that we can catagorize them > and provide a plugin mechanism so the admin console can dynamically > show which flows can be configured (browser, direct grant, ecp, > etc..). There's a lot to be done here, but probably just putting in > enough at the moment to get the OSIN replacement going. > >> Another thing is the user-agent always controlled by the client? Or > could a >> single client have different user-agents. >> > They don't really have that concept. There's a client config variable > "respondWithChallenges". When set, server responds with 401 > challenges. > I was also wondering if other (non OSIN) clients would want to use more than one flow, but probably not. > > > > -- > Bill Burke > Red Hat > _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev