On Tue, Mar 28, 2017 at 3:25 PM, Bill Burke <bburke(a)redhat.com> wrote:
> IMO, action tokens should be implemented correctly, as a feature, not as an
> optimization to support cross-DC. This means support for one time use
> policies, etc.
Okay, it seems that support for single use should be implemented as a
service and then used by action tokens.
So this can be implemented as a cache that would be shared across the
cluster / DCs with as little information as possible. Preliminary
implementation exists in [1], I'll plug that into current code.
[1]
https://github.com/keycloak/keycloak/pull/3918
> On 3/28/17 5:56 AM, Hynek Mlnarik wrote:
>>
>>
>>>> * Aren't action tokens supposed to be independent of User sessions
>>>> anyways?
>>>> * How can somebody continue with the login flow with an action token?
>>>> Aren't you still going to have to obtain the user session?
>>
>>
>> Not have to, and yes, I can make use of it to continue in the session in
>> progress.
> I'm saying do you have to/should you verify that the action token originated
> from a specific session in order to continue the session? I don't know,
> just asking. These are all things you have to take into account and figure
> out how to easily hide or provide through the Authentication/Required Action
> SPI too.
I don't think I have to (for instance, expiration of the action token
to reset password can be e.g. 2 days - much longer than that of a
session). But I think that we should support the case when the user is in
the middle of the flow and is asked to verify their e-mail - here we
should continue with the next step in the flow.
--Hynek
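To illustrate the single-use policy discussed in this thread (a shared cache holding as little information as possible, and an action token whose lifetime is independent of the session), here is an added example; it is not Keycloak code and does not reflect the linked pull request. The token format, the HMAC key and the in-memory store are assumptions standing in for a realm key and a cluster-wide cache; the store keeps only the token id, and only until that token's own expiry.

```python
# Added example (not Keycloak code): single-use policy for signed action tokens.
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # constructed; a real deployment uses realm keys

def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_action_token(user_id, action, token_id, ttl, now):
    """Build 'body.signature'; ttl may be far longer than a session (e.g. 2 days)."""
    payload = {"jti": token_id, "sub": user_id, "act": action, "exp": now + ttl}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return body + "." + sig

class SingleUseStore:
    """Stand-in for a cluster/DC-wide cache: stores only token ids, each with a TTL."""
    def __init__(self):
        self._used = {}  # jti -> expiry timestamp of the consumed token

    def mark_used(self, jti, exp, now):
        # Entries past their expiry can be dropped: a replay of that token is
        # rejected by the expiry check before the store is ever consulted.
        self._used = {k: v for k, v in self._used.items() if v > now}
        if jti in self._used:
            return False
        self._used[jti] = exp
        return True

def consume_action_token(token, store, now):
    """Return (ok, reason, payload); ok is True only on the first valid use."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed", None
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return False, "bad-signature", None
    payload = json.loads(_unb64(body))
    if payload["exp"] <= now:
        return False, "expired", None
    # Single-use check runs last, so the cache only ever records ids of tokens
    # that were otherwise valid, and holds each one no longer than its expiry.
    if not store.mark_used(payload["jti"], payload["exp"], now):
        return False, "already-used", None
    return True, "ok", payload
```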