I need some time to look into the use of id_token_hint as I'm not sure I
fully understand it. From what I've read so far I don't think the user
should be authenticated from the id_token_hint so no authenticator should
be required. It's only about checking the current logged-in user and seeing
if it's the same user as the application expects.
On 11 October 2015 at 17:34, Michael Gerber <gerbermichi(a)me.com> wrote:
I’ve created a jira task for that:
https://issues.jboss.org/browse/KEYCLOAK-1949
I already did an implementation proposal of that task, what do you think
of it?
https://github.com/gerbermichi/keycloak/commit/0ef36f0ac446fcf70272f2aed0...
On 09.10.2015, at 07:46, Michael Gerber <gerbermichi(a)me.com> wrote:
As far as I understand it, we just have to create a new authenticator,
check for the id_token_hint; if it is valid, then we set the authenticated
user, otherwise we send attempted.
I can create a PR for that if it is that simple ;)
On 9 October 2015 at 07:41, Stian Thorgersen <sthorger(a)redhat.com> wrote:
It wasn't on our road map, but it looks easy to add
On 9 October 2015 at 07:16, Michael Gerber <gerbermichi(a)me.com> wrote:
> Hi,
> Do you have any plans to include the id_token_hint in the near future?
> id_token_hint
> OPTIONAL. ID Token previously issued by the Authorization Server being
> passed as a hint about the End-User's current or past authenticated session
> with the Client. If the End-User identified by the ID Token is logged in or
> is logged in by the request, then the Authorization Server returns a
> positive response; otherwise, it SHOULD return an error, such as
> login_required. When possible, an id_token_hint SHOULD be present when
> prompt=none is used and an invalid_request error MAY be returned if it is
> not; however, the server SHOULD respond successfully when possible, even if
> it is not present. The Authorization Server need not be listed as an
> audience of the ID Token when it is used as an id_token_hint value.
> If the ID Token received by the RP from the OP is encrypted, to use it as
> an id_token_hint, the Client MUST decrypt the signed ID Token contained
> within the encrypted ID Token. The Client MAY re-encrypt the signed ID
> Token to the Authentication Server using a key that enables the server to
> decrypt the ID Token, and use the re-encrypted ID Token as the
> id_token_hint value.
> Best
> Michael
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev