Hi Marek, would you think that the level of authentication should be stored
in the access token or rather as a separate cookie in the SSO server
context? I think it also requires some thought around triggering the MFA
on the adapter side.
On Mon, Nov 14, 2016 at 6:02 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
Right, we don't have step-up authentication OOTB right now.
In theory, you can implement some support of it by yourself, because we
have the Authentication SPI. So you can do the flow, which will somehow differentiate
the required level of authentication (for example based on some request
parameter) and then choose the authenticators based on the required level
etc. But note that it likely won't be trivial to do this properly.
Marek
On 12/11/16 03:21, Nico Burbigh wrote:
> Hi Keycloak users, we have a requirement to provide step-up authentication.
> Looking at Keycloak server and its adapters, it appears there is no support
> for it out of the box.
>
> Also user group email
> http://lists.jboss.org/pipermail/keycloak-user/2016-April/005707.html
> suggests it will come at some stage later.
>
> Has anyone used keycloak to provide step up authentication?
>
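
The flow logic described in the thread (a request parameter states the required level, and the flow picks authenticators for that level), as an added sketch that is not part of the original messages and is not Keycloak code. The parameter name `required_level`, the level numbers, the authenticator names, and keeping the achieved level in the server-side SSO session are all assumptions.

```python
# Constructed example: authenticator names, level numbers and the
# `required_level` request parameter are assumptions, not Keycloak identifiers.
AUTHENTICATORS = [          # (level granted, authenticator), ascending
    (1, "password"),
    (2, "otp"),
    (3, "hardware-key"),
]
MAX_LEVEL = AUTHENTICATORS[-1][0]


def parse_required_level(params, default=1):
    """Read the required level from untrusted request parameters."""
    raw = params.get("required_level")
    if raw is None:
        return default
    try:
        level = int(raw)
    except (TypeError, ValueError):
        # Unparseable input must not lower the bar: fail closed.
        return MAX_LEVEL
    # Clamp: never below the default, never above what can be offered.
    return max(default, min(level, MAX_LEVEL))


def authenticators_to_run(params, session_level):
    """Return the authenticators still needed to reach the required level.

    session_level is the level already reached in the server-side SSO
    session (0 = not authenticated); it is never read from the request.
    """
    required = parse_required_level(params)
    return [name for level, name in AUTHENTICATORS
            if session_level < level <= required]


def complete(session_level, ran):
    """New session level after the listed authenticators succeeded."""
    reached = [lvl for lvl, name in AUTHENTICATORS if name in ran]
    return max([session_level, *reached])
```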