We don't have support for this at the moment and would like to do it at some point. It would mainly be a matter of adding the authentication time to the token as well as implementing support for prompt=login (see http://openid.net/specs/openid-connect-implicit-1_0.html#rfc.section.2.1.1.1).

You could probably achieve the same with a custom authentication flow and a custom protocol mapper that adds the authentication time to the token.

On 8 April 2016 at 01:35, Richard Lavallee <rllavallee@hotmail.com> wrote:
Does anyone know the answer to this?

I want to set up a Keycloak SSO for, say, five apps: only one of which is required (by U.S. State Law) to become logged out upon ten inactive minutes timeout.
How can I achieve this in Keycloak?

So for example:  user signs in to Keycloak and begins working in APP1 then switches to APP2 and stays there for more than ten minutes.  User re-visits APP1 which has been idle for more than ten minutes.  By law he needs to re-authenticate to APP1 even though he remains already authenticated in Keycloak.  How to force re-authentication for at least APP1?

-Richard




_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
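
An application-side sketch of the approach discussed in this thread, added here as an example (it is not code from Keycloak or from either poster): APP1 tracks its own idle time, sends the user back with prompt=login, and resumes only if the returned token's authentication time is fresh. It assumes the identity provider honors prompt=login and puts an auth_time claim in the ID token; the function names, endpoint and client values are hypothetical.

```python
from urllib.parse import urlencode

IDLE_LIMIT = 600  # ten inactive minutes, the requirement stated for APP1


def needs_reauth(last_activity, now):
    """True when this app's own session has been idle longer than the limit."""
    return now - last_activity > IDLE_LIMIT


def reauth_url(authz_endpoint, client_id, redirect_uri, state, nonce):
    """Build an OIDC authorization request that asks the IdP to re-prompt."""
    query = urlencode({
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "prompt": "login",  # force a fresh login despite the live SSO session
    })
    return f"{authz_endpoint}?{query}"


def reauth_satisfied(claims, requested_at, now, skew=30):
    """Check that the user really authenticated again after the request.

    `claims` are ID token claims whose signature, iss, aud, exp and nonce were
    already verified elsewhere (assumption). A missing, non-integer or stale
    auth_time means the IdP reused the existing SSO session, so the app must
    keep its session locked instead of resuming.
    """
    auth_time = claims.get("auth_time")
    if isinstance(auth_time, bool) or not isinstance(auth_time, int):
        return False
    # Allow a small clock skew; reject timestamps from the future.
    return requested_at - skew <= auth_time <= now + skew
```

Checking auth_time on return matters because an identity provider that ignores prompt=login will silently hand back a token from the existing session.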