Thank you very much, Dmitry.

It seems that there is still no progress on this, so I'll probably have to
implement something myself.
Maybe I should start by defining a custom endpoint where users would be redirected to enter
the OTP, not leveraging the authentication SPI at all, what do you think?

Best regards,
Nikola
-----Original Message-----
From: Dmitry Telegin [mailto:dt@acutus.pro]
Sent: Friday, December 21, 2018 2:30 PM
To: Nikola Malenic <nikola.malenic(a)netsetglobal.rs>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Authorization of action in application (client of KC)
Sorry, forgot the link:
https://www.keycloak.org/docs/latest/server_development/index.html#_actio...
Dmitry
On Fri, 2018-12-21 at 16:19 +0300, Dmitry Telegin wrote:
Hello Nikola,
On Thu, 2018-12-20 at 16:57 +0100, Nikola Malenic wrote:
> I have a use case where I have to authorize an action in my
> application taken by the user. Here is how it should go:
>
> The user is logged in at KC and using my application. Now, my
> application would need to authorize one user action by sending the
> user to KC, where he would enter his OTP, and then, my application
> would get some kind of proof that the user authorized the action (I
> don't know what that should be, yet).
Seems like what you want is "step-up authentication". It's been on the
list since 2014, but AFAIK still no progress up to this moment:
https://issues.jboss.org/browse/KEYCLOAK-847
https://issues.jboss.org/browse/KEYCLOAK-4182
http://lists.jboss.org/pipermail/keycloak-dev/2017-April/009245.html
I'm also adding Thomas Darimont to CC: as probably no one knows this
topic better than he does.
> Do you have any idea how this could be achieved using KC? I guess
> the action SPI would somehow be used.
If you're talking about Action Token SPI [1], I'm afraid this is not
very relevant here. Action tokens are issued by Keycloak and allow
users to perform special actions like password reset. OTOH, your case
is about conditionally executing a part of authentication flow on the
client's request.
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
> Thank you in advance,
>
> Nikola
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/keycloak-user