Hi Thomas, how do I do that? I pressed sign up in the top right corner and filled all that in... Then I did 'log in' but it never seemed to show I had logged in
Matt
Matt Evans
Aconex
________________________________
From: Thomas Darimont <thomas.darimont(a)googlemail.com>
Sent: Friday, July 28, 2017 9:35:31 PM
To: Matt Evans
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] When should auth_time claim be updated?
Hello Matt,
you need to create a JBoss jira account.
Cheers,
Thomas
2017-07-28 8:32 GMT+02:00 Matt Evans <mevans@aconex.com>:
I've been trying to raise a jira ticket. I've gone to
https://issues.jboss.org/browse/KEYCLOAK , signed up, and logged in but I can't create
issues. The Create button isn't visible.
Do I need to do something else?
Thanks
Matt
-----Original Message-----
From: Marek Posolda [mailto:mposolda@redhat.com]
Sent: Thursday, 27 July 2017 8:48 PM
To: Matt Evans <mevans@aconex.com>; keycloak-user@lists.jboss.org
Subject: Re: [keycloak-user] When should auth_time claim be updated?
Looks like a bug. Could you please create JIRA for this?
Thanks,
Marek
On 26/07/17 01:19, Matt Evans wrote:
After looking at the code it seems that this is controlled for each
authentication attempt with the SSO_AUTH note, the CookieAuthenticator sets it as a client
note if cookie authentication succeeds, and the AuthenticationManager checks it and if
it's not true updates the auth_time. I can't see anywhere that clears it. I'm
not sure how long client notes live, but I assume longer than the current authentication
attempt, because once it's set, I can see that it stays true for all my
"prompt=login" authentication attempts after that.
I changed the CookieAuthenticator to clear the flag first and this seems to fix the
problem for me, however, I'm not sure if that's the best approach?
Matt
-----Original Message-----
From: Marek Posolda [mailto:mposolda@redhat.com]
Sent: Saturday, 22 July 2017 12:45 AM
To: Matt Evans <mevans@aconex.com>; keycloak-user <keycloak-user@lists.jboss.org>
Subject: Re: [keycloak-user] When should auth_time claim be updated?
On 21/07/17 07:57, Matt Evans wrote:
> Hi
>
> We are working with keycloak v3.2.0 and are using 'prompt=login' to initiate
> a re-authentication for sensitive actions, and we use the auth_time claim to determine if
> this should occur.
>
> Ordinarily each time we redirect to the auth endpoint with 'prompt=login' the
> auth_time is updated to the time that the authentication occurred.
>
> However, if we then redirect to the auth endpoint and the cookie is valid and used,
> any subsequent time after this authentication that we use the auth endpoint with
> 'prompt=login' the auth_time claim is not updated.
>
> Is this intended behaviour?
Yes. The claim "auth_time" points to the time of the active authentication. And
the re-authentication with SSO cookie is not treated as "active" authentication,
so this won't update auth_time. With "prompt=login" you need to actively
authenticate, so that will update auth_time.
Marek
> Thanks
>
> Matt
> _______________________________________________
> keycloak-user mailing list
> keycloak-user@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
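
Added example (not part of the thread and not Keycloak code): a relying-party check that a `prompt=login` round trip actually produced a new `auth_time`, the condition the thread reports can stop holding after a cookie-based login. The function names, the 300-second window, the 30-second skew and the sample tokens are assumptions constructed for illustration, and the ID token signature is assumed to have been verified already.

```python
import base64
import json


def jwt_claims(id_token: str) -> dict:
    """Decode the payload of a JWT whose signature was ALREADY verified."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def reauth_is_fresh(claims: dict, requested_at: int, now: int,
                    max_age: int = 300, skew: int = 30) -> bool:
    """True only if auth_time shows an authentication that happened after
    the client redirected the user to the auth endpoint with prompt=login."""
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, int) or isinstance(auth_time, bool):
        return False                  # missing or malformed claim: fail closed
    if auth_time > now + skew:
        return False                  # claims to come from the future
    if auth_time < requested_at - skew:
        return False                  # stale: predates our prompt=login redirect
    return now - auth_time <= max_age


def make_token(claims: dict) -> str:
    """Build an unsigned, constructed sample token for the demo below."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


# Constructed sample data (hypothetical values, not taken from the thread).
REQUESTED_AT = 1_500_000_600          # when the client redirected with prompt=login
NOW = REQUESTED_AT + 20               # when the ID token came back
STALE = make_token({"sub": "u1", "auth_time": REQUESTED_AT - 3600})
FRESH = make_token({"sub": "u1", "auth_time": REQUESTED_AT + 15})

if __name__ == "__main__":
    for name, tok in (("stale", STALE), ("fresh", FRESH)):
        print(name, reauth_is_fresh(jwt_claims(tok), REQUESTED_AT, NOW))
```

Gating the sensitive action on this check means an unchanged `auth_time` blocks the action instead of letting it proceed on an old authentication.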