Hello Nikola,
On Thu, 2018-12-20 at 16:57 +0100, Nikola Malenic wrote:
> I have a use case where I have to authorize an action in my application
> taken by the user. Here is how it should go:
> The user is logged in at KC and using my application. Now, my application
> would need to authorize one user action by sending the user to KC, where he
> would enter his OTP, and then, my application would get some kind of proof
> that the user authorized the action (I don't know what that should be, yet).

Seems like what you want is "step-up authentication". It's been on the list
since 2014, but AFAIK there has been no progress so far:
https://issues.jboss.org/browse/KEYCLOAK-847
https://issues.jboss.org/browse/KEYCLOAK-4182
http://lists.jboss.org/pipermail/keycloak-dev/2017-April/009245.html
I'm also adding Thomas Darimont to CC: as probably no one knows this topic better than
he does.

> Do you have any idea how this could be achieved using KC? I guess action SPI
> would somehow be used.

If you're talking about the Action Token SPI [1], I'm afraid this is not very relevant
here. Action tokens are issued by Keycloak and allow users to perform special actions like
password reset. OTOH, your case is about conditionally executing a part of authentication
flow on the client's request.
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro

> Thank you in advance,
> Nikola