4:27 a.m.
Hi,
Based on the Required Actions guide (
https://keycloak.gitbooks.io/documentation/server_admin/topics/users/requ...)
we've implemented a custom required action that acts a lot like Update
Password (it performs a few other sync items for us). One of our needs is
to automatically log the user in to their destination application upon
setting this password. This was working for us in 3.1 by creating a custom
template that was rendered upon the completion of the Update Password
action that forwarded the user to our application and set the necessary
cookies.
This no longer works in 3.2. We believe it has to do with the ability to
reuse required action links. Before, the link was one time use so it was
only working once, however our need is to make those links work unlimited
times until consumed. By setting a new challenge to the user after
updating their password, the token is no longer being marked as consumed
and the link remains working.
So I was wondering, what other ways could we achieve this behavior? It
sounds like a challenge isn't the right approach.
John
5:46 p.m.
Any thoughts?
On Thu, Jul 13, 2017 at 10:27 PM John D. Ament <john.d.ament(a)gmail.com>
wrote:
Hi,
Based on the Required Actions guide (
https://keycloak.gitbooks.io/documentation/server_admin/topics/users/requ...)
we've implemented a custom required action that acts a lot like Update
Password (it performs a few other sync items for us). One of our needs is
to automatically log the user in to their destination application upon
setting this password. This was working for us in 3.1 by creating a custom
template that was rendered upon the completion of the Update Password
action that forwarded the user to our application and set the necessary
cookies.
This no longer works in 3.2. We believe it has to do with the ability to
reuse required action links. Before, the link was one time use so it was
only working once, however our need is to make those links work unlimited
times until consumed. By setting a new challenge to the user after
updating their password, the token is no longer being marked as consumed
and the link remains working.
So I was wondering, what other ways could we achieve this behavior? It
sounds like a challenge isn't the right approach.
John
8:46 a.m.
There was a change in internals of authentication flows due to
cross-dc support. It seems that you need to use action token for
achieving this functionality. Action tokens have option to make them
expire after first successful use. Documentation is not rendered yet
but you can see the current version at [1]. Would something similar to
either [2] or [3] work for your case?
Note that action token API is not yet stabilized and comments to its
usability are more than welcome.
--Hynek
[1]
https://github.com/keycloak/keycloak-documentation/blob/master/server_dev...
[2]
https://github.com/keycloak/keycloak-quickstarts/tree/master/action-token...
[3]
https://github.com/keycloak/keycloak-quickstarts/tree/master/action-token...
On Wed, Jul 19, 2017 at 5:46 PM, John D. Ament <john.d.ament(a)gmail.com> wrote:
Any thoughts?
On Thu, Jul 13, 2017 at 10:27 PM John D. Ament <john.d.ament(a)gmail.com>
wrote:
> Hi,
>
> Based on the Required Actions guide (
>
https://keycloak.gitbooks.io/documentation/server_admin/topics/users/requ...)
> we've implemented a custom required action that acts a lot like Update
> Password (it performs a few other sync items for us). One of our needs is
> to automatically log the user in to their destination application upon
> setting this password. This was working for us in 3.1 by creating a custom
> template that was rendered upon the completion of the Update Password
> action that forwarded the user to our application and set the necessary
> cookies.
>
> This no longer works in 3.2. We believe it has to do with the ability to
> reuse required action links. Before, the link was one time use so it was
> only working once, however our need is to make those links work unlimited
> times until consumed. By setting a new challenge to the user after
> updating their password, the token is no longer being marked as consumed
> and the link remains working.
>
> So I was wondering, what other ways could we achieve this behavior? It
> sounds like a challenge isn't the right approach.
>
> John
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
--Hynek
2471
days inactive
2477
days old
2 comments
2 participants
participants (2)
-
Hynek Mlnarik -
John D. Ament