Don't know what you're talking about John....
A realm isn't SAML or OIDC based. The protocol is the choice of each
individual client application. Keycloak allows a mix of SAML and OIDC
client applications in the same SSO login session. In a brokering
situation a child IDP acts as a client to the parent IDP and must use
one of the protocols that the parent IDP supports.
On 3/6/17 10:09 AM, John D. Ament wrote:
At least for my use case, the max_age is moot. It's not by session, but by
And just to be clear - if I'm sending an OIDC request from my client
to keycloak, and the realm is based on SAML, and that realm is
ForceAuthn enabled, then it would reprompt in the IDP (if that's how
everything's configured)
I'm assuming at that point, I would send a Bearer header and parse on
the backend with a JAX-RS adapter?
On Mon, Mar 6, 2017 at 10:04 AM Stian Thorgersen <sthorger(a)redhat.com> wrote:
As we have prompt=login (I also spotted auth_time in the token) it would be
really easy to add max_age that would actually be more useful than
prompt=login IMO.
On 6 March 2017 at 15:41, Bill Burke <bburke(a)redhat.com> wrote:
> We support prompt=login.
>
>
> On 3/6/17 9:33 AM, Stian Thorgersen wrote:
> > OIDC has prompt=login and max_age params for it. Pretty sure we don't
> > support either at the moment though.
> >
> > On 6 March 2017 at 15:14, John D. Ament <john.d.ament(a)gmail.com> wrote:
> >
> >> On Mon, Mar 6, 2017 at 9:12 AM John Dennis <jdennis(a)redhat.com> wrote:
> >>
> >>> On 03/06/2017 08:47 AM, John D. Ament wrote:
> >>>> Hi,
> >>>>
> >>>> I have a use case where I need to reauthenticate a client, even if their
> >>>> session is active. I can use the Keycloak javascript adapter on the client
> >>>> side, if needed, and was wondering if this is something built in? I was
> >>>> also expecting to leverage either the OIDC or SAML adapter on the server
> >>>> side. Can that work, regardless of server side adapter?
> >>> In SAML you set ForceAuthn=True in the AuthnRequest.
> >>>
> >>>
> >> This is not SAML specific.
> >>
> >>
> >>> --
> >>> John
> >>> _______________________________________________
> >>> keycloak-user mailing list
> >>> keycloak-user(a)lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>
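
Added example, not part of the thread and not Keycloak's own code: the OIDC parameters named above (prompt=login, max_age) go on the authorization request, and the backend that receives the Bearer token should decide on the auth_time claim rather than trust that the parameter was sent. The endpoint URL, client id, redirect URI and function names are constructed placeholders, and token signature, issuer, audience and expiry validation is assumed to have been done already by the adapter or a JWT library.

```javascript
// Added example; all URLs, ids and timestamps below are constructed samples.

// Build an OIDC authorization request that asks the IdP to re-authenticate.
function buildReauthUrl(authEndpoint, { clientId, redirectUri, state, nonce, maxAge }) {
  const url = new URL(authEndpoint);
  const q = url.searchParams;
  q.set("response_type", "code");
  q.set("scope", "openid");
  q.set("client_id", clientId);
  q.set("redirect_uri", redirectUri);
  q.set("state", state);
  q.set("nonce", nonce);
  if (maxAge === undefined) {
    q.set("prompt", "login");          // always show the login screen
  } else {
    q.set("max_age", String(maxAge));  // re-login only if the last login is older
  }
  return url.toString();
}

// Backend check on claims taken from an ALREADY VERIFIED token (assumption).
// Request parameters travel through the browser and can be stripped, so the
// server enforces freshness on auth_time instead of on the request.
function checkFreshAuth(claims, maxAgeSec, nowSec, skewSec = 30) {
  const authTime = claims.auth_time;
  if (!Number.isInteger(authTime)) {
    return { ok: false, reason: "auth_time missing" };
  }
  if (authTime > nowSec + skewSec) {
    return { ok: false, reason: "auth_time in the future" };
  }
  if (nowSec - authTime > maxAgeSec + skewSec) {
    return { ok: false, reason: "authentication too old" };
  }
  return { ok: true, reason: "fresh" };
}

// Constructed sample run.
const now = 1488812940;
console.log(buildReauthUrl("https://idp.example/realms/demo/protocol/openid-connect/auth",
  { clientId: "demo-app", redirectUri: "https://app.example/cb", state: "s1", nonce: "n1" }));
console.log(checkFreshAuth({ sub: "u1", auth_time: now - 20 }, 60, now));
console.log(checkFreshAuth({ sub: "u1", auth_time: now - 3600 }, 60, now));
console.log(checkFreshAuth({ sub: "u1" }, 60, now));
```

When checkFreshAuth returns ok: false, the backend rejects the sensitive operation and the client sends the user through buildReauthUrl again.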