7:47 a.m.
Hi,
I have a use case where I need to reauthenticate a client, even if their
session is active. I can use the Keycloak javascript adapter on the client
side, if needed, and was wondering if this is something built in? I was
also expecting to leverage either the OIDC or SAML adapter on the server
side. Can that work, regardless or server side adapter?
John
8:05 a.m.
On 03/06/2017 08:47 AM, John D. Ament wrote:
Hi,
I have a use case where I need to reauthenticate a client, even if their
session is active. I can use the Keycloak javascript adapter on the client
side, if needed, and was wondering if this is something built in? I was
also expecting to leverage either the OIDC or SAML adapter on the server
side. Can that work, regardless or server side adapter?
In SAML you set ForceAuthn=True in the AuthnRequest.
--
John
8:14 a.m.
On Mon, Mar 6, 2017 at 9:12 AM John Dennis <jdennis(a)redhat.com> wrote:
On 03/06/2017 08:47 AM, John D. Ament wrote:
> Hi,
>
> I have a use case where I need to reauthenticate a client, even if their
> session is active. I can use the Keycloak javascript adapter on the
client
> side, if needed, and was wondering if this is something built in? I was
> also expecting to leverage either the OIDC or SAML adapter on the server
> side. Can that work, regardless or server side adapter?
In SAML you set ForceAuthn=True in the AuthnRequest.
This is not SAML specific.
--
John
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8:33 a.m.
OIDC has prompt=login and max_age params for it. Pretty sure we don't
support either at the moment though.
On 6 March 2017 at 15:14, John D. Ament <john.d.ament(a)gmail.com> wrote:
On Mon, Mar 6, 2017 at 9:12 AM John Dennis <jdennis(a)redhat.com>
wrote:
> On 03/06/2017 08:47 AM, John D. Ament wrote:
> > Hi,
> >
> > I have a use case where I need to reauthenticate a client, even if
their
> > session is active. I can use the Keycloak javascript adapter on the
> client
> > side, if needed, and was wondering if this is something built in? I
was
> > also expecting to leverage either the OIDC or SAML adapter on the
server
> > side. Can that work, regardless or server side adapter?
>
> In SAML you set ForceAuthn=True in the AuthnRequest.
>
>
This is not SAML specific.
>
> --
> John
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8:41 a.m.
We support prompt=login.
On 3/6/17 9:33 AM, Stian Thorgersen wrote:
OIDC has prompt=login and max_age params for it. Pretty sure we
don't
support either at the moment though.
On 6 March 2017 at 15:14, John D. Ament <john.d.ament(a)gmail.com> wrote:
> On Mon, Mar 6, 2017 at 9:12 AM John Dennis <jdennis(a)redhat.com> wrote:
>
>> On 03/06/2017 08:47 AM, John D. Ament wrote:
>>> Hi,
>>>
>>> I have a use case where I need to reauthenticate a client, even if
> their
>>> session is active. I can use the Keycloak javascript adapter on the
>> client
>>> side, if needed, and was wondering if this is something built in? I
> was
>>> also expecting to leverage either the OIDC or SAML adapter on the
> server
>>> side. Can that work, regardless or server side adapter?
>> In SAML you set ForceAuthn=True in the AuthnRequest.
>>
>>
> This is not SAML specific.
>
>
>> --
>> John
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8:55 a.m.
As we have prompt=login (I also spotted auth_time in the token) it would be
really easy to add max_age that would actually be more useful than
prompt=login IMO.
On 6 March 2017 at 15:41, Bill Burke <bburke(a)redhat.com> wrote:
We support prompt=login.
On 3/6/17 9:33 AM, Stian Thorgersen wrote:
> OIDC has prompt=login and max_age params for it. Pretty sure we don't
> support either at the moment though.
>
> On 6 March 2017 at 15:14, John D. Ament <john.d.ament(a)gmail.com> wrote:
>
>> On Mon, Mar 6, 2017 at 9:12 AM John Dennis <jdennis(a)redhat.com> wrote:
>>
>>> On 03/06/2017 08:47 AM, John D. Ament wrote:
>>>> Hi,
>>>>
>>>> I have a use case where I need to reauthenticate a client, even if
>> their
>>>> session is active. I can use the Keycloak javascript adapter on the
>>> client
>>>> side, if needed, and was wondering if this is something built in? I
>> was
>>>> also expecting to leverage either the OIDC or SAML adapter on the
>> server
>>>> side. Can that work, regardless or server side adapter?
>>> In SAML you set ForceAuthn=True in the AuthnRequest.
>>>
>>>
>> This is not SAML specific.
>>
>>
>>> --
>>> John
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
9:09 a.m.
At least for my use case, the max_age is moot. Its not by session, but by
And just to be clear - if I'm sending an OIDC request from my client to
keycloak, and the realm is based on SAML, and that realm is ForceAuthn
enabled, then it would reprompt in the IDP (if that's how everything's
configured)
I'm assuming at that point, I would send a Bearer header and parse on the
backend with a JAX-RS adapter?
On Mon, Mar 6, 2017 at 10:04 AM Stian Thorgersen <sthorger(a)redhat.com>
wrote:
As we have prompt=login (I also spotted auth_time in the token) it
would be
really easy to add max_age that would actually be more useful than
prompt=login IMO.
On 6 March 2017 at 15:41, Bill Burke <bburke(a)redhat.com> wrote:
> We support prompt=login.
>
>
> On 3/6/17 9:33 AM, Stian Thorgersen wrote:
> > OIDC has prompt=login and max_age params for it. Pretty sure we don't
> > support either at the moment though.
> >
> > On 6 March 2017 at 15:14, John D. Ament <john.d.ament(a)gmail.com>
wrote:
> >
> >> On Mon, Mar 6, 2017 at 9:12 AM John Dennis <jdennis(a)redhat.com>
wrote:
> >>
> >>> On 03/06/2017 08:47 AM, John D. Ament wrote:
> >>>> Hi,
> >>>>
> >>>> I have a use case where I need to reauthenticate a client, even if
> >> their
> >>>> session is active. I can use the Keycloak javascript adapter on
the
> >>> client
> >>>> side, if needed, and was wondering if this is something built in?
I
> >> was
> >>>> also expecting to leverage either the OIDC or SAML adapter on the
> >> server
> >>>> side. Can that work, regardless or server side adapter?
> >>> In SAML you set ForceAuthn=True in the AuthnRequest.
> >>>
> >>>
> >> This is not SAML specific.
> >>
> >>
> >>> --
> >>> John
> >>> _______________________________________________
> >>> keycloak-user mailing list
> >>> keycloak-user(a)lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user(a)lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
9:18 a.m.
Don't know what you're talking about John....
A realm isn't SAML or OIDC based. The protocol is the choice of each
individual client application. Keycloak allows a mix of SAML and OIDC
client applications in the same SSO login session. In a brokering
situation a child IDP acts as a client to the parent IDP and must use
one of the protocols that the parent IDP supports.
On 3/6/17 10:09 AM, John D. Ament wrote:
At least for my use case, the max_age is moot. Its not by session,
but by
And just to be clear - if I'm sending an OIDC request from my client
to keycloak, and the realm is based on SAML, and that realm is
ForceAuthn enabled, then it would reprompt in the IDP (if that's how
everything's configured)
I'm assuming at that point, I would send a Bearer header and parse on
the backend with a JAX-RS adapter?
On Mon, Mar 6, 2017 at 10:04 AM Stian Thorgersen <sthorger(a)redhat.com
<mailto:sthorger@redhat.com>> wrote:
As we have prompt=login (I also spotted auth_time in the token) it
would be
really easy to add max_age that would actually be more useful than
prompt=login IMO.
On 6 March 2017 at 15:41, Bill Burke <bburke(a)redhat.com
<mailto:bburke@redhat.com>> wrote:
> We support prompt=login.
>
>
> On 3/6/17 9:33 AM, Stian Thorgersen wrote:
> > OIDC has prompt=login and max_age params for it. Pretty sure
we don't
> > support either at the moment though.
> >
> > On 6 March 2017 at 15:14, John D. Ament
<john.d.ament(a)gmail.com <mailto:john.d.ament@gmail.com>> wrote:
> >
> >> On Mon, Mar 6, 2017 at 9:12 AM John Dennis
<jdennis(a)redhat.com <mailto:jdennis@redhat.com>> wrote:
> >>
> >>> On 03/06/2017 08:47 AM, John D. Ament wrote:
> >>>> Hi,
> >>>>
> >>>> I have a use case where I need to reauthenticate a client,
even if
> >> their
> >>>> session is active. I can use the Keycloak javascript
adapter on the
> >>> client
> >>>> side, if needed, and was wondering if this is something
built in? I
> >> was
> >>>> also expecting to leverage either the OIDC or SAML adapter
on the
> >> server
> >>>> side. Can that work, regardless or server side adapter?
> >>> In SAML you set ForceAuthn=True in the AuthnRequest.
> >>>
> >>>
> >> This is not SAML specific.
> >>
> >>
> >>> --
> >>> John
> >>> _______________________________________________
> >>> keycloak-user mailing list
> >>> keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
9:20 a.m.
Bill,
In my use case, a realm ~~ a tenant, and typically a realm will only have
one identity source. So sorry yeah i just cross the two. But basically,
all the clients will be OIDC based, but there will be SAML based IDPs in
the mix.
John
On Mon, Mar 6, 2017 at 10:18 AM Bill Burke <bburke(a)redhat.com> wrote:
Don't know what you're talking about John....
A realm isn't SAML or OIDC based. The protocol is the choice of each
individual client application. Keycloak allows a mix of SAML and OIDC
client applications in the same SSO login session. In a brokering
situation a child IDP acts as a client to the parent IDP and must use one
of the protocols that the parent IDP supports.
On 3/6/17 10:09 AM, John D. Ament wrote:
At least for my use case, the max_age is moot. Its not by session, but
by
And just to be clear - if I'm sending an OIDC request from my client to
keycloak, and the realm is based on SAML, and that realm is ForceAuthn
enabled, then it would reprompt in the IDP (if that's how everything's
configured)
I'm assuming at that point, I would send a Bearer header and parse on the
backend with a JAX-RS adapter?
On Mon, Mar 6, 2017 at 10:04 AM Stian Thorgersen <sthorger(a)redhat.com>
wrote:
As we have prompt=login (I also spotted auth_time in the token) it would be
really easy to add max_age that would actually be more useful than
prompt=login IMO.
On 6 March 2017 at 15:41, Bill Burke <bburke(a)redhat.com> wrote:
> We support prompt=login.
>
>
> On 3/6/17 9:33 AM, Stian Thorgersen wrote:
> > OIDC has prompt=login and max_age params for it. Pretty sure we don't
> > support either at the moment though.
> >
> > On 6 March 2017 at 15:14, John D. Ament <john.d.ament(a)gmail.com>
wrote:
> >
> >> On Mon, Mar 6, 2017 at 9:12 AM John Dennis <jdennis(a)redhat.com>
wrote:
> >>
> >>> On 03/06/2017 08:47 AM, John D. Ament wrote:
> >>>> Hi,
> >>>>
> >>>> I have a use case where I need to reauthenticate a client, even if
> >> their
> >>>> session is active. I can use the Keycloak javascript adapter on
the
> >>> client
> >>>> side, if needed, and was wondering if this is something built in?
I
> >> was
> >>>> also expecting to leverage either the OIDC or SAML adapter on the
> >> server
> >>>> side. Can that work, regardless or server side adapter?
> >>> In SAML you set ForceAuthn=True in the AuthnRequest.
> >>>
> >>>
> >> This is not SAML specific.
> >>
> >>
> >>> --
> >>> John
> >>> _______________________________________________
> >>> keycloak-user mailing list
> >>> keycloak-user(a)lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user(a)lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
9:11 a.m.
prompt=login is just as useful. It allows applications to require
re-authentication in order to perform a specific action in the app.
On 3/6/17 9:55 AM, Stian Thorgersen wrote:
As we have prompt=login (I also spotted auth_time in the token) it
would be really easy to add max_age that would actually be more useful
than prompt=login IMO.
On 6 March 2017 at 15:41, Bill Burke <bburke(a)redhat.com
<mailto:bburke@redhat.com>> wrote:
We support prompt=login.
On 3/6/17 9:33 AM, Stian Thorgersen wrote:
> OIDC has prompt=login and max_age params for it. Pretty sure we
don't
> support either at the moment though.
>
> On 6 March 2017 at 15:14, John D. Ament <john.d.ament(a)gmail.com
<mailto:john.d.ament@gmail.com>> wrote:
>
>> On Mon, Mar 6, 2017 at 9:12 AM John Dennis <jdennis(a)redhat.com
<mailto:jdennis@redhat.com>> wrote:
>>
>>> On 03/06/2017 08:47 AM, John D. Ament wrote:
>>>> Hi,
>>>>
>>>> I have a use case where I need to reauthenticate a client,
even if
>> their
>>>> session is active. I can use the Keycloak javascript adapter
on the
>>> client
>>>> side, if needed, and was wondering if this is something built
in? I
>> was
>>>> also expecting to leverage either the OIDC or SAML adapter on the
>> server
>>>> side. Can that work, regardless or server side adapter?
>>> In SAML you set ForceAuthn=True in the AuthnRequest.
>>>
>>>
>> This is not SAML specific.
>>
>>
>>> --
>>> John
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
<https://lists.jboss.org/mailman/listinfo/keycloak-user>
>>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
<https://lists.jboss.org/mailman/listinfo/keycloak-user>
>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
<https://lists.jboss.org/mailman/listinfo/keycloak-user>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
<https://lists.jboss.org/mailman/listinfo/keycloak-user>
2:13 a.m.
True, I was focusing just on require re-auth every X min. I reckon we
should add max_age and use it for the admin console with a
sensible/configurable timeout.
On 6 March 2017 at 16:11, Bill Burke <bburke(a)redhat.com> wrote:
prompt=login is just as useful. It allows applications to require
re-authentication in order to perform a specific action in the app.
On 3/6/17 9:55 AM, Stian Thorgersen wrote:
As we have prompt=login (I also spotted auth_time in the token) it would
be really easy to add max_age that would actually be more useful than
prompt=login IMO.
On 6 March 2017 at 15:41, Bill Burke <bburke(a)redhat.com> wrote:
> We support prompt=login.
>
>
> On 3/6/17 9:33 AM, Stian Thorgersen wrote:
> > OIDC has prompt=login and max_age params for it. Pretty sure we don't
> > support either at the moment though.
> >
> > On 6 March 2017 at 15:14, John D. Ament <john.d.ament(a)gmail.com> wrote:
> >
> >> On Mon, Mar 6, 2017 at 9:12 AM John Dennis <jdennis(a)redhat.com>
wrote:
> >>
> >>> On 03/06/2017 08:47 AM, John D. Ament wrote:
> >>>> Hi,
> >>>>
> >>>> I have a use case where I need to reauthenticate a client, even if
> >> their
> >>>> session is active. I can use the Keycloak javascript adapter on
the
> >>> client
> >>>> side, if needed, and was wondering if this is something built in?
I
> >> was
> >>>> also expecting to leverage either the OIDC or SAML adapter on the
> >> server
> >>>> side. Can that work, regardless or server side adapter?
> >>> In SAML you set ForceAuthn=True in the AuthnRequest.
> >>>
> >>>
> >> This is not SAML specific.
> >>
> >>
> >>> --
> >>> John
> >>> _______________________________________________
> >>> keycloak-user mailing list
> >>> keycloak-user(a)lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user(a)lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
10:12 a.m.
+1
We already have support for max_age on the server including some support
in keycloak.js . That was recommended for OIDC certification. Seems that
the only missing part will be the support in the admin console itself.
Marek
On 07/03/17 09:13, Stian Thorgersen wrote:
True, I was focusing just on require re-auth every X min. I reckon
we
should add max_age and use it for the admin console with a
sensible/configurable timeout.
On 6 March 2017 at 16:11, Bill Burke <bburke(a)redhat.com> wrote:
> prompt=login is just as useful. It allows applications to require
> re-authentication in order to perform a specific action in the app.
>
> On 3/6/17 9:55 AM, Stian Thorgersen wrote:
>
> As we have prompt=login (I also spotted auth_time in the token) it would
> be really easy to add max_age that would actually be more useful than
> prompt=login IMO.
>
> On 6 March 2017 at 15:41, Bill Burke <bburke(a)redhat.com> wrote:
>
>> We support prompt=login.
>>
>>
>> On 3/6/17 9:33 AM, Stian Thorgersen wrote:
>>> OIDC has prompt=login and max_age params for it. Pretty sure we don't
>>> support either at the moment though.
>>>
>>> On 6 March 2017 at 15:14, John D. Ament <john.d.ament(a)gmail.com>
wrote:
>>>
>>>> On Mon, Mar 6, 2017 at 9:12 AM John Dennis <jdennis(a)redhat.com>
wrote:
>>>>
>>>>> On 03/06/2017 08:47 AM, John D. Ament wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I have a use case where I need to reauthenticate a client, even
if
>>>> their
>>>>>> session is active. I can use the Keycloak javascript adapter on
the
>>>>> client
>>>>>> side, if needed, and was wondering if this is something built in?
I
>>>> was
>>>>>> also expecting to leverage either the OIDC or SAML adapter on
the
>>>> server
>>>>>> side. Can that work, regardless or server side adapter?
>>>>> In SAML you set ForceAuthn=True in the AuthnRequest.
>>>>>
>>>>>
>>>> This is not SAML specific.
>>>>
>>>>
>>>>> --
>>>>> John
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user(a)lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
6:54 a.m.
So one question though - and its my lack of familiarity with Keycloak. If
I'm using the javascript adapter, do I have to use the OIDC connector on
the server side? Or would I have two clients (one backend and one frontend)?
I still have the need to support IDP initiated, and can spin up a backend
to handle that without an issue, but this forcing re-authentication is
basically client side, and always represents an SP initiated action
(regardless of SAML or OIDC).
John
On Tue, Mar 7, 2017 at 11:33 AM Marek Posolda <mposolda(a)redhat.com> wrote:
+1
We already have support for max_age on the server including some support
in keycloak.js . That was recommended for OIDC certification. Seems that
the only missing part will be the support in the admin console itself.
Marek
On 07/03/17 09:13, Stian Thorgersen wrote:
> True, I was focusing just on require re-auth every X min. I reckon we
> should add max_age and use it for the admin console with a
> sensible/configurable timeout.
>
> On 6 March 2017 at 16:11, Bill Burke <bburke(a)redhat.com> wrote:
>
>> prompt=login is just as useful. It allows applications to require
>> re-authentication in order to perform a specific action in the app.
>>
>> On 3/6/17 9:55 AM, Stian Thorgersen wrote:
>>
>> As we have prompt=login (I also spotted auth_time in the token) it would
>> be really easy to add max_age that would actually be more useful than
>> prompt=login IMO.
>>
>> On 6 March 2017 at 15:41, Bill Burke <bburke(a)redhat.com> wrote:
>>
>>> We support prompt=login.
>>>
>>>
>>> On 3/6/17 9:33 AM, Stian Thorgersen wrote:
>>>> OIDC has prompt=login and max_age params for it. Pretty sure we
don't
>>>> support either at the moment though.
>>>>
>>>> On 6 March 2017 at 15:14, John D. Ament <john.d.ament(a)gmail.com>
wrote:
>>>>
>>>>> On Mon, Mar 6, 2017 at 9:12 AM John Dennis
<jdennis(a)redhat.com>
wrote:
>>>>>
>>>>>> On 03/06/2017 08:47 AM, John D. Ament wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have a use case where I need to reauthenticate a client,
even if
>>>>> their
>>>>>>> session is active. I can use the Keycloak javascript
adapter on
the
>>>>>> client
>>>>>>> side, if needed, and was wondering if this is something
built in?
I
>>>>> was
>>>>>>> also expecting to leverage either the OIDC or SAML adapter
on the
>>>>> server
>>>>>>> side. Can that work, regardless or server side adapter?
>>>>>> In SAML you set ForceAuthn=True in the AuthnRequest.
>>>>>>
>>>>>>
>>>>> This is not SAML specific.
>>>>>
>>>>>
>>>>>> --
>>>>>> John
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user(a)lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user(a)lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2652
days inactive
2654
days old
12 comments
5 participants
participants (5)
-
Bill Burke -
John D. Ament -
John Dennis -
Marek Posolda -
Stian Thorgersen