[keycloak-dev] [KEYCLOAK-996] - Allow application to select provider

Stian Thorgersen stian at redhat.com
Mon Jan 26 02:18:14 EST 2015


Can you elaborate a bit more on the idea? At first glance to me it seems like we'd use one field for two quite different purposes. Level of assurance is abstract (level 0, 1, 2), while authentication mechanism is more concrete (idp-a, password, totp). I think an application might want to request level-1, but not care about the mechanism used, while another application would want to select idp-a, but not care about the level of assurance.

----- Original Message -----
> From: "Pedro Igor Silva" <psilva at redhat.com>
> To: "keycloak dev" <keycloak-dev at lists.jboss.org>
> Sent: Friday, January 23, 2015 8:23:19 PM
> Subject: [keycloak-dev] [KEYCLOAK-996] - Allow application to select provider
> 
> Hi,
> 
>     KEYCLOAK-996 is about allowing clients to select an existing identity
>     provider when sending an authentication request to the server.
>     Initially, this is all about passing the IdP id and automatically
>     redirecting the user to its login page, without even showing KC's login page.
> 
>     IMO instead of using an "idp_hint", like proposed in that JIRA, we may
>     start using the "acr_values" parameter as defined by OIDC specs. I think
>     this parameter better fits the purpose and will allow us to support LoAs
>     in the future as well.
> 
>     The acr value in this case would be something like "idp-X", where X is
>     the id of the identity provider.
> 
>     What do you think?
> 
> Regards.
> Pedro Igor
> 
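Added example, not part of the thread and not Keycloak code: a sketch of how a server could read the proposed "idp-X" convention out of acr_values while keeping provider selection and level of assurance as separate results, which is the distinction raised in the reply above. The function name, the sample URL and the configured provider ids are assumptions made for illustration; checking the id against the configured providers is an added design choice, not something the thread specifies.

```python
from urllib.parse import urlsplit, parse_qs

IDP_PREFIX = "idp-"  # prefix proposed in the thread ("idp-X")

# Constructed realm configuration (hypothetical provider ids).
CONFIGURED_IDPS = {"a", "corp-saml"}

# Constructed authorization request (hypothetical host and client).
SAMPLE_REQUEST = (
    "https://sso.example.test/auth?response_type=code"
    "&client_id=app&acr_values=idp-a%20level-1"
)


def split_acr_values(auth_request_url, configured_idps=CONFIGURED_IDPS):
    """Separate a provider selector from other acr values.

    Returns (idp_id or None, [remaining acr values in preference order]).
    A provider id is honoured only if it is configured, so the
    client-supplied parameter cannot pick an arbitrary redirect target.
    """
    query = parse_qs(urlsplit(auth_request_url).query)
    # OIDC Core: acr_values is space-separated, in order of preference.
    raw = query.get("acr_values", [""])[0]
    idp, levels = None, []
    for value in raw.split():
        if value.startswith(IDP_PREFIX):
            candidate = value[len(IDP_PREFIX):]
            # First configured provider wins; unknown ids are ignored.
            if idp is None and candidate in configured_idps:
                idp = candidate
        else:
            levels.append(value)
    return idp, levels


if __name__ == "__main__":
    print(split_acr_values(SAMPLE_REQUEST))
```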