[keycloak-dev] Thinking about step-up authentication and token timeouts
Bill Burke
bburke at redhat.com
Fri Apr 29 10:19:28 EDT 2016
Sounds great. I hope we don't have to implement this for SAML too ;)
On 4/29/2016 12:02 AM, Stian Thorgersen wrote:
> Clients should be able to obtain tokens with reduced scope and longer
> or shorter expiration, then later request new tokens with increased
> scope and different expiration. They should also be able to require
> different levels of authentication and also require re-authentication.
>
> An application may for example:
>
> * At first only need the user's email - this would allow showing the name +
> email. In this situation a long expiration access token in combination
> with implicit flow would do. It's also not necessary to
> re-authenticate the user and a user that has been logged in for months
> or even a year is fine.
>
> * When a user clicks on orders it would require the password and
> extend scope to be able to view orders. Now you'll want to switch to
> short expiration access tokens and authorization code grant. You'll
> also want to make sure the user logged-in fairly recently, max 30 days
> could be sensible.
>
> * When a user tries to purchase something the user now has to provide
> the OTP to be able to purchase with saved credit card details. You'll
> also want to make sure the user logged-in very recently, max a day
> could be required. There may also be cases where you always want the
> user to re-authenticate, for example when trying to purchase something
> over a certain price level.
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
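As an added example (not code from this thread or from Keycloak itself), a relying-party-side check that maps the three tiers in the quoted message to the OpenID Connect request parameters a client would send to step up: `scope`, `acr_values`, `max_age` and `prompt=login`. The scope names, the numeric ACR levels and the price threshold are constructed assumptions, and the token is assumed to have been signature-checked already.

```python
import time

DAY = 86400

# Constructed policy table mirroring the three tiers in the quoted message.
# Scope names, ACR levels and the price threshold are assumptions, not Keycloak
# defaults: acr 0 = SSO cookie only, 1 = password entered, 2 = password + OTP.
POLICIES = {
    "profile":  {"scope": "email",    "acr": 0, "max_auth_age": None},
    "orders":   {"scope": "orders",   "acr": 1, "max_auth_age": 30 * DAY},
    "purchase": {"scope": "purchase", "acr": 2, "max_auth_age": 1 * DAY},
}
ALWAYS_REAUTH_ABOVE = 500  # purchases above this price always force a fresh login


def required_step_up(claims, operation, now=None, price=0):
    """Compare decoded (already signature-verified) token claims with the policy
    for `operation`. Returns the OIDC authorization-request parameters the client
    must add to get a sufficient token; an empty dict means the token is enough."""
    policy = POLICIES[operation]
    now = time.time() if now is None else now
    req = {}
    # Expired access token: a new token is needed whatever the policy says.
    if claims.get("exp", 0) <= now:
        req["token_expired"] = True
    # Scope tier: "email" vs "orders" vs "purchase".
    if policy["scope"] not in claims.get("scope", "").split():
        req["scope"] = policy["scope"]
    # Authentication strength: numeric acr level carried in the token (assumption).
    if int(claims.get("acr", "0")) < policy["acr"]:
        req["acr_values"] = str(policy["acr"])
    # Recency of the login, taken from the auth_time claim.
    max_age = policy["max_auth_age"]
    if max_age is not None and now - claims.get("auth_time", 0) > max_age:
        req["max_age"] = max_age
    # Unconditional re-authentication for high-value purchases.
    if operation == "purchase" and price > ALWAYS_REAUTH_ABOVE:
        req["prompt"] = "login"
    return req


if __name__ == "__main__":
    # Constructed claims: long-lived implicit-flow token, user logged in 200 days ago.
    old = {"scope": "openid email", "acr": "0", "auth_time": 0, "exp": 365 * DAY}
    print(required_step_up(old, "profile", now=200 * DAY))  # {}
    print(required_step_up(old, "orders", now=200 * DAY))   # scope, acr_values, max_age
```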