[keycloak-dev] make sending a request object mandatory for certain clients

Aron Bustya aron.bustya.js at gmail.com
Fri Dec 1 22:44:38 EST 2017


Hi!

I have a use case where the server must accept authorization requests only
when they contain a signed request object (should be configurable per
client).

I have found a way to make the signing of the request object mandatory by
specifying a 'request.object.signature.alg' attribute on the client, but
this only applies if a request object exists in the first place.

I would like to propose a pull request: It defines a new client attribute
'request.object.required'. If this is set to 'true', the client must send a
request object when initiating an authorization request.

Current code can be checked here:
https://github.com/abustya/keycloak/commit/476912906a3ad0d290220a1f54abee073dba687a

What do you think?

Regards,
Áron Bustya
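
Added example, not part of the original message and not the code from the linked commit: a sketch of the per-client check the mail describes, showing that 'request.object.signature.alg' alone accepts a request with no request object while 'request.object.required' closes that gap. The class and method names, the exact-match comparison of the algorithm, and the sample values are assumptions; signature verification against the client's keys would follow and is not shown.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class RequestObjectPolicy {
    // Simplification: a regex instead of a JSON parser, to stay dependency-free.
    private static final Pattern ALG = Pattern.compile("\"alg\"\\s*:\\s*\"([^\"]*)\"");

    /** requestObject: compact JWS taken from "request" or fetched via "request_uri",
     *  or null if the client sent neither. Returns null to continue, else the reason. */
    static String check(Map<String, String> attrs, String requestObject) {
        if (requestObject == null) {
            // The gap from the mail: the algorithm attribute never fires on this path.
            return Boolean.parseBoolean(attrs.get("request.object.required"))
                    ? "request object required for this client" : null;
        }
        String requiredAlg = attrs.get("request.object.signature.alg");
        if (requiredAlg == null) return null; // no algorithm pinned for this client
        String alg = null;
        try {
            // First dot-separated segment of a compact JWS is the base64url header.
            String segment = requestObject.split("\\.", -1)[0];
            byte[] header = Base64.getUrlDecoder().decode(segment);
            Matcher m = ALG.matcher(new String(header, StandardCharsets.UTF_8));
            if (m.find()) alg = m.group(1);
        } catch (IllegalArgumentException e) {
            return "malformed request object";
        }
        return requiredAlg.equals(alg) ? null : "request object must use " + requiredAlg;
    }

    // Constructed sample: real header, empty payload, placeholder signature bytes.
    static String jws(String alg) {
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        String header = "{\"alg\":\"" + alg + "\"}";
        return b64.encodeToString(header.getBytes(StandardCharsets.UTF_8)) + ".e30.c2ln";
    }

    public static void main(String[] args) {
        Map<String, String> algOnly = Map.of("request.object.signature.alg", "RS256");
        Map<String, String> both = Map.of("request.object.signature.alg", "RS256",
                                          "request.object.required", "true");
        System.out.println(check(algOnly, null));      // no object, algorithm attribute only
        System.out.println(check(both, null));         // no object, object required
        System.out.println(check(both, jws("none")));  // object with "alg":"none"
        System.out.println(check(both, jws("RS256"))); // object with the pinned algorithm
    }
}
```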

