[keycloak-dev] make sending a request object mandatory for certain clients
Aron Bustya
aron.bustya.js at gmail.com
Fri Dec 1 22:44:38 EST 2017
Hi!
I have a use case where the server must accept authorization requests only
when they contain a signed request object (should be configurable per
client).
I have found a way to make the signing of the request object mandatory by
specifying a 'request.object.signature.alg' attribute on the client, but
this only applies if a request object exists in the first place.
I would like to propose a pull request: It defines a new client attribute
'request.object.required'. If this is set to 'true', the client must send a
request object when initiating an authorization request.
Current code can be checked here:
https://github.com/abustya/keycloak/commit/476912906a3ad0d290220a1f54abee073dba687a
What do you think?
Regards,
Áron Bustya
More information about the keycloak-dev
mailing list