[keycloak-dev] Action tokens

Bill Burke bburke at redhat.com
Tue Mar 28 09:25:32 EDT 2017

IMO, action tokens should be implemented correctly, as a feature, not as 
an optimization to support cross-DC.  This means support for one time 
use policies, etc.

On 3/28/17 5:56 AM, Hynek Mlnarik wrote:
>>> * Aren't action tokens supposed to be independent of User sessions 
>>> anyways?
>>> * How can somebody continue with the login flow with an action token?
>>> Aren't you still going to have to obtain the user session?
> Not have to, and yes, I can make use of it to continue in the session 
> in progress.

I'm saying do you have to/should you verify that the action token 
originated from a specific session in order to continue the session?  I 
don't know, just asking.  These are all things you have to take into 
account and figure out how to easily hide or provide through the 
Authentication/Required Action SPI too.


More information about the keycloak-dev mailing list