[keycloak-dev] Action tokens
Bill Burke
bburke at redhat.com
Tue Mar 28 09:25:32 EDT 2017
IMO, action tokens should be implemented correctly, as a feature, not as
an optimization to support cross-DC. This means support for one time
use policies, etc.
On 3/28/17 5:56 AM, Hynek Mlnarik wrote:
>
>>> * Aren't action tokens supposed to be independent of User sessions
>>> anyways?
>>> * How can somebody continue with the login flow with an action token?
>>> Aren't you still going to have to obtain the user session?
>
> Not have to, and yes, I can make use of it to continue in the session
> in progress.
I'm saying do you have to/should you verify that the action token
originated from a specific session in order to continue the session? I
don't know, just asking. These are all things you have to take into
account and figure out how to easily hide or provide through the
Authentication/Required Action SPI too.
Bill
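The one-time-use policy and the "did this token come from this session" check raised in this thread, as an added Python example that is not Keycloak's own code: a minimal HMAC-signed action token carrying an optional session id, and a verifier that checks signature, action type, expiry, session binding, and consumes each token id exactly once. The key, claim names (`asid`, `jti`, `typ`) and sample ids are assumptions for the demo.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-key"  # assumption: server-side signing key, never sent to clients

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_action_token(user_id, action, ttl, session_id=None, now=None):
    """Build payload.signature; 'asid' binds the token to the session that started the flow."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "typ": action, "exp": now + ttl, "jti": secrets.token_hex(8)}
    if session_id is not None:
        claims["asid"] = session_id
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"

class ActionTokenVerifier:
    """One-time use: remember consumed 'jti' values until their token would expire anyway."""

    def __init__(self):
        self._consumed = {}  # jti -> exp

    def verify(self, token, expected_action, session_id=None, now=None):
        now = time.time() if now is None else now
        try:
            payload, sig = token.split(".")
        except ValueError:
            return None, "malformed"
        expected = _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            return None, "bad signature"
        claims = json.loads(_unb64(payload))
        if claims["typ"] != expected_action:
            return None, "wrong action"
        if now >= claims["exp"]:
            return None, "expired"
        # A token issued without 'asid' is session-independent; one with it must match.
        if "asid" in claims and claims["asid"] != session_id:
            return None, "session mismatch"
        self._consumed = {j: e for j, e in self._consumed.items() if e > now}
        if claims["jti"] in self._consumed:
            return None, "already used"
        self._consumed[claims["jti"]] = claims["exp"]
        return claims, "ok"
```

In a clustered or cross-DC deployment the consumed-jti set has to live in shared storage, which is exactly why one-time use cannot be bolted on afterwards.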