[keycloak-dev] Action tokens

Hynek Mlnarik hmlnarik at redhat.com
Tue Mar 28 09:46:27 EDT 2017

On Tue, Mar 28, 2017 at 3:25 PM, Bill Burke <bburke at redhat.com> wrote:
> IMO, action tokens should be implemented correctly, as a feature, not as an
> optimization to support cross-DC.  This means support for one time use
> policies, etc.

Okay, it seems that support for single use should be implemented as a
service and then used by action tokens.

So this can be implemented as a cache that would be shared across the
cluster / DCs with as little information as possible. Preliminary
implementation exists in [1], I'll plug that into current code.

[1] https://github.com/keycloak/keycloak/pull/3918

> On 3/28/17 5:56 AM, Hynek Mlnarik wrote:
>>>> * Aren't action tokens supposed to be independent of User sessions
>>>> anyways?
>>>> * How can somebody continue with the login flow with an action token?
>>>> Aren't you still going to have to obtain the user session?
>> Not have to, and yes, I can make use of it to continue in the session in
>> progress.
> I'm saying do you have to/should you verify that the action token originated
> from a specific session in order to continue the session?  I don't know,
> just asking.  These are all things you have to take into account and figure
> out how to easily hide or provide through the Authentication/Required Action
> SPI too.

I don't think I have to (for instance expiration of the action token
to reset password can be e.g. 2 days - much longer than that of a
session). But I think that we should support case when the user is in
the middle of the flow and is asked to verify their e-mail - here we
should continue with the next step in the flow.


More information about the keycloak-dev mailing list