[keycloak-dev] Action tokens

Hynek Mlnarik hmlnarik at redhat.com
Tue Mar 28 09:46:27 EDT 2017


On Tue, Mar 28, 2017 at 3:25 PM, Bill Burke <bburke at redhat.com> wrote:
> IMO, action tokens should be implemented correctly, as a feature, not as an
> optimization to support cross-DC.  This means support for one time use
> policies, etc.

Okay, it seems that support for single use should be implemented as a
service and then used by action tokens.

So this can be implemented as a cache that would be shared across the
cluster / DCs with as little information as possible. Preliminary
implementation exists in [1], I'll plug that into current code.

[1] https://github.com/keycloak/keycloak/pull/3918

> On 3/28/17 5:56 AM, Hynek Mlnarik wrote:
>>>> * Aren't action tokens supposed to be independent of User sessions
>>>> anyways?
>>>> * How can somebody continue with the login flow with an action token?
>>>> Aren't you still going to have to obtain the user session?
>>
>> Not have to, and yes, I can make use of it to continue in the session in
>> progress.
>
> I'm saying do you have to/should you verify that the action token originated
> from a specific session in order to continue the session?  I don't know,
> just asking.  These are all things you have to take into account and figure
> out how to easily hide or provide through the Authentication/Required Action
> SPI too.

I don't think I have to (for instance, the expiration of the action token
to reset a password can be e.g. 2 days - much longer than that of a
session). But I think that we should support the case when the user is in
the middle of the flow and is asked to verify their e-mail - here we
should continue with the next step in the flow.

--Hynek
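The design sketched in this message (a signed, session-independent action token with its own expiration, plus a separate single-use service that stores as little as possible) is illustrated below as an added example. It is not Keycloak code and not the code in the referenced pull request; the HMAC-signed `body.signature` token format, the `SingleUseStore` class, the `jti`/`exp` field names and the demo key are all assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed demo key; a real deployment would use the realm's signing key.
SECRET = b"constructed-demo-key"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_action_token(user_id: str, action: str, lifetime_s: int, now: int,
                       key: bytes = SECRET) -> str:
    """Mint an action token that is independent of any user session.

    'exp' is the token's own lifetime (e.g. 2 days for a password reset),
    'jti' is a random id that the single-use service keys on.
    """
    payload = {
        "sub": user_id,
        "act": action,
        "exp": now + lifetime_s,
        "jti": _b64(os.urandom(16)),
    }
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


class SingleUseStore:
    """Stand-in for a cache shared across the cluster / DCs.

    It keeps only token id -> expiry, so the replicated state is minimal
    and entries can be dropped as soon as the token itself can no longer
    be valid.
    """

    def __init__(self) -> None:
        self._used: dict[str, int] = {}

    def consume(self, jti: str, exp: int, now: int) -> bool:
        """Return True on first use of jti, False on every later attempt."""
        self._prune(now)
        if jti in self._used:
            return False
        self._used[jti] = exp
        return True

    def _prune(self, now: int) -> None:
        # Once a token is expired it is rejected before the store is asked,
        # so its id no longer needs to be remembered.
        for jti in [j for j, exp in self._used.items() if exp <= now]:
            del self._used[jti]

    def size(self) -> int:
        return len(self._used)


def verify_and_consume(token: str, store: SingleUseStore, now: int,
                       key: bytes = SECRET):
    """Check signature, then expiry, then single use; returns (payload, status)."""
    try:
        body, sig = token.split(".")
        given_sig = _unb64(sig)
    except ValueError:  # also covers binascii.Error from bad base64
        return None, "malformed"
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(given_sig, expected):
        return None, "bad-signature"
    payload = json.loads(_unb64(body))
    if payload["exp"] <= now:
        return None, "expired"
    if not store.consume(payload["jti"], payload["exp"], now):
        return None, "already-used"
    return payload, "ok"


if __name__ == "__main__":
    store = SingleUseStore()
    t0 = 1_000_000
    tok = issue_action_token("user-1", "reset-password", 2 * 24 * 3600, t0)
    print(verify_and_consume(tok, store, t0 + 3600)[1])   # ok
    print(verify_and_consume(tok, store, t0 + 3600)[1])   # already-used
```

The ordering matters: the signature and expiry checks are stateless and reject most bad input without touching the shared cache, so the cluster-wide state only ever holds ids of tokens that were actually valid when first presented, and each entry lives no longer than the token it belongs to.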

