[keycloak-dev] OAuth2 Incremental Authorization
Bill Burke
bburke at redhat.com
Wed Apr 25 09:05:22 EDT 2018
I'll ping the OAuth WG, but, its kind of redundant with token
exchange. Unless client requires consent, not sure why this option
would be used. Interesting that they require refresh token as a
credential for public clients though.
On Wed, Apr 25, 2018 at 7:50 AM, Pedro Igor Silva <psilva at redhat.com> wrote:
> Yeah, I agree it should be the same authentication session. And that spec
> can be a good reference to make sure we are doing it correctly or at least
> based on other experiences around this requirement.
>
> >From what I have seen in oauth2 mailing list, people there are willing to
> make it a standard.
>
> On Wed, Apr 25, 2018 at 4:13 AM, Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
>> Haven't read that spec yet. With Marek's work it should be possible for a
>> client to request additional scopes by redirecting to login screen again,
>> but there's probably more to it than that. One thing that at least comes to
>> mind is that it should be the same authentication session.
>>
>> On 24 April 2018 at 14:41, Pedro Igor Silva <psilva at redhat.com> wrote:
>>
>>> Hi,
>>>
>>> I think this is related with what we discussed in our last meeting
>>> regarding scopes.
>>>
>>> See https://datatracker.ietf.org/doc/draft-wdenniss-oauth-increm
>>> ental-auth/.
>>>
>>> We have that in AuthZ Services, but this should be pure OAuth2.
>>>
>>> Regards.
>>> Pedro Igor
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>
>>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Bill Burke
Red Hat
More information about the keycloak-dev
mailing list