[keycloak-dev] OAuth2 Incremental Authorization

Pedro Igor Silva psilva at redhat.com
Wed Apr 25 11:24:14 EDT 2018


Yeah, I believe so but we could also think about something slightly more
complete/complex ... Like Youseff mentioned, the concept of security levels
could also be an option for something richer and more flexible. For
instance, we could have some way to allow users to:

* Create a security level
* Define what a security level means. For instance, it requires
authentication method X and claims A, B, C, where claims can be anything, from
the user's location to the network he is using.
* Define actions that should be taken in order to gain a security level.
For instance, ask for authentication method X, show a page to provide
arbitrary information.

Then, based on the security level, check for scopes that require a specific
security level, or even allow applications to perform validations based on
the security level available from the token. We would also allow client
applications to redirect the user to Keycloak in order to start a "raise
your level" flow, etc ...

FYI, I'm also completely speculating here :)

On Wed, Apr 25, 2018 at 12:06 PM, Bill Burke <bburke at redhat.com> wrote:

> On Wed, Apr 25, 2018 at 10:45 AM, Pedro Igor Silva <psilva at redhat.com>
> wrote:
> > Adaptive authentication is a separate beast though as it may also be
> > related to risk-based authentication/authorization. Some form of
> > calculation based on different sources of information to obtain some
> > score to then take some action. It is a hell of a feature depending on
> > how much we want to invest in it.
> >
>
> Lol, that *WOULD* be cool......I always worried that step-up
> authentication would be an edge case as most customers/users would
> want to require 2nd factor authentication up front.  Would a more
> common case be that a certain client scope requires re-authentication?
> i.e. to perform a sensitive operation?  FYI, I'm completely
> speculating here.
>
> --
> Bill Burke
> Red Hat
>
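To make the "security level" idea in Pedro's message concrete, here is an added toy model (example code, not Keycloak's): a level is defined by the authentication methods (the JWT `amr` claim) and other claims it requires, each scope names the level it needs, and a resource server compares the level the token evidences with that requirement and, when it falls short, lists the actions a "raise your level" flow would take. The level definitions, the scope-to-level mapping, the `network` claim and all sample claim values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SecurityLevel:
    name: str
    rank: int                # higher rank = stronger level
    required_amr: frozenset  # every listed method must appear in the 'amr' claim
    required_claims: dict    # claim name -> value the token must carry


# Constructed definitions: "basic" needs a password, "strong" adds an OTP,
# "verified" additionally requires a claim saying the user is on the corp network.
LEVELS = (
    SecurityLevel("basic", 1, frozenset({"pwd"}), {}),
    SecurityLevel("strong", 2, frozenset({"pwd", "otp"}), {}),
    SecurityLevel("verified", 3, frozenset({"pwd", "otp"}), {"network": "corp"}),
)
# Which level each OAuth2 scope requires (constructed mapping).
SCOPE_LEVEL = {"profile": "basic", "payments:write": "strong", "admin": "verified"}
# Action the "raise your level" flow would take for each unmet requirement.
RAISE_ACTIONS = {
    ("amr", "pwd"): "authenticate with password",
    ("amr", "otp"): "prompt for OTP",
    ("claim", "network"): "confirm the device is on the corporate network",
}


def unmet(level: SecurityLevel, claims: dict) -> list:
    """Requirements of `level` that the token's claims do not prove."""
    amr = set(claims.get("amr", []))
    missing = [("amr", m) for m in sorted(level.required_amr - amr)]
    missing += [("claim", k) for k, v in level.required_claims.items()
                if claims.get(k) != v]
    return missing


def achieved_level(claims: dict) -> Optional[SecurityLevel]:
    """Highest level fully evidenced by the token, or None if even 'basic' fails."""
    met = [lvl for lvl in LEVELS if not unmet(lvl, claims)]
    return max(met, key=lambda lvl: lvl.rank) if met else None


def authorize(scope: str, claims: dict) -> dict:
    """Allow `scope` if the token's level suffices; otherwise say how to raise it."""
    required = next(lvl for lvl in LEVELS if lvl.name == SCOPE_LEVEL[scope])
    current = achieved_level(claims)
    allowed = current is not None and current.rank >= required.rank
    actions = [] if allowed else [RAISE_ACTIONS[r] for r in unmet(required, claims)]
    return {"allowed": allowed, "required": required.name,
            "current": current.name if current else None, "raise_actions": actions}
```

A client receiving `allowed: False` would redirect the user to the identity provider with the listed actions as the step-up to perform, then retry with the new token.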
