[keycloak-dev] OAuth2 Incremental Authorization

Schuster Sebastian (INST/ESY1) Sebastian.Schuster at bosch-si.com
Wed Apr 25 12:05:08 EDT 2018


I think security levels should not be tied to client scopes directly, because client scopes represent the client's view (what it needs to ask for). Security levels should be bound to the resource server's view, because it, in the end, decides what level of authentication is necessary to get access, e.g. by means of having certain roles in the token. However, I would like that feature.

Best regards,
Sebastian

Kind regards / Best regards

Dr.-Ing.  Sebastian Schuster

Engineering and Support (INST/ESY1) 
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com
Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com

Registered office: Berlin, Registration court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr. Stefan Ferber, Michael Hahn



-----Original Message-----
From: keycloak-dev-bounces at lists.jboss.org [mailto:keycloak-dev-bounces at lists.jboss.org] On Behalf Of Bill Burke
Sent: Wednesday, 25 April 2018 17:06
To: Pedro Igor Silva <psilva at redhat.com>
Cc: Thorgersen, Stian <stian at redhat.com>; keycloak-dev <keycloak-dev at lists.jboss.org>
Subject: Re: [keycloak-dev] OAuth2 Incremental Authorization

On Wed, Apr 25, 2018 at 10:45 AM, Pedro Igor Silva <psilva at redhat.com> wrote:
> Adaptive authentication is a separated beast though as it may also be 
> related to risk-based authentication/authorization. Some form of 
> calculation based on different sources of information to obtain some 
> score to then take some action. It is a hell of a feature depending on 
> how much we want to invest in it.
>

Lol, that *WOULD* be cool... I always worried that step-up authentication would be an edge case, as most customers/users would want to require second-factor authentication up front. Would a more common case be that a certain client scope requires re-authentication, i.e. to perform a sensitive operation? FYI, I'm completely speculating here.

--
Bill Burke
Red Hat
_______________________________________________
keycloak-dev mailing list
keycloak-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
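The distinction Sebastian draws at the top of the thread (the client scope is what the client asks for; the resource server decides what authentication level an operation actually needs, from what the token proves) can be made concrete as a resource-server-side policy check. The following is an added example written for this archive page; it is not Keycloak code and not code from anyone in the thread. It assumes a Keycloak-style token layout (`realm_access.roles`, `acr`, `auth_time`, `exp`), an assumed ordering of `acr` values, and made-up operation policies. It also shows the step-up outcome as a separate result from a plain denial, carrying the parameters a server would place in a `WWW-Authenticate` challenge (`error=insufficient_user_authentication`, `acr_values`, `max_age`, as later standardised in RFC 9470).

```python
"""Resource-server-side enforcement of authentication level (added example).

The resource server, not the client scope, decides which level an operation
needs. Each operation is gated on what the presented token proves: roles,
authentication context class (`acr`) and freshness (`auth_time`).
Claim names follow Keycloak's token layout; level names, policies and the
sample token below are constructed for this example.
"""
import time
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Ordered authentication levels; a higher index is stronger. The names are an
# assumption modelled on OIDC `acr` values, not a Keycloak default.
ACR_LEVELS = ["0", "pwd", "mfa"]


@dataclass(frozen=True)
class OperationPolicy:
    required_roles: FrozenSet[str]
    min_acr: str
    max_age: Optional[int] = None  # max seconds since auth_time; None = no freshness rule


# Constructed policies: what each operation requires, independent of which
# client scopes the client happened to request.
POLICIES: Dict[str, OperationPolicy] = {
    "GET /account": OperationPolicy(frozenset({"user"}), "pwd"),
    "POST /transfer": OperationPolicy(frozenset({"user"}), "mfa", max_age=300),
    "DELETE /account": OperationPolicy(frozenset({"admin"}), "mfa", max_age=60),
}


def _acr_rank(acr: str) -> int:
    """Rank an acr value; unknown values rank below every known level."""
    try:
        return ACR_LEVELS.index(acr)
    except ValueError:
        return -1


def decide(operation: str, claims: dict, now: Optional[float] = None) -> Tuple[str, object]:
    """Return ("allow", None), ("step_up", challenge) or ("forbid", reason).

    "forbid" means the caller can never perform the operation with this
    identity (wrong roles, expired token). "step_up" means the identity is
    fine but the token's authentication level or age is insufficient; the
    challenge dict holds the WWW-Authenticate parameters the server would
    send back so the client can re-authenticate at the required level.
    """
    now = time.time() if now is None else now
    policy = POLICIES.get(operation)
    if policy is None:
        return ("forbid", "unknown operation")
    if claims.get("exp", 0) <= now:
        return ("forbid", "token expired")

    # Role check: the resource server's view of who may call this at all.
    roles = set(claims.get("realm_access", {}).get("roles", []))
    missing = policy.required_roles - roles
    if missing:
        return ("forbid", "missing role(s): " + ", ".join(sorted(missing)))

    # Level and freshness checks: these produce a step-up challenge, not a denial.
    challenge: Dict[str, object] = {}
    if _acr_rank(claims.get("acr", "0")) < _acr_rank(policy.min_acr):
        challenge["acr_values"] = policy.min_acr
    if policy.max_age is not None and now - claims.get("auth_time", 0) > policy.max_age:
        challenge["max_age"] = policy.max_age
    if challenge:
        challenge["error"] = "insufficient_user_authentication"
        return ("step_up", challenge)
    return ("allow", None)


# Constructed sample token: a password-authenticated user, logged in 10 minutes ago.
NOW = 1_700_000_000
SAMPLE_TOKEN = {
    "sub": "alice",
    "exp": NOW + 300,
    "auth_time": NOW - 600,
    "acr": "pwd",
    "realm_access": {"roles": ["user"]},
}

if __name__ == "__main__":
    for op in POLICIES:
        print(op, "->", decide(op, SAMPLE_TOKEN, NOW))
```

With the sample token, `GET /account` is allowed, `POST /transfer` yields a step-up challenge asking for `mfa` and an authentication no older than 300 seconds, and `DELETE /account` is forbidden outright because the `admin` role is absent; no amount of re-authentication changes the last outcome, which is exactly why the two cases are reported differently.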


