[keycloak-dev] per-client authentication flows

Bill Burke bburke at redhat.com
Wed Jan 17 14:37:12 EST 2018

TLDR;  Per client authentication flows?  Client can be configured to
override realm authentication flows.


I'm speccing out how we will replace OSIN (openshift oauth server) with
Keycloak.  One issue is that each oauth client in OSIN can specify the
authentication flow they want.  Non-browser clients like the 'oc' cmd
line tool want a 401, challenge-based protocol... Web console,
obviously wants HTML.  All OSIN clients use the OAuth
auth-code-grant regardless of whether they are non-browser or browser
clients.  Keycloak assumes this oauth grant type is browser based and
expects non-browser clients to use Resource Credentials grant or
client credential grant.  OSIN does not support this and we (keycloak)
have to be backward compatible.


I think it would be pretty simple to add the ability to override
authentication flows per client.  I don't think this would be a
one-off for OSIN as we could use it to implement other non-browser
input protocols.  For example, I wanted to be able to have a
text-based auth flow for command line logins.  I think this could be a
way to implement that.

Bill Burke
Red Hat
