[keycloak-dev] per-client authentication flows
Stian Thorgersen
sthorger at redhat.com
Thu Jan 18 10:44:51 EST 2018
Definitely makes sense for the 'Direct Grant Flow'.
Did you also think about it for the 'Browser Flow'? That doesn't make sense
to me as I don't think the client should have any control over the SSO flow.
On 17 January 2018 at 20:37, Bill Burke <bburke at redhat.com> wrote:
> TLDR; Per client authentication flows? Client can be configured to
> override realm authentication flows.
>
> Background:
>
> I'm speccing out how we will replace OSIN (openshift oauth server) with
> Keycloak. One issue is that each oauth client in OSIN can specify the
> authentication flow they want. Non-browser clients like the 'oc' cmd
> line tool want a 401, challenge-based protocol... Web console,
> obviously wants HTML. All OSIN clients use the OAuth
> auth-code-grant regardless of whether they are non-browser or browser
> clients. Keycloak assumes this oauth grant type is browser based and
> expects non-browser clients to use Resource Credentials grant or
> client credential grant. OSIN does not support this and we (keycloak)
> have to be backward compatible.
>
> Solution:
>
> I think it would be pretty simple to add the ability to override
> authentication flows per client. I don't think this would be a
> one-off for OSIN as we could use it to implement other non-browser
> input protocols. For example, I wanted to be able to have a
> text-based auth flow for command line logins. I think this could be a
> way to implement that.
> --
> Bill Burke
> Red Hat