[keycloak-dev] per-client authentication flows

Stian Thorgersen sthorger at redhat.com
Thu Jan 18 10:44:51 EST 2018

Definitively makes sense for the 'Direct Grant Flow'.

Did you also think about it for the 'Browser Flow'? That doesn't make sense
to me as I don't think the client should have any control on the SSO flow.

On 17 January 2018 at 20:37, Bill Burke <bburke at redhat.com> wrote:

> TLDR;  Per client authentication flows?  Client can be configured to
> override realm authentication flows.
> Background:
> I'm specing out how we will replace OSIN (openshift oauth server) with
> Keycloak.  One issue is that each oauth client in OSIN can specify the
> authentication flow they want.  Non-browser clients like the 'oc' cmd
> line tool want a 401, challenge-based protocol...Web console,
> obviously wants HTML.  They All OSIN clients use the OAuth
> auth-code-grant irregardless if they are non-brwoser or browser
> clients.  Keycloak assumes this oauth grant type is browser based and
> expects non-browser clients to use Resource Credentials grant or
> client credential grant.  OSIN does not support this and we (keycloak)
> have to be backward compatible.
> Solution:
> I think it would be pretty simple to add the ability to override
> authentication flows per client.  I don't think this would be a
> one-off for OSIN as we could use it to implement other non-browser
> input protocols.  For example, I wanted to be able to have a
> text-based auth flow for command line logins.  I think this could be a
> way to implement that.
> --
> Bill Burke
> Red Hat
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

More information about the keycloak-dev mailing list