[keycloak-dev] per-client authentication flows
Bill Burke
bburke at redhat.com
Mon Jan 22 10:17:51 EST 2018
On Mon, Jan 22, 2018 at 2:48 AM, Stian Thorgersen <sthorger at redhat.com> wrote:
> I missed the part about code grant flow being used regardless. Of course the
> spec doesn't even mandate the user-agent is a web browser, just says it
> typically is.
>
> I think acr/display (or some other query parameter) vs a different flow
> boils down to usability. Basically is it simpler to have one "dynamic" flow
> or is it simpler to just have separate flows. I think in most cases you're
> right and it will probably be cleaner and simpler to simply have different
> flows.
>
> Did you think about including this new flow OOTB? Is it OSIN specific or is
> it a generic non-web version of the regular web based flow?
>
I want to reorganize auth flows a bit so that we can catagorize them
and provide a plugin mechanism so the admin console can dynamically
show which flows can be configured (browser, direct grant, ecp,
etc..). There's a lot to be done here, but probably just putting in
enough at the moment to get the OSIN replacement going.
> Another thing is the user-agent always controlled by the client? Or could a
> single client have different user-agents.
>
They don't really have that concept. There's a client config variable
"respondWithChallenges". When set, server responds with 401
challenges.
--
Bill Burke
Red Hat
More information about the keycloak-dev
mailing list