[keycloak-dev] per-client authentication flows

Bill Burke bburke at redhat.com
Mon Jan 22 10:17:51 EST 2018

On Mon, Jan 22, 2018 at 2:48 AM, Stian Thorgersen <sthorger at redhat.com> wrote:
> I missed the part about code grant flow being used regardless. Of course the
> spec doesn't even mandate the user-agent is a web browser, just says it
> typically is.
> I think acr/display (or some other query parameter) vs a different flow
> boils down to usability. Basically is it simpler to have one "dynamic" flow
> or is it simpler to just have separate flows. I think in most cases you're
> right and it will probably be cleaner and simpler to simply have different
> flows.
> Did you think about including this new flow OOTB? Is it OSIN specific or is
> it a generic non-web version of the regular web based flow?

I want to reorganize auth flows a bit so that we can catagorize them
and provide a plugin mechanism so the admin console can dynamically
show which flows can be configured (browser, direct grant, ecp,
etc..).  There's a lot to be done here, but probably just putting in
enough at the moment to get the OSIN replacement going.

> Another thing is the user-agent always controlled by the client? Or could a
> single client have different user-agents.

They don't really have that concept.  There's a client config variable
"respondWithChallenges".  When set, server responds with 401

Bill Burke
Red Hat

More information about the keycloak-dev mailing list