[keycloak-dev] per-client authentication flows

Stian Thorgersen sthorger at redhat.com
Wed Jan 24 13:41:55 EST 2018


I think using client templates makes sense as a way to introduce proper
support for scopes, but not sure about retire/replace. Isn't client
templates a useful concept to create some defaults for a client?

On 24 January 2018 at 14:33, Bill Burke <bburke at redhat.com> wrote:

> I'll add a jira...but there's some things to think about for it.  One
> of the things on my plate is Client Scope support ala oauth scopes.
> Was hoping to retire/replace client templates with client scopes and
> not sure if flow overrides fit there if a client is composed of
> multiple scopes.
>
> On Wed, Jan 24, 2018 at 6:07 AM, Marek Posolda <mposolda at redhat.com>
> wrote:
> > Bill, I've added few minor comments to your PR.
> >
> > Does it makes sense to support authentication flows per clientTemplate
> too?
> > Or is it just unnecessary complication? I wonder if it's similar to newly
> > added themeSelector and thinking if we can have fallback chain like:
> client
> > -> clientTemplate -> realm .
> >
> > Marek
> >
> >
> >
> > On 22/01/18 19:21, Stian Thorgersen wrote:
> >>
> >> On 22 January 2018 at 16:17, Bill Burke <bburke at redhat.com> wrote:
> >>
> >>> On Mon, Jan 22, 2018 at 2:48 AM, Stian Thorgersen <sthorger at redhat.com
> >
> >>> wrote:
> >>>>
> >>>> I missed the part about code grant flow being used regardless. Of
> course
> >>>
> >>> the
> >>>>
> >>>> spec doesn't even mandate the user-agent is a web browser, just says
> it
> >>>> typically is.
> >>>>
> >>>> I think acr/display (or some other query parameter) vs a different
> flow
> >>>> boils down to usability. Basically is it simpler to have one "dynamic"
> >>>
> >>> flow
> >>>>
> >>>> or is it simpler to just have separate flows. I think in most cases
> >>>
> >>> you're
> >>>>
> >>>> right and it will probably be cleaner and simpler to simply have
> >>>
> >>> different
> >>>>
> >>>> flows.
> >>>>
> >>>> Did you think about including this new flow OOTB? Is it OSIN specific
> or
> >>>
> >>> is
> >>>>
> >>>> it a generic non-web version of the regular web based flow?
> >>>>
> >>> I want to reorganize auth flows a bit so that we can catagorize them
> >>> and provide a plugin mechanism so the admin console can dynamically
> >>> show which flows can be configured (browser, direct grant, ecp,
> >>> etc..).  There's a lot to be done here, but probably just putting in
> >>> enough at the moment to get the OSIN replacement going.
> >>>
> >>>> Another thing is the user-agent always controlled by the client? Or
> >>>
> >>> could a
> >>>>
> >>>> single client have different user-agents.
> >>>>
> >>> They don't really have that concept.  There's a client config variable
> >>> "respondWithChallenges".  When set, server responds with 401
> >>> challenges.
> >>>
> >> I was also wondering if other (non OSIN) clients would want to use more
> >> than one flow, but probably not.
> >>
> >>
> >>>
> >>>
> >>>
> >>> --
> >>> Bill Burke
> >>> Red Hat
> >>>
> >> _______________________________________________
> >> keycloak-dev mailing list
> >> keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> >
> >
>
>
>
> --
> Bill Burke
> Red Hat
>


More information about the keycloak-dev mailing list