[keycloak-dev] make sending a request object mandatory for certain clients
Marek Posolda
mposolda at redhat.com
Thu Mar 8 09:25:09 EST 2018
Hi,
sorry to not respond earlier. Your usecase makes sense to me and the
code you did as well. One minor thing, which is missing, is admin
console update. I think you need to add new switch to the client details
page. Please add it to same section like "Advanced config" where are
other things like request object signature algorithm etc.
Thanks,
Marek
On 06/03/18 20:13, Aron Bustya wrote:
> Hello!
>
> Can I get some reaction to this? (The community guidelines say I need to
> ask around before sending pull requests.)
>
> Regards,
> Áron Bustya
>
> On 2 December 2017 at 04:44, Aron Bustya <aron.bustya.js at gmail.com> wrote:
>
>> Hi!
>>
>> I have a use case where the server must accept authorization requests only
>> when they contain a signed request object (should be configurable per
>> client).
>>
>> I have found a way to make the signing of the request object mandatory by
>> specifying a 'request.object.signature.alg' attribute on the client, but
>> this only applies if a request object exists in the first place.
>>
>> I would like to propose a pull request: It defines a new client attribute
>> 'request.object.required'. If this is set to 'true', the client must send a
>> request object when initiating an authorization request.
>>
>> Current code can be checked here: https://github.com/abustya/
>> keycloak/commit/476912906a3ad0d290220a1f54abee073dba687a
>>
>> What do you think?
>>
>> Regards,
>> Áron Bustya
>>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
More information about the keycloak-dev
mailing list