[keycloak-dev] make sending a request object mandatory for certain clients

Aron Bustya aron.bustya.js at gmail.com
Fri Mar 9 04:32:47 EST 2018


Hi Marek,

Thanks for the reply.
In the meantime I found out that we must only accept a request object
entered directly, and not a request_uri (my first implementation handles
the two together).

But I'm afraid this makes the configuration more complicated.

I can imagine it with 3 switches:
-Accept auth. request without request object
-Accept auth. request with request object included in request param
-Accept auth. request with request object referenced with request_uri
(All of them true by default.)

Or maybe with a dropdown "Accept auth. request":
-any (default)
-with request object included in request param or referenced with
request_uri
-with request object included in request param
-with request object referenced with request_uri

Is this too much to add on the UI?
Do you have a better idea?

Thanks,
Áron


On 8 March 2018 at 17:23, Marek Posolda <mposolda at redhat.com> wrote:

> On 08/03/18 15:25, Marek Posolda wrote:
>
>> Hi,
>>
>> sorry to not respond earlier. Your usecase makes sense to me and the code
>> you did as well. One minor thing, which is missing, is admin console
>> update. I think you need to add new switch to the client details page.
>> Please add it to same section like "Advanced config" where are other things
>> like request object signature algorithm etc.
>>
> Forgot to mention, that it will be nice if you send PR once you do it :)
>
> Thanks,
> Marek
>
>
>> Thanks,
>> Marek
>>
>> On 06/03/18 20:13, Aron Bustya wrote:
>>
>>> Hello!
>>>
>>> Can I get some reaction to this? (The community guidelines say I need to
>>> ask around before sending pull requests.)
>>>
>>> Regards,
>>> Áron Bustya
>>>
>>> On 2 December 2017 at 04:44, Aron Bustya <aron.bustya.js at gmail.com>
>>> wrote:
>>>
>>> Hi!
>>>>
>>>> I have a use case where the server must accept authorization requests
>>>> only
>>>> when they contain a signed request object (should be configurable per
>>>> client).
>>>>
>>>> I have found a way to make the signing of the request object mandatory
>>>> by
>>>> specifying a 'request.object.signature.alg' attribute on the client, but
>>>> this only applies if a request object exists in the first place.
>>>>
>>>> I would like to propose a pull request: It defines a new client
>>>> attribute
>>>> 'request.object.required'. If this is set to 'true', the client must
>>>> send a
>>>> request object when initiating an authorization request.
>>>>
>>>> Current code can be checked here:
>>>> https://github.com/abustya/keycloak/commit/476912906a3ad0d290220a1f54abee073dba687a
>>>>
>>>> What do you think?
>>>>
>>>> Regards,
>>>> Áron Bustya
>>>>
>>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>
>>
>>
>
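
Added example, not code from this thread and not Keycloak's own implementation: a Python model of the four-way "Accept auth. request" dropdown sketched above, applied to the query string of an OIDC authorization request. Everything in it is constructed for illustration except the existing request.object.signature.alg attribute that the thread mentions: the policy values, the CLIENTS table, the per-client attribute name (the thread proposes request.object.required as a boolean; here it holds the dropdown value), the sample request-object JWTs and the error strings are all assumptions. The JOSE header is decoded only to read alg, nothing is signature-verified, and a request_uri is not fetched. It also shows why the alg attribute alone is not enough: that check only runs when a request object is actually present.

```python
"""Per-client "request object required" policy for an OIDC authorization endpoint.

Added example; assumed attribute names and policy values, not Keycloak's code.
"""
import base64
import json
from enum import Enum
from typing import Optional, Tuple
from urllib.parse import parse_qs


class RequestObjectPolicy(Enum):
    """The four values of the proposed "Accept auth. request" dropdown (assumed spellings)."""
    ANY = "any"                                   # request object optional (default)
    REQUEST_OR_REQUEST_URI = "request_or_request_uri"
    REQUEST_ONLY = "request"                      # must be passed by value in `request`
    REQUEST_URI_ONLY = "request_uri"              # must be passed by reference in `request_uri`


# Constructed client configuration. Only request.object.signature.alg is a real
# Keycloak client attribute; the others are assumptions for this example.
CLIENTS = {
    "plain-client": {"request.object.required": "any",
                     "request.object.signature.alg": None},
    "strict-client": {"request.object.required": "request",
                      "request.object.signature.alg": "RS256"},
    "by-ref-client": {"request.object.required": "request_uri",
                      "request.object.signature.alg": None},
}


def jose_alg(jwt: str) -> Optional[str]:
    """Read `alg` from the JOSE header of a compact JWT. No verification is done here."""
    try:
        header_b64 = jwt.split(".")[0]
        padded = header_b64 + "=" * (-len(header_b64) % 4)
        return json.loads(base64.urlsafe_b64decode(padded)).get("alg")
    except (ValueError, IndexError, AttributeError):
        return None


def check_authorization_request(client_id: str, query: str) -> Tuple[bool, str]:
    """Apply the client's policy to the query part of an authorization request.

    Returns (accepted, reason). Rejections use the generic OAuth error code
    invalid_request; the exact wording is this example's choice.
    """
    client = CLIENTS[client_id]
    # Blank values are dropped, so an empty `request=` counts as absent.
    params = {k: v[0] for k, v in parse_qs(query).items()}
    has_req = "request" in params
    has_uri = "request_uri" in params

    # OIDC Core 6: request and request_uri MUST NOT be used in the same request.
    if has_req and has_uri:
        return False, "invalid_request: both request and request_uri present"

    policy = RequestObjectPolicy(client["request.object.required"])
    satisfied = {
        RequestObjectPolicy.ANY: True,
        RequestObjectPolicy.REQUEST_OR_REQUEST_URI: has_req or has_uri,
        RequestObjectPolicy.REQUEST_ONLY: has_req,
        RequestObjectPolicy.REQUEST_URI_ONLY: has_uri,
    }[policy]
    if not satisfied:
        return False, f"invalid_request: client requires a request object ({policy.value})"

    # The existing signature-algorithm attribute only bites once a request object
    # exists. Fetching a request_uri is not modelled here, so the by-value case
    # is the only one checked.
    expected_alg = client["request.object.signature.alg"]
    if has_req and expected_alg is not None:
        alg = jose_alg(params["request"])
        if alg != expected_alg:
            return False, f"invalid_request: request object alg {alg!r}, expected {expected_alg}"
    return True, "accepted"


def sample_request_object(alg: str) -> str:
    """Constructed, unsigned request object with a placeholder signature segment."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": alg, "typ": "JWT"}
    claims = {"client_id": "strict-client", "scope": "openid", "response_type": "code"}
    return ".".join([enc(header), enc(claims), "sig"])


if __name__ == "__main__":
    ro = sample_request_object("RS256")
    print(check_authorization_request("strict-client", "client_id=strict-client"))
    print(check_authorization_request("strict-client", "client_id=strict-client&request=" + ro))
```

The ordering matters: the mutual-exclusion check runs first, then the presence policy, then the algorithm check. Moving the alg check ahead of the presence check would reproduce the gap Áron describes, where a client with a configured algorithm still accepts a bare authorization request.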

