[keycloak-dev] Application Initiated Actions Draft #2

Pedro Igor Silva psilva at redhat.com
Mon Apr 1 12:54:21 EDT 2019


Hi Stian,

A few additional comments:

* "or alternatively the application can include an id_token_hint with the
request that proves the application does not need consent from the user"

I understand that ID Tokens should be short-lived, but aren't we setting
the exp of ID tokens with the value from access tokens? See
org.keycloak.protocol.oidc.TokenManager.AccessTokenResponseBuilder#generateIDToken.

In addition to that, I don't think that using a front-channel to pass
tokens is something we want to do given that there are a lot of
considerations around this approach. If we are really going this way, I
think we should at least consider some form of proof-of-possession.

Lastly, maybe you should explicitly mention the usage of TLS?

Regards.
Pedro Igor

On Wed, Mar 27, 2019 at 9:43 PM Stian Thorgersen <sthorger at redhat.com>
wrote:

> Based on feedback and also thinking about this a bit more I've now updated
> the proposal for Application Initiated Actions.
>
> Please read and comment on the updated draft if you're interested.
>
>
> https://github.com/keycloak/keycloak-community/blob/master/design/application-initiated-actions.md

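The thread above raises the point that an id_token_hint's exp may simply mirror the access token lifetime, so it is a weak freshness signal when the hint is used to skip consent. As an added example (not code from the thread or from Keycloak), the validator below checks signature, alg, issuer, audience and binding to the current session user, and applies its own issued-at freshness window instead of relying on exp alone; the HS256 secret, issuer, client id and max_age_s value are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the demo; a real deployment would verify against the
# realm's published signing key (typically RS256), not a shared secret.
SECRET = b"demo-secret-not-for-production"
CLIENT_ID = "my-app"
ISSUER = "https://idp.example/realms/demo"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_id_token(claims: dict) -> str:
    """Mint an HS256 ID token; used here only to build sample input."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_id_token_hint(token: str, session_sub: str, now: int,
                           max_age_s: int = 300) -> tuple:
    """Return (accepted, reason) for an id_token_hint offered to skip consent.

    exp is checked but not trusted as the freshness bound, since it may equal
    the access token lifetime; the hint must also have been issued within
    max_age_s seconds (a hypothetical policy value).
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    aud = claims.get("aud")
    if not (aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)):
        return False, "wrong audience"
    if claims.get("sub") != session_sub:
        return False, "hint is for a different user"
    if now >= claims.get("exp", 0):
        return False, "expired"
    if now - claims.get("iat", 0) > max_age_s:
        return False, "hint too old for consent bypass"
    return True, "ok"
```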