[keycloak-dev] Application Initiated Actions Draft #2

Stian Thorgersen sthorger at redhat.com
Mon Apr 1 14:44:07 EDT 2019


On Mon, 1 Apr 2019, 18:54 Pedro Igor Silva, <psilva at redhat.com> wrote:

> Hi Stian,
>
> A few additional comments:
>
> * "or alternatively the application can include an id_token_hint with the
> request that proves the application does not need consent from the user"
>
> I understand that ID Tokens should be short-lived, but aren't we setting
> the exp of ID tokens with the value from access tokens? See
> org.keycloak.protocol.oidc.TokenManager.AccessTokenResponseBuilder#generateIDToken.
>

On my phone so can't look at that. ID tokens have the same expiration as access
tokens surely?


> In addition to that, I don't think that using a front-channel to pass
> tokens is something we want to do given that there are a lot of
> considerations around this approach. If we are really going this way, I
> think we should at least consider some form of proof-of-possession.
>

I'm not 100% convinced about id_token_hint either, but OIDC spec already
uses id_token_hint several places. It's in the auth endpoint already (not
something we're adding) also used in logout specs. I also struggle to see
how it can be misused even if obtained.

Proof of possession is a nice idea, but not sure how that could be done
without storing additional things at the server side.


> For last, maybe you should explicitly mention the usage of TLS?
>

I do believe that is already implied? OAuth/OIDC/tokens are completely
insecure without TLS.


> Regards.
> Pedro Igor
>
> On Wed, Mar 27, 2019 at 9:43 PM Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
>> Based on feedback and also thinking about this a bit more I've now updated
>> the proposal for Application Initiated Actions.
>>
>> Please read and comment on the update draft if you're interested.
>>
>>
>> https://github.com/keycloak/keycloak-community/blob/master/design/application-initiated-actions.md
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>