[keycloak-dev] Keycloak session limiting (KEYCLOAK-849) (BA-93)

[Stian Thorgersen]

It should be a pluggable part of the authentication flow and not a
hardcoded element. There is no other way to plug in to the authentication
flow other than creating an authenticator. An authenticator doesn't need to
provide a challenge though so it can be used in this instance.

On Tue, 12 Mar 2019 at 10:57, Mauro de Wit <maurodewit at gmail.com> wrote:

> Hello,
>
> I am sending this e-mail because I have some questions regarding the
> enhancement request that enables configurable session limiting in Keycloak
> as discussed here:
> https://issues.jboss.org/browse/KEYCLOAK-849 (The developer that Marc
> Wijma
> referred to in his comment as being available for this task is me btw :))
>
> In the comments a solution is proposed that makes use of a custom
> Authenticator that is dropped into the authentication flow where it can be
> configured. While I can see the benefit of leveraging the existing
> components as much as possible (including the configuration options in that
> flow), I am wondering if this is the best solution. As far as I can tell,
> this component is not performing any authentication at all. Moreover this
> functionality operates 'above' the authentication mechanisms and should
> apply to all of them.
> So is an Authenticator really the desired place to implement this? Or is
> this just the quickest route, while not being the most desirable option for
> the long term? What would be an alternative approach be? That would place
> this implementation and configuration in the existing Session configuration
> code for instance.
>
> I just now started investigating this task and looking into the options
> that would meet our requirements. Hope to hear from you.
>
> Regards
>
> Mauro
>
> >
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>