[keycloak-dev] Application Initiated Actions

Marek Posolda mposolda at redhat.com
Tue Mar 26 04:20:23 EDT 2019


On 26/03/2019 08:45, Stian Thorgersen wrote:
>
>
> On Fri, 22 Mar 2019 at 15:12, Marek Posolda <mposolda at redhat.com 
> <mailto:mposolda at redhat.com>> wrote:
>
>     On 22/03/2019 12:42, Stian Thorgersen wrote:
>>
>>
>>     On Fri, 22 Mar 2019 at 12:07, Marek Posolda <mposolda at redhat.com
>>     <mailto:mposolda at redhat.com>> wrote:
>>
>>         I am sorry to join this so late.
>>
>>         My concern is, that in the design, it was mentioned that
>>         consent will be
>>         always required from the user. I understand that this
>>         simplifies the
>>         flow as it's more secure and not need to authenticate the
>>         client.
>>         However from the usability perspective, it doesn't look so
>>         nice to me.
>>
>>         For example assume that in the application, the user just
>>         clicked on the
>>         button "Link my account with Facebook" . Then after login
>>         with Facebook,
>>         he will see another splash screen like "Application XY wants
>>         to link
>>         your account with Facebook", which he needs to confirm. It
>>         may be
>>         especially bad for usability in this case with linking social
>>         accounts,
>>         as user may see one splash screen shown by Facebook "Application
>>         keycloak wants to access your Facebook profile and email" and
>>         then
>>         immediately another splash screen shown by Keycloak
>>         "Application Foo
>>         wants to link your account with Facebook" .
>>
>>         Maybe I am wrong, but my guess is, that our users will very
>>         quickly come
>>         with requirement "Can I ommit to show the splash screen?" .
>>         It is bit
>>         similar to the "Consent Required" switch, which I guess most
>>         people have
>>         OFF for their clients. So IMO I would rather count with this
>>         from the
>>         beginning and count with the fact, that we will need to ommit
>>         consent
>>         screen and hence verify client.
>>
>>         With regards to this, It seems that we may need also to
>>         specify if
>>         client is:
>>         - Allowed to initiate action
>>         - Allowed to initate action with the consent required
>>         - Allowed to initate action with no-consent required
>>         Maybe the "Consent required" switch can be on instead on the
>>         action
>>         itself, but the will still need to restrict if client is
>>         allowed or not
>>         to perform the action.
>>
>>
>>     I can see your point for linking to external IdP.
>>
>>     However, for everything else the actions are requesting a user to
>>     enter information before something happens. I.e. registering
>>     WebAuthn device, update password, etc.. All require the user to
>>     first fill in the form.
>     I see. But if we can think about at least of one "type" of the
>     action, which may not show any special page, there are probably
>     others :)
>>
>>         With regards to the flow, I suggest that KC will require full
>>         OIDC/OAuth2 flow. In other words, when KC redirects back to
>>         the client,
>>         the client will be required to send code-to-token request.
>>         And the
>>         action (EG. Keycloak user linked with Facebook) is done
>>         *after* the
>>         whole flow (including code-to-token flow) is finished. That
>>         should be
>>         sufficient to verify the client and at the same time, it will
>>         allow us
>>         to add some more things to tokens (EG. some facebook details)
>>         . Downside
>>         is, that it will be harder to implement though as the SPI
>>         will likely
>>         need another callback after code-to-token flow to "finish"
>>         the action...
>>
>>
>>     I don't think I understand, because if you are proposing what I'm
>>     thinking it sounds awkward. Can you list the flow?
>
>     It is pretty much OIDC flow. So:
>
>     - The initial request with "kc_action=link-facebook" is sent to
>     OIDC authentication endpoint
>     - KC (re-)authenticates user and do all the UI actions required
>     for the requested action
>     - Before the model is updated (EG.
>     userModel.addFederationLink("facebook") called), there is
>     redirection to client with code+state etc
>     - Client needs to send code-to-token request.
>     - KC will need to verify code (already done), finally finish the
>     model (EG. call "user.addFederationLink" or
>     "user.setEmailVerified(true)" ). That's where I think the SPI
>     callback will be needed. Finally re-generate tokens and verify
>     back to the application.
>     - Client receives updated tokens with all the new state (EG.
>     "email_verified" is set to true, user's birthday claim retrieved
>     from facebook is in the token etc.)
>
>     This has some good advantages like the:
>
>     - Client is verified. In case of confidential clients, there is
>     proper client authentication. For public clients, there is at
>     least redirection back to the client application and exchanging
>     for tokens, which is still bit safer than just update model on
>     server (EG. userModel.addFederationLink) and redirect to client
>     after. However for public clients, people will more likely want to
>     show the splash screen "Application XY wants to link your account"
>
>     - Tokens are updated at the end of the flow. This is important for
>     many applications though as in many cases, people will likely
>     trigger actions under some conditions. For example in the
>     application will do something like:
>
>     if (!idToken.isEmailVerified()) {
>         redirectToVerifyEmailAction();
>
>     }
>
>     So without updated tokens, you will have infinite loop or the need
>     to re-trigger to OIDC flow manually again to have tokens refreshed
>     with new claims
>
> I really hate that idea ;)
>
> * You don't know the client until after the user has entered the 
> values - so invalid client would still require user to do the work, 
> but just silently revert it

If you think about this, this is the general "issue" for the OIDC flow. 
In OIDC, the client authentication is not done at the beginning of the 
flow, but at the end (code-to-token request).

In other words, if malicious client knows the clientId and redirectUri 
of some good client, nothing prevents him to start the OIDC login flow 
by construct the OIDC initial URI: 
client_id=good_client&redirect_uri=http://good.client.host&... and hence 
all the login screens will be shown to the user. But important is, that 
malicious client won't be able to finish the flow as at the end, it will 
be redirection to the redirect_uri of good client and there is client 
authentication. So malicious client don't have a way to "steal" tokens, 
which makes the attack impractical. And I think same will apply to this 
flow I propose for the Application Initiated Actions.

> * Requires special actions that somehow caches all updates
You mean that actions will need to have the state, which will be saved 
before the redirection to the client and then need to be loaded during 
the code-to-token request? I think that state is needed anyway for most 
of the actions, which are multi-screen. I don't see this as big issue.
> * May be very hard to do for some actions

Not sure I follow? I think that what I propose is almost the same as the 
flow you proposed, with the only exception, that client will be required 
to do the "code-to-token" request similarly like during OIDC flow. So 
the only added thing, will be to maintain the state.

Marek

>
> I could go on
>
>>
>>         Last thing, I was thinking about using "scope" parameter to
>>         reference
>>         those actions instead of have proprietary "kc_action" thing.
>>         The we
>>         don't need any extensions of OIDC. It may simplify things
>>         like consents
>>         etc. Also client will be able to have something similar like
>>         we have in
>>         "Client Scopes" tab - the list of action, which he is allowed to
>>         initiate. But I am not sure about this last point and maybe
>>         it's better
>>         to keep things separated...
>>
>>
>>     I'm not convinced using scope param makes sense. It just doesn't
>>     fit in my mental model.
>
>     I see. I am also not convinced so much about scope param... Just
>     some quick idea :)
>
>     Marek
>
>>
>>         Marek
>>
>>
>>
>>
>>         On 21/03/2019 14:07, Pedro Igor Silva wrote:
>>         > Sure, I'm not against the initial design/scope. Just tried
>>         to make comments
>>         > about other aspects that, to me, are related or how it can
>>         be leveraged to
>>         > also achieve other things.
>>         >
>>         > So, what Stian plans mentioned in one of his replies is
>>         fine for me.
>>         >
>>         > On Thu, Mar 21, 2019 at 9:47 AM Stan Silvert
>>         <ssilvert at redhat.com <mailto:ssilvert at redhat.com>> wrote:
>>         >
>>         >> Pedro,
>>         >>
>>         >> My only concern is getting this nailed down so we can move
>>         forward with
>>         >> the new account console.
>>         >>
>>         >> It sounds like Stian's proposal is simpler, but covers
>>         fewer use cases.
>>         >> Is that correct?
>>         >>
>>         >> Would it be practical to implement Stian's plan and then
>>         implement your
>>         >> proposal at a later date?
>>         >>
>>         >> On 3/21/2019 8:05 AM, Pedro Igor Silva wrote:
>>         >>> In addition to everything you said.
>>         >>>
>>         >>> * It is not only about making changes to account, but
>>         updating tokens
>>         >> with
>>         >>> information from required actions, which not necessarily
>>         need to be
>>         >>> persisted.
>>         >>>
>>         >>> * For back-end applications, we could also associate
>>         these required
>>         >> actions
>>         >>> with scopes. If we could have a required action as
>>         "Re-authenticate" or
>>         >>> "Provide 2nd factor", that would also help with step-up
>>         authentication.
>>         >> As
>>         >>> an alternative to OIDC acr related parameters/claims. I
>>         don't think it
>>         >>> makes sense to bring to the client concerns that are
>>         really tied to the
>>         >>> scopes of a resource server. As I said, clients should
>>         ask for scopes and
>>         >>> Keycloak should do whatever is necessary to grant these
>>         (via consent, via
>>         >>> additional steps/actions). Consider what you mentioned at
>>         the end of your
>>         >>> design document at "Require Re-Authentication". Couldn't
>>         we leverage AIA
>>         >>> for step-up and ask the user for a more stronger credential ?
>>         >>>
>>         >>> * Claims gathering flow is simple. The Keycloak server
>>         would return the
>>         >>> endpoint to where the client should redirect the user.
>>         After obtaining
>>         >>> information from the user, Keycloak would issue a ticket
>>         (instead of
>>         >> code).
>>         >>> The endpoint returned by Keycloak would contain the
>>         action associated
>>         >> with
>>         >>> a resource. The endpoint could be the same as what you
>>         are using for AIA.
>>         >>>
>>         >>>
>>         >>>
>>         >>>
>>         >>>
>>         >>> On Thu, Mar 21, 2019 at 4:13 AM Stian Thorgersen
>>         <sthorger at redhat.com <mailto:sthorger at redhat.com>>
>>         >>> wrote:
>>         >>>
>>         >>>> Pedro,
>>         >>>>
>>         >>>> I really don't understand what your points are and what
>>         you propose we
>>         >> do
>>         >>>> here.
>>         >>>>
>>         >>>> The use-case we're addressing is the following:
>>         >>>>
>>         >>>> As a user I would like to initiate an action associated
>>         with my account
>>         >>>> through a front-end application so that I can make
>>         changes to my
>>         >> account,
>>         >>>> for example to register a WebAuthn security key with my
>>         account.
>>         >>>>
>>         >>>> Further, we want an action to be implemented once and
>>         re-usable in
>>         >>>> login/registration flows as well as from applications
>>         managing user
>>         >>>> accounts, incuding our new account console. That means
>>         our new account
>>         >>>> console needs to be able to invoke an action in the
>>         login flow,
>>         >> otherwise
>>         >>>> we would have to implement actions as react/rest also.
>>         >>>>
>>         >>>> Now the solution I have proposed is simple. It allows an
>>         application to
>>         >>>> request an action being invoked after the user has
>>         authenticated. Think
>>         >> of
>>         >>>> it as a "required action" on-demand. It can be
>>         implemented with a few
>>         >> lines
>>         >>>> of code and easily tested. It is very easy to use as it
>>         just means
>>         >> adding
>>         >>>> an extra query param to the login flows, which makes it
>>         very easy to use
>>         >>>> both for confidential and non-confidential clients.
>>         >>>>
>>         >>>> It is not trying to cover claims gathering use-case from
>>         UMA. I see no
>>         >>>> connection to this and step-up authentication. These
>>         both already have
>>         >>>> clearly defined protocols. Neither can be used to
>>         address the above
>>         >>>> use-case.
>>         >>>>
>>         >>>> So please come with a concrete proposal as I have no
>>         clue what your
>>         >>>> objections are.
>>         >>>>
>>         >>>> On Wed, 20 Mar 2019 at 19:37, Pedro Igor Silva
>>         <psilva at redhat.com <mailto:psilva at redhat.com>>
>>         >> wrote:
>>         >>>>> On Wed, Mar 20, 2019 at 1:33 PM Stian Thorgersen
>>         <sthorger at redhat.com <mailto:sthorger at redhat.com>>
>>         >>>>> wrote:
>>         >>>>>
>>         >>>>>> On Wed, 20 Mar 2019 at 17:19, Pedro Igor Silva
>>         <psilva at redhat.com <mailto:psilva at redhat.com>>
>>         >>>>>> wrote:
>>         >>>>>>
>>         >>>>>>> On Wed, Mar 20, 2019 at 12:28 PM Stian Thorgersen <
>>         >> sthorger at redhat.com <mailto:sthorger at redhat.com>>
>>         >>>>>>> wrote:
>>         >>>>>>>
>>         >>>>>>>> On Wed, 20 Mar 2019 at 16:02, Pedro Igor Silva
>>         <psilva at redhat.com <mailto:psilva at redhat.com>>
>>         >>>>>>>> wrote:
>>         >>>>>>>>
>>         >>>>>>>>> On Fri, Mar 8, 2019 at 4:17 AM Stian Thorgersen <
>>         >> sthorger at redhat.com <mailto:sthorger at redhat.com>>
>>         >>>>>>>>> wrote:
>>         >>>>>>>>>
>>         >>>>>>>>>> On Thu, 7 Mar 2019 at 19:09, Pedro Igor Silva
>>         <psilva at redhat.com <mailto:psilva at redhat.com>>
>>         >>>>>>>>>> wrote:
>>         >>>>>>>>>>
>>         >>>>>>>>>>> On Thu, Mar 7, 2019 at 12:33 PM Stian Thorgersen <
>>         >>>>>>>>>>> sthorger at redhat.com <mailto:sthorger at redhat.com>>
>>         wrote:
>>         >>>>>>>>>>>
>>         >>>>>>>>>>>> Is it this stuff you're thinking about:
>>         >>>>>>>>>>>>
>>         >>>>>>>>>>>>
>>         >>
>>         https://docs.kantarainitiative.org/uma/wg/uma-core-2.0-20.html#claim-redirect
>>         >>>>>>>>>>>>  From that it does a get including the ticket as
>>         a query
>>         >> parameter.
>>         >>>>>>>>>>>> I don't like the idea of sending tickets as
>>         query params as
>>         >> they could be
>>         >>>>>>>>>>>> logged. For the application initiated action it
>>         would have to
>>         >> be an ID
>>         >>>>>>>>>>>> token sent as the ticket. Or as I mentioned
>>         before perhaps we
>>         >> have a way of
>>         >>>>>>>>>>>> creating a ticket that can only be used to
>>         initiate an action.
>>         >>>>>>>>>>>>
>>         >>>>>>>>>>> Why you need to send the id token if the client
>>         already got an id
>>         >>>>>>>>>>> token and, considering browser flow, there is a
>>         cookie that can
>>         >> be used by
>>         >>>>>>>>>>> Keycloak to identify the client/user ?
>>         >>>>>>>>>>>
>>         >>>>>>>>>> Cookie doesn't authenticate the client, only the user.
>>         >>>>>>>>>>
>>         >>>>>>>>> But the identity cookie has the user session and
>>         from it we can
>>         >> check
>>         >>>>>>>>> whether or not the client initiating the action
>>         (client_id) has a
>>         >>>>>>>>> authenticated client session, no ?
>>         >>>>>>>>>
>>         >>>>>>>> That only proves that the client_id belongs to a
>>         client that has
>>         >>>>>>>> obtained a token. It doesn't authenticate the client
>>         in any way.
>>         >>>>>>>>
>>         >>>>>>>> Q- Why is authentication of the client required? IMO
>>         it is not
>>         >>>>>>>> required.
>>         >>>>>>>>
>>         >>>>>>> Sure, but the client obtained token and is
>>         authenticated, thus acting
>>         >>>>>>> on behalf of the user. If the client is already
>>         acting on behalf of
>>         >> a user,
>>         >>>>>>> we don't need to authenticate it.
>>         >>>>>>>
>>         >>>>>> That's not correct. All we know is that a client with
>>         the same
>>         >> client_id
>>         >>>>>> has obtained a token. Anyone can use the same
>>         client_id to initiate an
>>         >>>>>> action.
>>         >>>>>>
>>         >>>>>>
>>         >>>>>>>>>>>> Perhaps what we could do is:
>>         >>>>>>>>>>>>
>>         >>>>>>>>>>>> 1. By default any application can initiate an action
>>         >>>>>>>>>>>> 1.1. To initiate an action there's no need for a
>>         ticket of any
>>         >>>>>>>>>>>> sort, just a regular oauth flow
>>         >>>>>>>>>>>> 2. Later add support if demand to limit what
>>         applications can
>>         >>>>>>>>>>>> initiate actions
>>         >>>>>>>>>>>> 2.1 Same as before if the action being initiated
>>         is open for
>>         >>>>>>>>>>>> everyone then no need for a ticket
>>         >>>>>>>>>>>> 2.2 If the action being initiated is only
>>         permitted by some
>>         >>>>>>>>>>>> applications we would need some form of
>>         authentication.
>>         >>>>>>>>>>>>
>>         >>>>>>>>>>>> For 2.2 I have 3 suggestions in mind:
>>         >>>>>>>>>>>>
>>         >>>>>>>>>>>> a. Just include id_token as a ticket query param
>>         like  UMA claim
>>         >>>>>>>>>>>> redirect does
>>         >>>>>>>>>>>> b. Add support to obtain an initiate action
>>         ticket from a
>>         >> endpoint
>>         >>>>>>>>>>>> using an id token as bearer token
>>         >>>>>>>>>>>> c. Add a note into client session with a
>>         initiate action ticket
>>         >>>>>>>>>>>> for clients that can initiate actions and map
>>         this into the id
>>         >> token.
>>         >>>>>>>>>>> Not sure ...
>>         >>>>>>>>>>>
>>         >>>>>>>>>>> If you think about it, the part interested in
>>         obtaining the
>>         >> claims
>>         >>>>>>>>>>> after an action is completed is not the client
>>         but the audience
>>         >> of the
>>         >>>>>>>>>>> token, the resource server. In this case, the UMA
>>         approach seems
>>         >> more
>>         >>>>>>>>>>> appropriate because the resource server is in
>>         control about what
>>         >> actions
>>         >>>>>>>>>>> the client should initiate in order to fulfill
>>         the constraints
>>         >> imposed by
>>         >>>>>>>>>>> the resource server to access its protected
>>         resources. Where
>>         >> these
>>         >>>>>>>>>>> constraints could be a DOB in the token or a
>>         higher security
>>         >> level.
>>         >>>>>>>>>>> The app initiating actions in the server is not
>>         the goal, but the
>>         >>>>>>>>>>> tool to obtain additional claims from the server ...
>>         >>>>>>>>>>>
>>         >>>>>>>>>>> However, for some applications acting as both
>>         client and resource
>>         >>>>>>>>>>> server (e.g.: a monolithic jee) can avoid all the
>>         ticket dance
>>         >> and just
>>         >>>>>>>>>>> redirect the user to the server as you pointed
>>         out in 1.
>>         >>>>>>>>>>>
>>         >>>>>>>>>> Perhaps there's a case for that, but that would be
>>         claims
>>         >> gathering,
>>         >>>>>>>>>> not application initiated actions.
>>         >>>>>>>>>>
>>         >>>>>>>>>> Application initiated actions are more a tool for
>>         folks to add
>>         >>>>>>>>>> actions for the user account into their own GUIs,
>>         and as such
>>         >> should be a
>>         >>>>>>>>>> simple protocol. OAuth incremental scopes for
>>         example doesn't
>>         >> have any
>>         >>>>>>>>>> flows between app and service, but rather just
>>         allows the app to
>>         >> get the
>>         >>>>>>>>>> scopes it out of bounds knows it needs for
>>         specific actions.
>>         >>>>>>>>>>
>>         >>>>>>>>> I think claims gathering and AIA are pretty much
>>         the same thing.
>>         >> Both
>>         >>>>>>>>> are querying the user for additional information.
>>         Despite if you
>>         >> are
>>         >>>>>>>>> initiating an action to request user's DOB or
>>         update a password,
>>         >> they are
>>         >>>>>>>>> steps that the user must perform in order to enrich
>>         its security
>>         >> context
>>         >>>>>>>>> and be able to continue using both client and
>>         resource server.
>>         >>>>>>>>>
>>         >>>>>>>>> The point I'm trying to make is that AIA can solve
>>         other problems
>>         >>>>>>>>> too. You would still solve the original problem
>>         from your design
>>         >> document
>>         >>>>>>>>> as defined in the motivation section. While you
>>         would also help
>>         >> with
>>         >>>>>>>>> step-up authentication and UMA claims gathering.
>>         Another point is
>>         >> related
>>         >>>>>>>>> to the party interested in the action. Is it the
>>         client or the
>>         >> resource
>>         >>>>>>>>> server (the API)?
>>         >>>>>>>>>
>>         >>>>>>>>> If the client (which honestly I don't see much use
>>         as most apps
>>         >> seem
>>         >>>>>>>>> to be a combination of front-end + back-end, where the
>>         >> functionality is
>>         >>>>>>>>> provided by the back-end and protected by a bearer
>>         token) then you
>>         >> may just
>>         >>>>>>>>> consider passing the "kc_action" parameter and have
>>         the action
>>         >> initiated.
>>         >>>>>>>>> If the resource server, you could associate the
>>         required actions
>>         >> with
>>         >>>>>>>>> the scopes. So when a client requests a specific
>>         scope, Keycloak
>>         >> will start
>>         >>>>>>>>> the action(s) and query the user for some
>>         information prior to
>>         >> issuing the
>>         >>>>>>>>> access token.
>>         >>>>>>>>>
>>         >>>>>>>>> Still, if the resource server, the resource server
>>         could respond to
>>         >>>>>>>>> the client (e.g: UMA flow) indicating that it needs
>>         more info,
>>         >> then the
>>         >>>>>>>>> client will just redirect the user to the location
>>         provided in the
>>         >> response
>>         >>>>>>>>> to initiate the actions.
>>         >>>>>>>>>
>>         >>>>>>>> I don't understand what your point is or what you
>>         are proposing
>>         >> here.
>>         >>>>>>> And I do understand your point of view. I just think
>>         that it can do
>>         >>>>>>> much more than address new account management console
>>         requirements.
>>         >>>>>>>
>>         >>>>>>> Based on your design document, I understand what you
>>         described in the
>>         >>>>>>> Motivation section. But again, instead of considering
>>         the "two
>>         >> things" that
>>         >>>>>>> originated the idea behind AIA, I think we can take
>>         the opportunity
>>         >> and do
>>         >>>>>>> much more. As they seem related to me. Especially
>>         after your DOB
>>         >> example.
>>         >>>>>> I don't see the additional use-cases you are
>>         mentioning as related at
>>         >>>>>> all.
>>         >>>>>>
>>         >>>>> How it is not related ? The audience of the information
>>         gathered during
>>         >>>>> the AIA does impact where the token with the
>>         information will be used.
>>         >> If I
>>         >>>>> need a DOB to access some page in my front-end, this is
>>         one thing. If I
>>         >>>>> need DOB to access some resource protected by a
>>         resource server it is
>>         >>>>> another thing. Both require tokens with different
>>         audiences, the former
>>         >>>>> will probably be an ID Token where the latter the
>>         access token.
>>         >>>>>
>>         >>>>> In OAuth2 the scopes represent the permissions to
>>         access protected
>>         >>>>> resources. Thus, it does make sense to have required
>>         actions that can
>>         >>>>> challenge a user when requesting scopes. Considering
>>         your DOB example,
>>         >> if
>>         >>>>> my client wants to access resource /api/age/check why
>>         you want the
>>         >> client
>>         >>>>> to request kc_action=dob if the scope "dob" is what he
>>         needs to access
>>         >> the
>>         >>>>> API ? Otherwise, you are making the client aware of
>>         things that are
>>         >> really
>>         >>>>> related to the resource server. It is OK the client ask
>>         for scope
>>         >> "age", it
>>         >>>>> is how OAuth2 authorization model works.
>>         >>>>>
>>         >>>>> UMA leverages OAuth2 in a way that the permission
>>         ticket makes the
>>         >> client
>>         >>>>> really dumb about what it needs to access protected
>>         resources. With
>>         >> UMA,
>>         >>>>> the client will just receive a ticket and with that
>>         ticket it can
>>         >> perform
>>         >>>>> the necessary actions to make a successful
>>         authorization request to the
>>         >>>>> server.
>>         >>>>>
>>         >>>>>
>>         >>>>>> * Step-up authentication has already clear parameters
>>         in OIDC/OAuth to
>>         >>>>>> request high level of authentication. On the
>>         implementation side it's
>>         >> about
>>         >>>>>> invoking additional parts of the authentication flow,
>>         not to initiate
>>         >> an
>>         >>>>>> required action that has nothing to do with the
>>         authentication flow.
>>         >>>>>>
>>         >>>>> Can we consider a required action as a prompt for 2nd
>>         factor, for
>>         >>>>> instance ?
>>         >>>>>
>>         >>>>>
>>         >>>>>> * Claims gathering in UMA is about asking the user for
>>         additional
>>         >>>>>> claims. AIA can be used as a poor-mans workaround to
>>         lack of claims
>>         >>>>>> gathering, but end of the day it's completely
>>         different. AIA will
>>         >> allow an
>>         >>>>>> app to invoke the action update_DOB, while claims
>>         gaterhing will
>>         >> allow the
>>         >>>>>> application to request the claim DOB.
>>         >>>>>>
>>         >>>>> Not sure, if the difference is due to updating a piece
>>         of info, both
>>         >>>>> flows request the user for the info. Is just a matter
>>         of updating or
>>         >> not
>>         >>>>> updating the info.
>>         >>>>>
>>         >>>>>
>>         >>>>>> I don't see what additional things we need to consider
>>         for something
>>         >>>>>> that is in the end very simple and can be implemented
>>         in a couple
>>         >> hours
>>         >>>>>> including tests if we don't try to make it more
>>         complicated.
>>         >>>>>>
>>         >>>>>>
>>         >>>>>>>>>>>> On Thu, 7 Mar 2019 at 16:19, Stian Thorgersen <
>>         >> sthorger at redhat.com <mailto:sthorger at redhat.com>>
>>         >>>>>>>>>>>> wrote:
>>         >>>>>>>>>>>>
>>         >>>>>>>>>>>>> On Thu, 7 Mar 2019 at 13:39, Pedro Igor Silva <
>>         >> psilva at redhat.com <mailto:psilva at redhat.com>>
>>         >>>>>>>>>>>>> wrote:
>>         >>>>>>>>>>>>>
>>         >>>>>>>>>>>>>> On Wed, Mar 6, 2019 at 3:45 PM Stian Thorgersen <
>>         >>>>>>>>>>>>>> sthorger at redhat.com
>>         <mailto:sthorger at redhat.com>> wrote:
>>         >>>>>>>>>>>>>>
>>         >>>>>>>>>>>>>>> On Wed, 6 Mar 2019 at 17:39, Pedro Igor Silva <
>>         >>>>>>>>>>>>>>> psilva at redhat.com <mailto:psilva at redhat.com>>
>>         wrote:
>>         >>>>>>>>>>>>>>>
>>         >>>>>>>>>>>>>>>> On Wed, Mar 6, 2019 at 1:30 PM Stian
>>         Thorgersen <
>>         >>>>>>>>>>>>>>>> sthorger at redhat.com
>>         <mailto:sthorger at redhat.com>> wrote:
>>         >>>>>>>>>>>>>>>>
>>         >>>>>>>>>>>>>>>>> Why do you think
>>         authentication/authorization is required?
>>         >>>>>>>>>>>>>>>>> The user will be prompted before making an
>>         action and it's
>>         >> an action they
>>         >>>>>>>>>>>>>>>>> do against RH-SSO and not automatically
>>         visible/exposed to
>>         >> the client.
>>         >>>>>>>>>>>>>>>> The client is making the request and even
>>         though the user is
>>         >>>>>>>>>>>>>>>> at the Keycloak server to perform the
>>         action, admins may
>>         >> want to restrict
>>         >>>>>>>>>>>>>>>> which clients are allowed to perform such
>>         actions. That is
>>         >> what I mean by
>>         >>>>>>>>>>>>>>>> some level of authorization.
>>         >>>>>>>>>>>>>>>>
>>         >>>>>>>>>>>>>>>> You could even consider not authenticating
>>         the client at
>>         >> all,
>>         >>>>>>>>>>>>>>>> but still allow admins to enforce which
>>         clients should be
>>         >> allowed to
>>         >>>>>>>>>>>>>>>> initiate actions on the server.
>>         >>>>>>>>>>>>>>>>
>>         >>>>>>>>>>>>>>> I can't see how enforcing which clients is
>>         allowed to
>>         >> initiate
>>         >>>>>>>>>>>>>>> actions will work without authenticating the
>>         client.
>>         >>>>>>>>>>>>>>>
>>         >>>>>>>>>>>>>> Maybe the word authenticate seems too much to
>>         what we are
>>         >>>>>>>>>>>>>> discussing. This is more a validation of the
>>         client making
>>         >> the request.
>>         >>>>>>>>>>>>>> Considering that, I'm saying that you could
>>         just rely on
>>         >> client_id and
>>         >>>>>>>>>>>>>> redirect uris (the client is already
>>         authenticated and if
>>         >> doing browser
>>         >>>>>>>>>>>>>> authentication the cookie is already present)
>>         and possibly
>>         >> add some level
>>         >>>>>>>>>>>>>> of authorization to enforce which clients can
>>         perform actions
>>         >> (instead of
>>         >>>>>>>>>>>>>> just relying on the authenticated session).
>>         Redirect uris are
>>         >> really
>>         >>>>>>>>>>>>>> important because you want to make sure the
>>         redirect uri is
>>         >> valid before
>>         >>>>>>>>>>>>>> redirecting the user.
>>         >>>>>>>>>>>>>>
>>         >>>>>>>>>>>>> The plan is to use the auth endpoint, so
>>         client_id and
>>         >>>>>>>>>>>>> redirect_uris are already being checked. It's
>>         just a standard
>>         >> OAuth flow.
>>         >>>>>>>>>>>>> IMO that's fine as long as there's no need to
>>         limit what
>>         >> clients
>>         >>>>>>>>>>>>> can initiate actions. If that's needed then we
>>         need something
>>         >> more
>>         >>>>>>>>>>>>> complicated that properly authenticates the
>>         client, as anyone
>>         >> could just
>>         >>>>>>>>>>>>> use the client_id and redirect_uri from a different
>>         >> application to get the
>>         >>>>>>>>>>>>> action initiated (although wouldn't then have
>>         the user
>>         >> redirected back to
>>         >>>>>>>>>>>>> the app of course).
>>         >>>>>>>>>>>>>
>>         >>>>>>>>>>>>>
>>         >>>>>>>>>>>>>>>>> On Wed, 6 Mar 2019 at 14:31, Pedro Igor Silva <
>>         >>>>>>>>>>>>>>>>> psilva at redhat.com
>>         <mailto:psilva at redhat.com>> wrote:
>>         >>>>>>>>>>>>>>>>>
>>         >>>>>>>>>>>>>>>>>> One way is to follow authorization code
>>         constraints like
>>         >>>>>>>>>>>>>>>>>> checking the client_id and redirect_uri
>>         (assuming the
>>         >> user will be
>>         >>>>>>>>>>>>>>>>>> redirected back after the action
>>         completes). But still,
>>         >> we could also add
>>         >>>>>>>>>>>>>>>>>> some level authorization.
>>         >>>>>>>>>>>>>>>>>>
>>         >>>>>>>>>>>>>>>>> authorization code constraints doesn't work
>>         as anyone can
>>         >>>>>>>>>>>>>>>>> just use the client_id and redirect_uri
>>         from a different
>>         >> client.
>>         >>>>>>>>>>>>>>>> I may be missing the whole flow. I would ask
>>         then what
>>         >> happens
>>         >>>>>>>>>>>>>>>> after the user performs an action. Is he/her
>>         redirected
>>         >> back to the client
>>         >>>>>>>>>>>>>>>> ? If so, client_id + redirect_uri do work to
>>         make sure that
>>         >> the client is
>>         >>>>>>>>>>>>>>>> known and that the user will be redirected
>>         back to a valid
>>         >> URI.
>>         >>>>>>>>>>>>>>> It's just a standard OAuth flow, so app would
>>         get new tokens.
>>         >>>>>>>>>>>>>>> Say the user hasn't entered a DOB in the
>>         profile and the
>>         >> client wants that,
>>         >>>>>>>>>>>>>>> then they can request the user to enter a
>>         DOB, which would
>>         >> then result in
>>         >>>>>>>>>>>>>>> the DOB being available in the token.
>>         >>>>>>>>>>>>>>>
>>         >>>>>>>>>>>>>> This flow seems very closely related with the
>>         Claims Gathering
>>         >>>>>>>>>>>>>> Flow from UMA specs. We could probably review
>>         what is there
>>         >> and see if it
>>         >>>>>>>>>>>>>> can help to solve this problem of app
>>         initiated actions.
>>         >>>>>>>>>>>>>>
>>         >>>>>>>>>>>>> Go for it ;)
>>         >>>>>>>>>>>>>
>>         >>>>>>>>>>>>>
>>         >>>>>>>>>>>>>>>>> Only viable option I can think of is to add
>>         an endpoint
>>         >> where
>>         >>>>>>>>>>>>>>>>> the application can request a token to
>>         initate an action.
>>         >> So flow would be:
>>         >>>>>>>>>>>>>>>>> 1. App sends POST { action: <action-id> }
>>         with ID Token as
>>         >>>>>>>>>>>>>>>>> bearer token in header to a new endpoint.
>>         This would
>>         >> return a single use
>>         >>>>>>>>>>>>>>>>> token.
>>         >>>>>>>>>>>>>>>>> 2. App can now do the redirect protocol as
>>         before, but
>>         >>>>>>>>>>>>>>>>> instead of "?action=<action>" they would do
>>         >> "?action-token=<action token>"
>>         >>>>>>>>>>>>>>>>> In the JS adapter we can add a
>>         action(actionId) function
>>         >> that
>>         >>>>>>>>>>>>>>>>> would get the action token before
>>         redirecting the user.
>>         >>>>>>>>>>>>>>>>>
>>         >>>>>>>>>>>>>>>>> Not sure what you mean about level
>>         authorization.
>>         >>>>>>>>>>>>>>>>>
>>         >>>>>>>>>>>>>>>>>
>>         >>>>>>>>>>>>>>>>>> On Wed, Mar 6, 2019 at 10:25 AM Stian
>>         Thorgersen <
>>         >>>>>>>>>>>>>>>>>> sthorger at redhat.com
>>         <mailto:sthorger at redhat.com>> wrote:
>>         >>>>>>>>>>>>>>>>>>
>>         >>>>>>>>>>>>>>>>>>> The issue is more around how to
>>         authenticate clients and
>>         >>>>>>>>>>>>>>>>>>> also the fact that clients wanting to
>>         initiate actions
>>         >> may be public
>>         >>>>>>>>>>>>>>>>>>> clients. We also don't want to invent a
>>         new protocol for
>>         >> this, but rather
>>         >>>>>>>>>>>>>>>>>>> just rely on the OIDC flows.
>>         >>>>>>>>>>>>>>>>>>>
>>         >>>>>>>>>>>>>>>>>>> So with those constraints how would you
>>         authenticate the
>>         >>>>>>>>>>>>>>>>>>> client?
>>         >>>>>>>>>>>>>>>>>>>
>>         >>>>>>>>>>>>>>>>>>> On Wed, 6 Mar 2019 at 14:23, Pedro Igor
>>         Silva <
>>         >>>>>>>>>>>>>>>>>>> psilva at redhat.com
>>         <mailto:psilva at redhat.com>> wrote:
>>         >>>>>>>>>>>>>>>>>>>
>>         >>>>>>>>>>>>>>>>>>>> IMO, we should have some level of
>>         authorization for
>>         >>>>>>>>>>>>>>>>>>>> clients initiating an action. This could
>>         be as simple
>>         >> as leveraging authz
>>         >>>>>>>>>>>>>>>>>>>> in order to define white/black lists of
>>         clients.
>>         >> Similar to what a KC
>>         >>>>>>>>>>>>>>>>>>>> extension does in regards to authentication.
>>         >>>>>>>>>>>>>>>>>>>>
>>         >>>>>>>>>>>>>>>>>>>> On Tue, Mar 5, 2019 at 3:15 PM Stian
>>         Thorgersen <
>>         >>>>>>>>>>>>>>>>>>>> sthorger at redhat.com
>>         <mailto:sthorger at redhat.com>> wrote:
>>         >>>>>>>>>>>>>>>>>>>>
>>         >>>>>>>>>>>>>>>>>>>>> Was hoping for some more feedback from
>>         the list on this
>>         >>>>>>>>>>>>>>>>>>>>> one.
>>         >>>>>>>>>>>>>>>>>>>>>
>>         >>>>>>>>>>>>>>>>>>>>> Especially around not having any
>>         authentication of the
>>         >>>>>>>>>>>>>>>>>>>>> clients wanting to
>>         >>>>>>>>>>>>>>>>>>>>> initiate an action. I feel reasonable
>>         comfortable about
>>         >>>>>>>>>>>>>>>>>>>>> not securing it and
>>         >>>>>>>>>>>>>>>>>>>>> requiring actions to prompt the user
>>         before doing
>>         >>>>>>>>>>>>>>>>>>>>> anything, but welcome
>>         >>>>>>>>>>>>>>>>>>>>> others opinion on it.
>>         >>>>>>>>>>>>>>>>>>>>>
>>         >>>>>>>>>>>>>>>>>>>>> On Thu, 28 Feb 2019 at 11:07, Peter
>>         Skopek <
>>         >>>>>>>>>>>>>>>>>>>>> pskopek at redhat.com
>>         <mailto:pskopek at redhat.com>> wrote:
>>         >>>>>>>>>>>>>>>>>>>>>
>>         >>>>>>>>>>>>>>>>>>>>>> Since there is no "silent" application
>>         initiated
>>         >> action
>>         >>>>>>>>>>>>>>>>>>>>> (always
>>         >>>>>>>>>>>>>>>>>>>>>> prompts user) possible and actions are
>>         predefined at
>>         >>>>>>>>>>>>>>>>>>>>> keycloak I see no
>>         >>>>>>>>>>>>>>>>>>>>>> need for the client/application
>>         restriction mechanism.
>>         >>>>>>>>>>>>>>>>>>>>>>
>>         >>>>>>>>>>>>>>>>>>>>>> On Wed, Feb 27, 2019 at 4:23 PM Stian
>>         Thorgersen <
>>         >>>>>>>>>>>>>>>>>>>>> sthorger at redhat.com
>>         <mailto:sthorger at redhat.com>>
>>         >>>>>>>>>>>>>>>>>>>>>> wrote:
>>         >>>>>>>>>>>>>>>>>>>>>>> Keycloak currently has required
>>         actions that are used
>>         >>>>>>>>>>>>>>>>>>>>> to prompt the user
>>         >>>>>>>>>>>>>>>>>>>>>> to
>>         >>>>>>>>>>>>>>>>>>>>>>> perform an action associated with
>>         their account after
>>         >>>>>>>>>>>>>>>>>>>>> authenticating, but
>>         >>>>>>>>>>>>>>>>>>>>>>> prior to being redirected to the
>>         application.
>>         >>>>>>>>>>>>>>>>>>>>>>>
>>         >>>>>>>>>>>>>>>>>>>>>>> Examples include: configure OTP,
>>         update profile,
>>         >>>>>>>>>>>>>>>>>>>>> validate email, etc.
>>         >>>>>>>>>>>>>>>>>>>>>>> One issue here is these actions have
>>         to be manually
>>         >>>>>>>>>>>>>>>>>>>>> registered with the
>>         >>>>>>>>>>>>>>>>>>>>>>> users account, but can not be
>>         initiated by
>>         >>>>>>>>>>>>>>>>>>>>> applications themselves. As an
>>         >>>>>>>>>>>>>>>>>>>>>>> example it may not be required by all
>>         users to verify
>>         >>>>>>>>>>>>>>>>>>>>> their email, but
>>         >>>>>>>>>>>>>>>>>>>>>> only
>>         >>>>>>>>>>>>>>>>>>>>>>> when they use specific applications.
>>         >>>>>>>>>>>>>>>>>>>>>>>
>>         >>>>>>>>>>>>>>>>>>>>>>> Keycloak also needs to initiate
>>         actions from the
>>         >>>>>>>>>>>>>>>>>>>>> account management
>>         >>>>>>>>>>>>>>>>>>>>>>> console. Examples: updating email
>>         address should
>>         >>>>>>>>>>>>>>>>>>>>> require verifying the
>>         >>>>>>>>>>>>>>>>>>>>>>> email, configuring OTP, etc.
>>         >>>>>>>>>>>>>>>>>>>>>>>
>>         >>>>>>>>>>>>>>>>>>>>>>> With that in mind we are proposing to
>>         introduce
>>         >>>>>>>>>>>>>>>>>>>>> Application Initiated
>>         >>>>>>>>>>>>>>>>>>>>>>> Actions. An Application Initiated
>>         Action behind the
>>         >>>>>>>>>>>>>>>>>>>>> scenes is just a
>>         >>>>>>>>>>>>>>>>>>>>>>> Required Action, but it is initiated
>>         by an
>>         >>>>>>>>>>>>>>>>>>>>> application and depending on
>>         >>>>>>>>>>>>>>>>>>>>>> the
>>         >>>>>>>>>>>>>>>>>>>>>>> action may be optional for the user
>>         to complete
>>         >>>>>>>>>>>>>>>>>>>>> (where the user can
>>         >>>>>>>>>>>>>>>>>>>>>> select
>>         >>>>>>>>>>>>>>>>>>>>>>> cancel which would return the user
>>         back to the
>>         >>>>>>>>>>>>>>>>>>>>> application).
>>         >>>>>>>>>>>>>>>>>>>>>>> No Application Initiated Actions
>>         should perform any
>>         >>>>>>>>>>>>>>>>>>>>> updates to the users
>>         >>>>>>>>>>>>>>>>>>>>>>> account without prompting the user
>>         first. For example
>>         >>>>>>>>>>>>>>>>>>>>> an application
>>         >>>>>>>>>>>>>>>>>>>>>>> initiated action that is used to link
>>         an existing
>>         >>>>>>>>>>>>>>>>>>>>> account to a social
>>         >>>>>>>>>>>>>>>>>>>>>>> provider should ask the user first if
>>         they want to
>>         >>>>>>>>>>>>>>>>>>>>> link to the provider.
>>         >>>>>>>>>>>>>>>>>>>>>>> To make it easy for applications to
>>         integrate these I
>>         >>>>>>>>>>>>>>>>>>>>> would like to
>>         >>>>>>>>>>>>>>>>>>>>>>> leverage the standard OAuth flows
>>         that applications
>>         >>>>>>>>>>>>>>>>>>>>> use to authenticate
>>         >>>>>>>>>>>>>>>>>>>>>>> users. So to initiate verify-email
>>         action the
>>         >>>>>>>>>>>>>>>>>>>>> application would redirect
>>         >>>>>>>>>>>>>>>>>>>>>> to
>>         >>>>>>>>>>>>>>>>>>>>>>> the authentication endpoint and add
>>         kc_action=<action
>>         >>>>>>>>>>>>>>>>>>>>> alias> query
>>         >>>>>>>>>>>>>>>>>>>>>>> parameter.
>>         >>>>>>>>>>>>>>>>>>>>>>>
>>         >>>>>>>>>>>>>>>>>>>>>>> One open question I have right now
>>         is. Assuming all
>>         >>>>>>>>>>>>>>>>>>>>> Application Initiated
>>         >>>>>>>>>>>>>>>>>>>>>>> Actions always prompt the user first
>>         do we need to
>>         >>>>>>>>>>>>>>>>>>>>> add some mechanism in
>>         >>>>>>>>>>>>>>>>>>>>>>> place to restrict what
>>         clients/applications are
>>         >>>>>>>>>>>>>>>>>>>>> permitted to initiate an
>>         >>>>>>>>>>>>>>>>>>>>>>> action? Requiring that would make it
>>         harder to use
>>         >>>>>>>>>>>>>>>>>>>>> for applications.
>>         >>>>>>>>>>>>>>>>>>>>>>> One thing I would also like to add is
>>         the ability for
>>         >>>>>>>>>>>>>>>>>>>>> an Application
>>         >>>>>>>>>>>>>>>>>>>>>>> Initiated Action to require the user to
>>         >>>>>>>>>>>>>>>>>>>>> re-authenticate prior to
>>         >>>>>>>>>>>>>>>>>>>>>> performing
>>         >>>>>>>>>>>>>>>>>>>>>>> the action. For example update
>>         password should
>>         >>>>>>>>>>>>>>>>>>>>> require the user to enter
>>         >>>>>>>>>>>>>>>>>>>>>>> the current password, while verify
>>         email should not
>>         >>>>>>>>>>>>>>>>>>>>> (as it simply sends
>>         >>>>>>>>>>>>>>>>>>>>>> an
>>         >>>>>>>>>>>>>>>>>>>>>>> email with a link to continue).
>>         >>>>>>>>>>>>>>>>>>>>>>>
>>         _______________________________________________
>>         >>>>>>>>>>>>>>>>>>>>>>> keycloak-dev mailing list
>>         >>>>>>>>>>>>>>>>>>>>>>> keycloak-dev at lists.jboss.org
>>         <mailto:keycloak-dev at lists.jboss.org>
>>         >>>>>>>>>>>>>>>>>>>>>>>
>>         >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>         >>>>>>>>>>>>>>>>>>>>>
>>         _______________________________________________
>>         >>>>>>>>>>>>>>>>>>>>> keycloak-dev mailing list
>>         >>>>>>>>>>>>>>>>>>>>> keycloak-dev at lists.jboss.org
>>         <mailto:keycloak-dev at lists.jboss.org>
>>         >>>>>>>>>>>>>>>>>>>>>
>>         https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>         >>>>>>>>>>>>>>>>>>>>>
>>         >>> _______________________________________________
>>         >>> keycloak-dev mailing list
>>         >>> keycloak-dev at lists.jboss.org
>>         <mailto:keycloak-dev at lists.jboss.org>
>>         >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>         >>
>>         >> _______________________________________________
>>         >> keycloak-dev mailing list
>>         >> keycloak-dev at lists.jboss.org
>>         <mailto:keycloak-dev at lists.jboss.org>
>>         >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>         > _______________________________________________
>>         > keycloak-dev mailing list
>>         > keycloak-dev at lists.jboss.org
>>         <mailto:keycloak-dev at lists.jboss.org>
>>         > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>>
>>         _______________________________________________
>>         keycloak-dev mailing list
>>         keycloak-dev at lists.jboss.org
>>         <mailto:keycloak-dev at lists.jboss.org>
>>         https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>



More information about the keycloak-dev mailing list