[keycloak-dev] Silent Re-authentication using ID Token

Pedro Igor Silva psilva at redhat.com
Fri Oct 25 12:22:32 EDT 2019


Hi,

I would like to confirm that we don't support the `id_token_hint`
authorization request parameter.

When used in conjunction with `prompt=none` it is useful to re-authenticate as
well as check whether or not the session associated with the token is
active through a non-authenticated request (e.g.: no cookies set by the OP).

The use case I'm trying to solve is based on the assumption that you only
have/keep the ID Token, you don't want a front/back channel for logout
(e.g.: app is stateless), you need to check whether or not session is
active, and the check is done through a backchannel communication between
the application and the OP.

Spec-wise, using either the user-info or introspection endpoint is not possible
if you only have the ID Token (although some implementations like Google
provide an additional `id_token_hint` to the introspection endpoint) given
that you should use the access token as a bearer.

WDYT?

Regards.
Pedro Igor
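The exchange described above, as an added example that is not part of the original post and not Keycloak code: the relying party holds only an ID Token, sends an authorization request with `prompt=none` and `id_token_hint`, and classifies the redirect it gets back. The OpenID Provider side is a simulation written for this example; its issuer, endpoint path, client id, redirect URI, HS256 signing key and in-memory session table are all constructed assumptions. Real OPs sign with asymmetric keys and keep session state elsewhere, but the decision logic (no UI under `prompt=none`, liveness decided by the OP's own session store rather than the token's `exp`, `login_required` when the user named by the hint has no live session, an unbound or tampered hint rejected) is the part worth seeing.

```python
"""Silent re-authentication with prompt=none + id_token_hint (OIDC Core 3.1.2.1).
Both sides are modelled so it runs offline. The OP is a simulation, not Keycloak;
the key, issuer, client and session table are constructed for the example."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

OP_SIGNING_KEY = b"example-only-hmac-key"        # constructed; real OPs use RS256/ES256
OP_ISSUER = "https://op.example.com/realms/demo"  # constructed
AUTHZ_ENDPOINT = OP_ISSUER + "/protocol/openid-connect/auth"
CLIENT_ID = "stateless-app"                       # constructed
REDIRECT_URI = "https://app.example.com/cb"       # constructed
ACTIVE_SESSIONS = {"sess-123": "alice"}           # constructed OP session store: sid -> sub

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_id_token(claims: dict) -> str:
    """Toy HS256 JWT so the example is self-contained (not how Keycloak signs)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(OP_SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_id_token(token: str) -> dict:
    """Signature check only; whether the session is alive is the OP store's job."""
    header, body, sig = token.split(".")
    expected = hmac.new(OP_SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))

def sample_id_token(sid: str, sub: str = "alice") -> str:
    now = int(time.time())
    return mint_id_token({"iss": OP_ISSUER, "aud": [CLIENT_ID], "sub": sub,
                          "sid": sid, "iat": now, "exp": now + 300})

def tamper_sub(token: str, new_sub: str) -> str:
    """Rewrite sub without re-signing: what a holder of the token could try."""
    header, body, sig = token.split(".")
    claims = json.loads(b64url_decode(body))
    claims["sub"] = new_sub
    return f"{header}.{b64url(json.dumps(claims).encode())}.{sig}"

# ---- relying party: holds only the ID Token ----
def build_silent_auth_request(id_token: str, state: str) -> str:
    """Authorization request that forbids any UI and names the user to re-check."""
    return AUTHZ_ENDPOINT + "?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid", "prompt": "none", "id_token_hint": id_token, "state": state})

def interpret_callback(callback_url: str, expected_state: str) -> str:
    """'active' if a code came back for our state, 'inactive' if the OP reports the
    session named by the hint is gone, 'error' for anything else."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    if q.get("state") != expected_state:
        return "error"  # not bound to our request; never accept the code
    if "code" in q:
        return "active"
    if q.get("error") in ("login_required", "interaction_required"):
        return "inactive"
    return "error"

# ---- simulated OpenID Provider ----
def op_handle_authz(request_url: str) -> str:
    """Under prompt=none the OP renders no UI: it issues a code for the user in
    id_token_hint or redirects back with an error (OIDC Core 3.1.2.6)."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(request_url).query).items()}
    state = q.get("state", "")

    def redirect(**params):
        return REDIRECT_URI + "?" + urlencode({**params, "state": state})

    if q.get("prompt") != "none" or "id_token_hint" not in q:
        return redirect(error="invalid_request")
    try:
        hint = verify_id_token(q["id_token_hint"])
    except ValueError:
        return redirect(error="invalid_request")
    aud = hint.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if hint.get("iss") != OP_ISSUER or CLIENT_ID not in aud:
        return redirect(error="invalid_request")
    # The hint is only a hint: liveness comes from the OP's own session store,
    # not from exp. Unknown session or different user -> login_required.
    if ACTIVE_SESSIONS.get(hint.get("sid")) != hint.get("sub"):
        return redirect(error="login_required")
    return redirect(code=secrets.token_urlsafe(16))

def check_session(id_token: str) -> str:
    """The round trip the post describes, driven by an RP that has only the ID Token."""
    state = secrets.token_urlsafe(16)
    return interpret_callback(op_handle_authz(build_silent_auth_request(id_token, state)), state)

if __name__ == "__main__":
    print(check_session(sample_id_token("sess-123")))                     # active
    print(check_session(sample_id_token("sess-999")))                     # inactive
    print(check_session(tamper_sub(sample_id_token("sess-123"), "bob")))  # error
```

Two practical caveats when doing this for real rather than in a simulation: the ID Token travels in the authorization request URL, so it lands in proxy and server logs and in `Referer` headers unless the request is made over a backchannel as the post proposes; and the OP must treat `id_token_hint` purely as a lookup key for its own session state, never as proof of liveness, since a signed token stays valid-looking until `exp` regardless of logout.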

