[keycloak-dev] Silent Re-authentication using ID Token

Stian Thorgersen sthorger at redhat.com
Tue Oct 29 11:06:12 EDT 2019


[Adding what we discussed]

Authorization code flow should not be used as a backchannel API, but rather
only as a redirect-based API through the user-agent. That is pretty obvious
from the fact that all responses return a Location header. That means that
the cookie should always be there as the user is authenticated.

id_token_hint should never be used to re-authenticate, but rather only as a
hint on the identity of the user as well as the session. If the id_token
could be used to actually authenticate the user it would effectively become
a user credential and giving a client full access to the user account, with
the ability to obtain tokens for any client.

prompt=none with id_token_hint can be used as a way to identify if the
expected user is still authenticated, but only through a redirect (either
directly or with a hidden iframe), not as a backchannel mechanism.

On Fri, 25 Oct 2019 at 18:25, Pedro Igor Silva <psilva at redhat.com> wrote:

> Hi,
>
> I would like to confirm that we don't support the `id_token_hint`
> authorization request parameter.
>
> When in conjunction with `prompt=none` it is useful to re-authenticate as
> well as check whether or not the session associated with the token is
> active through a non-authenticated request (e.g.: no cookies set by the
> OP).
>
> The use case I'm trying to solve is based on the assumption that you only
> have/keep the ID Token, you don't want a front/back channel for logout
> (e.g.: app is stateless), you need to check whether or not session is
> active, and the check is done through a backchannel communication between
> the application and the OP.
>
> Spec-wise, using either user-info or introspection endpoint is not possible
> if you only have the ID Token (although some implementations like Google
> provide an addition `id_token_hint` to the introspection endpoint) given
> that you should use the access token as a bearer.
>
> Wdyt ?
>
> Regards.
> Pedro Igor
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>


More information about the keycloak-dev mailing list