[keycloak-user] How to implement long user sso sessions with reauthentication for important actions?

Vlastimil Elias velias at redhat.com
Thu Nov 12 08:15:57 EST 2015


Hi,

I'd like to use the long session authentication mechanism known from many
sites like Google, Facebook, LinkedIn etc.
It is about really long user SSO sessions (e.g. weeks or even months)
with reauthentication for important actions when the last authentication
timestamp is older than some limit.

Is this somehow possible with current Keycloak server and Keycloak adapters?

I see few subquestions in this problem for our use:

*****
The OpenID Connect protocol defines a few auth request parameters to support
this use case, mainly max_age or prompt=login. Are they correctly
implemented in the Keycloak server?


*****
Wildfly/EAP adapter - is it possible, and is there some example of how to
use a "reauth if auth is older than 30 min" action in a Java app secured by
this adapter? Or is info about the last auth timestamp somehow available in
the app?


*****
Keycloak user account application itself - it is part of the Keycloak
server, but it contains sensitive actions which typically require
reauthentication in this long session scheme (password change, email
change, ...). Is it somehow possible to configure Keycloak to force
timeout reauth for this app?

Thanks in advance

Vl.

-- 
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team

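The relying-party side of the scheme the question describes, as an added example that is not part of the original post and not Keycloak or adapter code: read auth_time from the ID token, decide whether the last interactive login is too old for a sensitive action, and if so build the authorization request with max_age (and optionally prompt=login) that asks the OP to re-authenticate. The endpoint URL, client_id, redirect_uri and the 30 minute limit are placeholders; the token is constructed and unsigned, and signature verification is assumed to have been done by the adapter before any claim is trusted.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Hypothetical policy: a sensitive action needs an interactive login < 30 min old.
SENSITIVE_MAX_AGE_SECONDS = 30 * 60


def make_unsigned_token(claims):
    """Constructed test input only: a JWT-shaped string with an empty signature.
    A real ID token carries the OP's signature, which the adapter must verify."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return b64({"alg": "none", "typ": "JWT"}) + "." + b64(claims) + "."


def decode_claims(token):
    """Read the JWT payload. Does NOT verify the signature (assumed done upstream)."""
    payload_b64 = token.split(".")[1]
    padded = payload_b64 + "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def needs_reauth(claims, max_age_seconds, now=None):
    """True if the user must log in again before a sensitive action.

    auth_time is the OIDC claim for the last interactive authentication; it is
    distinct from iat, which a token refresh renews without any user interaction.
    A missing or malformed auth_time fails closed: recency cannot be proven.
    """
    now = time.time() if now is None else now
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, (int, float)):
        return True
    return (now - auth_time) > max_age_seconds


def reauth_request_params(client_id, redirect_uri, state, nonce,
                          max_age_seconds, force_login=False):
    """Parameters of an authorization request that asks the OP to re-authenticate.

    max_age states the maximum acceptable age of the last authentication; an OP
    honouring it re-authenticates when its own record is older and must then
    include auth_time in the ID token. prompt=login forces an interactive login
    regardless of age, which is the stricter option.
    """
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "max_age": str(max_age_seconds),
    }
    if force_login:
        params["prompt"] = "login"
    return params


def build_reauth_url(authorize_endpoint, **kwargs):
    return authorize_endpoint + "?" + urlencode(reauth_request_params(**kwargs))


def fresh_login_after_return(claims, now, max_age_seconds, nonce):
    """Verify the ID token received after the re-auth round trip.

    The RP re-checks auth_time itself rather than trusting that the OP honoured
    max_age, and binds the response to the nonce it sent.
    """
    if claims.get("nonce") != nonce:
        return False
    if "auth_time" not in claims:
        return False  # OIDC Core requires auth_time when max_age was requested
    return not needs_reauth(claims, max_age_seconds, now)


if __name__ == "__main__":
    now = 1447300000  # fixed clock so the run is reproducible
    # Constructed token: refreshed a minute ago, but last interactive login 3 h ago.
    token = make_unsigned_token({"sub": "u1", "iat": now - 60,
                                 "auth_time": now - 3 * 3600, "nonce": "n0"})
    claims = decode_claims(token)
    if needs_reauth(claims, SENSITIVE_MAX_AGE_SECONDS, now):
        # Placeholder Keycloak-style endpoint; realm and client are made up.
        url = build_reauth_url(
            "https://sso.example.test/auth/realms/demo/protocol/openid-connect/auth",
            client_id="portal", redirect_uri="https://portal.example.test/cb",
            state="s1", nonce="n1", max_age_seconds=SENSITIVE_MAX_AGE_SECONDS,
            force_login=True)
        print("redirect to:", url)
```

The decision is deliberately made from auth_time and not from iat or from the session's existence: a long SSO session keeps refreshing tokens without the user typing a password, so only auth_time says when that last happened.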