[keycloak-user] How to implement long user sso sessions with reauthentication for important actions?

Vlastimil Elias velias at redhat.com
Thu Nov 12 08:49:18 EST 2015


Thanks for quick reply Stian.

I'm going to create JIRAs for all these things. I can volunteer to
implement some parts of this.

For the last one, it would probably be cool to have a "reauthenticate
timeout" setting available in the client section for every client (not only
the internal admin console and account management). It should allow a simple
implementation of the "long user SSO session" scheme even in environments
where some clients can't be updated to set max_age at the protocol level.

Vl.

On 12.11.2015 14:39, Stian Thorgersen wrote:
>
>
> On 12 November 2015 at 14:15, Vlastimil Elias <velias at redhat.com
> <mailto:velias at redhat.com>> wrote:
>
>     Hi,
>
>     I'd like to use the long session authentication mechanism known from many
>     sites like Google, Facebook, LinkedIn etc.
>     It is about really long user SSO sessions (e.g. weeks or even months)
>     with reauthentication for important actions when the last authentication
>     timestamp is older than some limit.
>
>     Is this somehow possible with current Keycloak server and Keycloak
>     adapters?
>
>     I see few subquestions in this problem for our use:
>
>     *****
>     The OpenID Connect protocol defines a few auth request parameters to
>     support
>     this use case, mainly max_age or prompt=login. Are they correctly
>     implemented in the Keycloak server?
>
>
> We don't have support for max_age, and we only support prompt=none, so
> these would have to be added.
>  
>
>
>
>     *****
>     Wildfly/EAP adapter - is it possible, and is there some example of how to
>     use a "reauth if auth is older than 30min" action in a Java app secured by
>     this adapter? Or is info about the last auth timestamp somehow
>     available in
>     the app?
>
>
> We don't set the auth_time claim ATM, so the answer is no.
>  
>
>
>
>     *****
>     Keycloak user account application itself - it is part of the Keycloak
>     server, but it contains sensitive actions which typically require
>     reauthentication in this long session scheme (password change, email
>     change, ...). Is it somehow possible to configure Keycloak to force
>     timeout reauth for this app?
>
>
> Not at the moment - but if we add what you want, it would also make
> sense to add that. It would need to be configurable through the admin
> console. It would also be nice to have the same for the admin console itself.
>  
>
>
>     Thanks in advance
>
>     Vl.
>
>     --
>     Vlastimil Elias
>     Principal Software Engineer
>     Developer Portal Engineering Team
>
>
>
>     _______________________________________________
>     keycloak-user mailing list
>     keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

-- 
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team
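The scheme discussed in this thread (a long SSO session plus step-up reauthentication for sensitive actions) is what the OpenID Connect Core parameters max_age, prompt=login and the auth_time claim exist for. The example below is added here and is not code from this thread, from Keycloak or from its adapters; it shows a relying party's side of that scheme in plain Python: check the auth_time claim of an already verified ID token against a freshness limit, fail closed when the claim is missing, and build the authorization request that sends the user back to the OpenID Provider for fresh authentication. The endpoint, client_id, redirect_uri and the token claims are constructed sample values; signature verification of the ID token is assumed to have happened before these functions are called.

```python
"""Step-up reauthentication for an OpenID Connect relying party.

Constructed example (not Keycloak or adapter code). Assumes the ID token's
signature has already been verified and its claims decoded into a dict.
"""
import secrets
import time
from urllib.parse import urlencode

# Constructed sample data: a fixed "now" and two decoded ID-token claim sets.
NOW = 1447340000
FRESH_CLAIMS = {
    "iss": "https://keycloak.example/auth/realms/demo",   # assumed issuer
    "sub": "f1a2b3c4",
    "auth_time": NOW - 600,      # user logged in 10 minutes ago
    "iat": NOW - 5,
    "exp": NOW + 300,
}
STALE_CLAIMS = dict(FRESH_CLAIMS, auth_time=NOW - 5 * 3600)  # 5 hours ago


def needs_reauth(claims, max_age_seconds, now=None):
    """True when the user must authenticate again before a sensitive action.

    OIDC Core: auth_time is the time of the end-user's authentication, and when
    max_age was requested the OP MUST include it in the ID token. A missing or
    malformed auth_time is treated as "too old" (fail closed), as is a value
    in the future beyond a small clock-skew allowance.
    """
    now = time.time() if now is None else now
    auth_time = claims.get("auth_time")
    if isinstance(auth_time, bool) or not isinstance(auth_time, (int, float)):
        return True
    if auth_time > now + 60:          # 60 s skew allowance; do not trust beyond it
        return True
    return now - auth_time > max_age_seconds


def build_reauth_url(authorization_endpoint, client_id, redirect_uri,
                     max_age_seconds=None, force_login=False,
                     state=None, nonce=None):
    """Build the authorization request that asks the OP for a fresh login.

    max_age=N tells the OP to re-authenticate if the last login is older than
    N seconds; prompt=login asks for re-authentication unconditionally. In
    both cases the OP is then required to return auth_time in the ID token.
    Returns (url, state, nonce) so the caller can bind them to the session
    and check them on the callback.
    """
    state = state or secrets.token_urlsafe(16)
    nonce = nonce or secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
    }
    if max_age_seconds is not None:
        params["max_age"] = str(int(max_age_seconds))
    if force_login:
        params["prompt"] = "login"
    return f"{authorization_endpoint}?{urlencode(params)}", state, nonce


def gate_sensitive_action(claims, max_age_seconds, authorization_endpoint,
                          client_id, redirect_uri, now=None):
    """Return ("allow", None) or ("redirect", url) for a sensitive action.

    The caller keeps the long SSO session either way; only the sensitive
    action (password change, email change, ...) is gated on freshness.
    """
    if needs_reauth(claims, max_age_seconds, now):
        url, _state, _nonce = build_reauth_url(
            authorization_endpoint, client_id, redirect_uri,
            max_age_seconds=max_age_seconds)
        return ("redirect", url)
    return ("allow", None)


if __name__ == "__main__":
    # Assumed values for the demo run.
    endpoint = "https://keycloak.example/auth/realms/demo/protocol/openid-connect/auth"
    for label, claims in (("fresh", FRESH_CLAIMS), ("stale", STALE_CLAIMS)):
        print(label, gate_sensitive_action(claims, 1800, endpoint,
                                           "account", "https://app.example/cb",
                                           now=NOW))
```

Two points worth keeping in mind when wiring this up: the fail-closed branch in needs_reauth means that against an OP which never emits auth_time (which, per Stian's reply above, was Keycloak's state at the time of this thread) every gated action would redirect, so the server-side support has to land first; and state and nonce returned by build_reauth_url must be stored in the session and compared on the callback, otherwise the step-up round trip can be replayed or spoofed.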
