[keycloak-user] How to implement long user sso sessions with reauthentication for important actions?

Stian Thorgersen sthorger at redhat.com
Thu Nov 12 08:50:45 EST 2015


On 12 November 2015 at 14:49, Vlastimil Elias <velias at redhat.com> wrote:

> Thanks for quick reply Stian.
>
> I'm going to create JIRAs for all these things. I can volunteer to
> implement some parts of this.
>
> For the last one, it should be probably cool to have "reauthenticate
> timeout" setting available in client section for every client (not only
> internal admin console and account management). It should allow simple
> implementation of "long user sso session" scheme even in environments where
> some clients can't be updated to set max_age on protocol level.
>

Yep, that makes sense


>
> Vl.
>
>
> On 12.11.2015 14:39, Stian Thorgersen wrote:
>
>
>
> On 12 November 2015 at 14:15, Vlastimil Elias <velias at redhat.com> wrote:
>
>> Hi,
>>
>> I'd like to use the long session authentication mechanism known from many
>> sites like Google, Facebook, LinkedIn, etc.
>> It is about really long user SSO sessions (e.g. weeks or even months)
>> with reauthentication for important actions when the last authentication
>> timestamp is older than some limit.
>>
>> Is this somehow possible with current Keycloak server and Keycloak
>> adapters?
>>
>> I see few subquestions in this problem for our use:
>>
>> *****
>> The OpenID Connect protocol defines a few auth request parameters to support
>> this use case, mainly max_age or prompt=login. Are they correctly
>> implemented in Keycloak server?
>>
>
> We don't have support for max_age and we only support prompt=none so these
> would have to be added
>
>
>>
>>
>> *****
>> Wildfly/EAP adapter - is it possible and is there some example how to
>> use "reauth if auth is older than 30min" action in Java app secured by
>> this adapter? Or is info about last auth timestamp somehow available in
>> the app?
>>
>
> We don't set auth_time claim ATM so answer is no
>
>
>>
>>
>> *****
>> Keycloak user account application itself - it is part of the Keycloak
>> server, but it contains sensitive actions which typically require
>> reauthentication in this long session scheme (password change, email
>> change, ...). Is it somehow possible to configure Keycloak to force
>> timeout reauth for this app?
>>
>
> Not at the moment - but if we add what you want it would also make sense
> to add that. Would need to be configurable through the admin console. Would
> also be nice to have the same for the admin console itself.
>
>
>>
>> Thanks in advance
>>
>> Vl.
>>
>> --
>> Vlastimil Elias
>> Principal Software Engineer
>> Developer Portal Engineering Team
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
> --
> Vlastimil Elias
> Principal Software Engineer
> Developer Portal Engineering Team
>
>
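The relying-party side of the scheme discussed in this thread, as an added example that is not part of the original posts and not Keycloak adapter code: given the claims of an already signature-verified ID token, decide from the `auth_time` claim whether the user authenticated recently enough for a sensitive action, and if not, build the OIDC authorization request that forces fresh authentication via `max_age` and `prompt=login`. It assumes the identity provider does set `auth_time` (the thread notes Keycloak did not at the time); the token payloads, endpoint URL and client identifiers are constructed for illustration.

```python
"""Step-up check for a long-SSO-session app: is the last authentication
recent enough for a sensitive action, and if not, how to ask the IdP for
a fresh one. Example code, not from the thread or from Keycloak."""
import time
from typing import Optional
from urllib.parse import urlencode

# "reauth if auth is older than 30min", as asked in the thread
MAX_AGE_SECONDS = 30 * 60
CLOCK_SKEW_SECONDS = 60


def needs_reauth(claims: dict, max_age: int = MAX_AGE_SECONDS,
                 now: Optional[float] = None) -> bool:
    """Return True if the user must re-authenticate before a sensitive action.

    Fails closed: a token without a numeric auth_time cannot prove recent
    authentication, so it is treated as stale. (OIDC Core 3.1.2.1 requires
    auth_time in the ID token whenever max_age was requested.)
    """
    now = time.time() if now is None else now
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, (int, float)) or isinstance(auth_time, bool):
        return True
    # An auth_time in the future beyond tolerated skew is not trustworthy.
    if auth_time > now + CLOCK_SKEW_SECONDS:
        return True
    return (now - auth_time) > max_age


def build_reauth_request(auth_endpoint: str, client_id: str, redirect_uri: str,
                         state: str, nonce: str, max_age: int = MAX_AGE_SECONDS,
                         force_login: bool = False) -> str:
    """Build the authorization request URL for a fresh login.

    max_age tells the IdP the maximum acceptable authentication age; adding
    prompt=login additionally forces an interactive login even if the IdP's
    view of the session is younger than max_age.
    """
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,   # constructed; bind to the browser session in a real app
        "nonce": nonce,   # constructed; bind to the browser session in a real app
        "max_age": str(max_age),
    }
    if force_login:
        params["prompt"] = "login"
    return f"{auth_endpoint}?{urlencode(params)}"


def verify_reauth_response(claims: dict, max_age: int, now: float,
                           expected_nonce: str) -> bool:
    """After the round trip, confirm the new ID token reflects a fresh login
    tied to our request: nonce must match and auth_time must be recent.
    Signature/issuer/audience checks are assumed to have already passed."""
    if claims.get("nonce") != expected_nonce:
        return False
    return not needs_reauth(claims, max_age, now)


if __name__ == "__main__":
    NOW = 1_447_340_000  # constructed fixed clock so the run is reproducible
    stale = {"sub": "alice", "auth_time": NOW - 2 * 3600}  # constructed token
    if needs_reauth(stale, MAX_AGE_SECONDS, NOW):
        print(build_reauth_request("https://idp.example/auth", "portal",
                                   "https://app.example/cb", "st-1", "n-1",
                                   force_login=True))
```

The decision and the request-building are kept as separate functions so the same `needs_reauth` check can gate each sensitive action (password change, email change) while the redirect is only issued when the check fails; after the redirect the app must re-run the check on the new token rather than trust that the IdP honoured `max_age`.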