[keycloak-user] How to implement long user sso sessions with reauthentication for important actions?

Vlastimil Elias velias at redhat.com
Thu Nov 12 09:00:57 EST 2015


BTW even SAML2 protocol has ForceAuthn="true" attribute in the
AuthnRequest. Is it supported in Keycloak?

Vl.

On 12.11.2015 14:39, Stian Thorgersen wrote:
>
>
> On 12 November 2015 at 14:15, Vlastimil Elias <velias at redhat.com
> <mailto:velias at redhat.com>> wrote:
>
>     Hi,
>
>     I'd like to use the long session authentication mechanism known from many
>     sites like Google, Facebook, LinkedIn etc.
>     It is about really long user SSO sessions (e.g. weeks or even months)
>     with reauthentication for important actions when the last authentication
>     timestamp is older than some limit.
>
>     Is this somehow possible with current Keycloak server and Keycloak
>     adapters?
>
>     I see a few subquestions in this problem for our use:
>
>     *****
>     open-id connect protocol defines few auth request parameters to
>     support
>     this use case, mainly max_age or prompt=login. Are they correctly
>     implemented in Keycloak server?
>
>
> We don't have support for max_age and we only support prompt=none so
> these would have to be added
>  
>
>
>
>     *****
>     Wildfly/EAP adapter - is it possible and is there some example how to
>     use "reauth if auth is older than 30min" action in Java app secured by
>     this adapter? Or is info about last auth timestamp somehow
>     available in
>     the app?
>
>
> We don't set auth_time claim ATM so answer is no
>  
>
>
>
>     *****
>     Keycloak user account application itself - it is part of the Keycloak
>     server, but it contains sensitive actions which typically require
>     reauthentication in this long session scheme (password change, email
>     change, ...). Is it somehow possible to configure Keycloak to force
>     timeout reauth for this app?
>
>
> Not at the moment - but if we add what you want it would also make
> sense to add that. Would need to be configurable through the admin
> console. Would also be nice to have the same for the admin console itself.
>  
>
>
>     Thanks in advance
>
>     Vl.
>
>     --
>     Vlastimil Elias
>     Principal Software Engineer
>     Developer Portal Engineering Team
>
>
>
>     _______________________________________________
>     keycloak-user mailing list
>     keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

-- 
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team
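The two pieces of the scheme discussed in this thread, on the relying-party side, as an added example (it is not code from the thread, from Keycloak or from its adapters): deciding from the `auth_time` claim whether a sensitive action needs a fresh login, sending the OpenID Connect `max_age` / `prompt=login` request, and accepting the returned ID token only if it proves a recent authentication. OpenID Connect Core 1.0 (section 3.1.2.1) requires the ID token to carry `auth_time` whenever `max_age` was requested, so a token without it is treated as not fresh; that is also the safe default for the situation Stian describes, where the server does not set `auth_time` at all. The issuer, client id, redirect URI, nonce and timestamps are constructed sample values, and the claim dictionaries are assumed to come from an ID token whose signature has already been verified.

```python
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample: claims of an ID token the app holds for a long-lived
# SSO session. Hypothetical issuer/client names, not from the thread.
SAMPLE_CLAIMS = {
    "iss": "https://keycloak.example.org/auth/realms/demo",
    "sub": "user-1234",
    "aud": "portal-app",
    "auth_time": 1447318800,   # epoch seconds of the last interactive login (constructed)
    "nonce": "n-0S6_WzA2Mj",
}
# Constructed "current time", 10 minutes after SAMPLE_CLAIMS["auth_time"],
# so the demo is deterministic.
SAMPLE_NOW = 1447319400
CLOCK_SKEW_SECONDS = 60


def needs_reauth(claims, max_age_seconds, now=None):
    """True if the user must log in again before a sensitive action.

    A missing auth_time means the token cannot prove when the user last
    authenticated, so reauthentication is required in that case too."""
    now = int(time.time()) if now is None else now
    auth_time = claims.get("auth_time")
    if auth_time is None:
        return True
    return (now - int(auth_time)) > max_age_seconds


def build_reauth_request(authorization_endpoint, client_id, redirect_uri,
                         state, nonce, max_age_seconds, force_login=False):
    """Authorization Code request asking the OP for a fresh authentication.

    max_age lets the OP reuse a login younger than the limit; prompt=login
    additionally asks it to show the login page regardless of session age."""
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,        # CSRF binding of the round trip
        "nonce": nonce,        # bound to the ID token we expect back
        "max_age": str(max_age_seconds),
    }
    if force_login:
        params["prompt"] = "login"
    return authorization_endpoint + "?" + urlencode(params)


def request_params(url):
    """Parse the query string of an authorization request back into a dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def fresh_auth_accepted(claims, max_age_seconds, expected_nonce, now=None):
    """Accept the ID token returned after a max_age request only if it is
    bound to our nonce and its auth_time is present, plausible and recent.
    Assumes the token's signature, issuer, audience and expiry were checked
    before these claims were handed in."""
    now = int(time.time()) if now is None else now
    if claims.get("nonce") != expected_nonce:
        return False
    auth_time = claims.get("auth_time")
    if auth_time is None:
        return False                       # required by OIDC Core when max_age was sent
    auth_time = int(auth_time)
    if auth_time > now + CLOCK_SKEW_SECONDS:
        return False                       # authentication "in the future"
    return (now - auth_time) <= max_age_seconds


if __name__ == "__main__":
    limit = 30 * 60  # "reauth if auth is older than 30min"
    if needs_reauth(SAMPLE_CLAIMS, limit, now=SAMPLE_NOW):
        print("password change blocked: sending user to reauthenticate")
    else:
        print("password change allowed: login is recent enough")
    url = build_reauth_request(
        "https://keycloak.example.org/auth/realms/demo/protocol/openid-connect/auth",
        "portal-app", "https://portal.example.org/sso/callback",
        state="st-7f3a", nonce="n-9b1c", max_age_seconds=limit, force_login=True)
    print("reauth request:", url)
```

The 30 minute value in the demo is the limit from the original question; the `max_age` limit for the request and the limit used when accepting the returned token should be the same number, otherwise a login the OP considered fresh is rejected by the app or vice versa.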
