[keycloak-user] Forcing reauthentication from a client, even when session is active
John D. Ament
john.d.ament at gmail.com
Mon Mar 6 10:09:29 EST 2017
At least for my use case, the max_age is moot. It's not by session, but by
And just to be clear - if I'm sending an OIDC request from my client to
keycloak, and the realm is based on SAML, and that realm is ForceAuthn
enabled, then it would reprompt in the IDP (if that's how everything's
configured)
I'm assuming at that point, I would send a Bearer header and parse on the
backend with a JAX-RS adapter?
On Mon, Mar 6, 2017 at 10:04 AM Stian Thorgersen <sthorger at redhat.com>
wrote:
> As we have prompt=login (I also spotted auth_time in the token) it would be
> really easy to add max_age that would actually be more useful than
> prompt=login IMO.
>
> On 6 March 2017 at 15:41, Bill Burke <bburke at redhat.com> wrote:
>
> > We support prompt=login.
> >
> >
> > On 3/6/17 9:33 AM, Stian Thorgersen wrote:
> > > OIDC has prompt=login and max_age params for it. Pretty sure we don't
> > > support either at the moment though.
> > >
> > > On 6 March 2017 at 15:14, John D. Ament <john.d.ament at gmail.com>
> wrote:
> > >
> > >> On Mon, Mar 6, 2017 at 9:12 AM John Dennis <jdennis at redhat.com>
> wrote:
> > >>
> > >>> On 03/06/2017 08:47 AM, John D. Ament wrote:
> > >>>> Hi,
> > >>>>
> > >>>> I have a use case where I need to reauthenticate a client, even if
> > >> their
> > >>>> session is active. I can use the Keycloak javascript adapter on the
> > >>> client
> > >>>> side, if needed, and was wondering if this is something built in? I
> > >> was
> > >>>> also expecting to leverage either the OIDC or SAML adapter on the
> > >> server
> > >>>> side. Can that work, regardless of server side adapter?
> > >>> In SAML you set ForceAuthn=True in the AuthnRequest.
> > >>>
> > >>>
> > >> This is not SAML specific.
> > >>
> > >>
> > >>> --
> > >>> John
> > >>> _______________________________________________
> > >>> keycloak-user mailing list
> > >>> keycloak-user at lists.jboss.org
> > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >>>
>
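Added example, not part of the thread and not Keycloak code: the client side builds an OIDC authorization request with the prompt=login and max_age parameters discussed above, and the backend enforces recency from the auth_time claim rather than trusting that the browser sent those parameters. The function names, the endpoint URL and the claim values are constructed for illustration, and the claims are assumed to come from a token whose signature, issuer, audience and expiry were already verified.

```javascript
// Client side: ask the IdP to re-authenticate the user.
// prompt=login requests a fresh login; max_age bounds how old a login may be.
function buildReauthUrl(authEndpoint, { clientId, redirectUri, state, nonce, maxAge }) {
  const url = new URL(authEndpoint);
  const p = url.searchParams;
  p.set('response_type', 'code');
  p.set('scope', 'openid');
  p.set('client_id', clientId);
  p.set('redirect_uri', redirectUri);
  p.set('state', state);
  p.set('nonce', nonce);
  p.set('prompt', 'login');
  if (maxAge !== undefined) p.set('max_age', String(maxAge));
  return url.toString();
}

// Backend side: the request parameters travel through the browser and can be
// removed before they reach the IdP, so the server decides from auth_time.
// `claims` must come from an already verified token (assumption of this example).
function checkRecentAuth(claims, maxAgeSeconds, nowSeconds, skewSeconds = 30) {
  const t = claims.auth_time;
  if (!Number.isInteger(t)) return { ok: false, reason: 'auth_time missing' };
  if (t > nowSeconds + skewSeconds) return { ok: false, reason: 'auth_time in future' };
  const age = nowSeconds - t;
  if (age > maxAgeSeconds + skewSeconds) return { ok: false, reason: 'stale login', age };
  return { ok: true, age };
}

// Constructed sample values (hypothetical realm, client and timestamps).
const sampleUrl = buildReauthUrl(
  'https://sso.example.test/realms/demo/protocol/openid-connect/auth',
  { clientId: 'demo-app', redirectUri: 'https://app.example.test/cb',
    state: 'st-123', nonce: 'n-456', maxAge: 300 });
const sampleNow = 1488812969;
console.log(sampleUrl);
console.log(checkRecentAuth({ auth_time: sampleNow - 60 }, 300, sampleNow));   // fresh login
console.log(checkRecentAuth({ auth_time: sampleNow - 3600 }, 300, sampleNow)); // session reuse
```

A backend that gets `ok: false` should reject the sensitive operation and send the user back through `buildReauthUrl` instead of accepting the existing session.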