[keycloak-user] Forcing reauthentication from a client, even when session is active
Bill Burke
bburke at redhat.com
Mon Mar 6 10:18:10 EST 2017
Don't know what you're talking about John....
A realm isn't SAML or OIDC based. The protocol is the choice of each
individual client application. Keycloak allows a mix of SAML and OIDC
client applications in the same SSO login session. In a brokering
situation a child IDP acts as a client to the parent IDP and must use
one of the protocols that the parent IDP supports.
On 3/6/17 10:09 AM, John D. Ament wrote:
> At least for my use case, the max_age is moot. It's not by session,
> but by
>
> And just to be clear - if I'm sending an OIDC request from my client
> to keycloak, and the realm is based on SAML, and that realm is
> ForceAuthn enabled, then it would reprompt in the IDP (if that's how
> everything's configured)
>
> I'm assuming at that point, I would send a Bearer header and parse on
> the backend with a JAX-RS adapter?
>
> On Mon, Mar 6, 2017 at 10:04 AM Stian Thorgersen <sthorger at redhat.com
> <mailto:sthorger at redhat.com>> wrote:
>
> > As we have prompt=login (I also spotted auth_time in the token) it
> > would be really easy to add max_age that would actually be more
> > useful than prompt=login IMO.
> >
> > On 6 March 2017 at 15:41, Bill Burke <bburke at redhat.com
> > <mailto:bburke at redhat.com>> wrote:
> >
> > > We support prompt=login.
> > >
> > > On 3/6/17 9:33 AM, Stian Thorgersen wrote:
> > > > OIDC has prompt=login and max_age params for it. Pretty sure
> > > > we don't support either at the moment though.
> > > >
> > > > On 6 March 2017 at 15:14, John D. Ament
> > > > <john.d.ament at gmail.com <mailto:john.d.ament at gmail.com>> wrote:
> > > >
> > > > > On Mon, Mar 6, 2017 at 9:12 AM John Dennis
> > > > > <jdennis at redhat.com <mailto:jdennis at redhat.com>> wrote:
> > > > >
> > > > > > On 03/06/2017 08:47 AM, John D. Ament wrote:
> > > > > > > Hi,
> > > > > > >
> > > > > > > I have a use case where I need to reauthenticate a client,
> > > > > > > even if their session is active. I can use the Keycloak
> > > > > > > javascript adapter on the client side, if needed, and was
> > > > > > > wondering if this is something built in? I was also
> > > > > > > expecting to leverage either the OIDC or SAML adapter on
> > > > > > > the server side. Can that work, regardless of server side
> > > > > > > adapter?
> > > > > > In SAML you set ForceAuthn=True in the AuthnRequest.
> > > > > >
> > > > > This is not SAML specific.
> > > > >
> > > > > > --
> > > > > > John
> > > > > > _______________________________________________
> > > > > > keycloak-user mailing list
> > > > > > keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
> > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
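As an added example (not code from the thread, nor Keycloak's own), here is how a relying party can act on the OIDC pieces discussed above: judge an existing login by the token's auth_time claim, force a fresh login with prompt=login or max_age, and verify afterwards that the provider really reauthenticated. The issuer, client id and redirect URI are placeholders, and the authorization endpoint path is assumed from Keycloak's realm URL layout.

```javascript
// Added example, not code from the thread or from Keycloak itself: a relying
// party that (1) judges an existing SSO login by the ID token's auth_time
// claim, (2) builds the authorization request that forces a fresh login via
// prompt=login or max_age, and (3) checks afterwards that the OP really
// reauthenticated. Issuer, client id and redirect URI are placeholders.
const ISSUER = "https://sso.example.test/auth/realms/demo";   // placeholder
const CLIENT_ID = "my-app";                                    // placeholder
const REDIRECT_URI = "https://app.example.test/callback";      // placeholder
// Authorization endpoint path, assumed from Keycloak's realm URL layout.
const AUTHZ_ENDPOINT = `${ISSUER}/protocol/openid-connect/auth`;

// True when the interactive login recorded in auth_time happened within
// maxAgeSeconds of nowSeconds. A missing auth_time counts as stale: without
// it the client cannot prove how recent the login was.
function isAuthFresh(claims, maxAgeSeconds, nowSeconds) {
  if (typeof claims.auth_time !== "number") return false;
  return nowSeconds - claims.auth_time <= maxAgeSeconds;
}

// Build the authorization request URL. mode "login" forces reauthentication
// with prompt=login (which the thread says Keycloak supports); mode "max_age"
// asks a compliant OP to reauthenticate only when the login is older than the
// limit. state and nonce must be unguessable per-request values from the caller.
function buildAuthRequest({ mode, maxAgeSeconds, state, nonce }) {
  if (!state || !nonce) throw new Error("state and nonce are required");
  const params = new URLSearchParams({
    client_id: CLIENT_ID, redirect_uri: REDIRECT_URI,
    response_type: "code", scope: "openid", state, nonce,
  });
  if (mode === "login") params.set("prompt", "login");
  else if (mode === "max_age") params.set("max_age", String(maxAgeSeconds));
  else throw new Error(`unknown mode: ${mode}`);
  return `${AUTHZ_ENDPOINT}?${params}`;
}

// After the redirect back: accept the new ID token only if its auth_time is
// not earlier than the moment the forced-login request was issued. This
// catches an OP that silently reused the old session instead of prompting.
function reauthSatisfied(newClaims, requestedAtSeconds) {
  return typeof newClaims.auth_time === "number" &&
    newClaims.auth_time >= requestedAtSeconds;
}
```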