[keycloak-user] Forcing reauthentication from a client, even when session is active

Marek Posolda mposolda at redhat.com
Tue Mar 7 11:12:04 EST 2017


+1

We already have support for max_age on the server including some support
in keycloak.js. That was recommended for OIDC certification. Seems that
the only missing part will be the support in the admin console itself.

Marek

On 07/03/17 09:13, Stian Thorgersen wrote:
> True, I was focusing just on require re-auth every X min. I reckon we
> should add max_age and use it for the admin console with a
> sensible/configurable timeout.
>
> On 6 March 2017 at 16:11, Bill Burke <bburke at redhat.com> wrote:
>
>> prompt=login is just as useful.  It allows applications to require
>> re-authentication in order to perform a specific action in the app.
>>
>> On 3/6/17 9:55 AM, Stian Thorgersen wrote:
>>
>> As we have prompt=login (I also spotted auth_time in the token) it would
>> be really easy to add max_age that would actually be more useful than
>> prompt=login IMO.
>>
>> On 6 March 2017 at 15:41, Bill Burke <bburke at redhat.com> wrote:
>>
>>> We support prompt=login.
>>>
>>>
>>> On 3/6/17 9:33 AM, Stian Thorgersen wrote:
>>>> OIDC has prompt=login and max_age params for it. Pretty sure we don't
>>>> support either at the moment though.
>>>>
>>>> On 6 March 2017 at 15:14, John D. Ament <john.d.ament at gmail.com> wrote:
>>>>
>>>>> On Mon, Mar 6, 2017 at 9:12 AM John Dennis <jdennis at redhat.com> wrote:
>>>>>
>>>>>> On 03/06/2017 08:47 AM, John D. Ament wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have a use case where I need to reauthenticate a client, even if their
>>>>>>> session is active.  I can use the Keycloak javascript adapter on the client
>>>>>>> side, if needed, and was wondering if this is something built in?  I was
>>>>>>> also expecting to leverage either the OIDC or SAML adapter on the server
>>>>>>> side.  Can that work, regardless of server side adapter?
>>>>>> In SAML you set ForceAuthn=True in the AuthnRequest.
>>>>>>
>>>>>>
>>>>> This is not SAML specific.
>>>>>
>>>>>
>>>>>> --
>>>>>> John
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>>>
>>>
>>
>>
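The max_age / prompt=login / auth_time combination discussed in this thread, as an added example that is not part of the original messages and is not Keycloak's own code: it builds the authorization request and then checks auth_time on the relying-party side. The endpoint URL, client id, helper names and sample claims are assumptions constructed for illustration, and the ID token claims are assumed to have already passed signature and nonce validation.

```javascript
// Added example; every name, URL and value here is constructed for illustration.

// Build an OIDC authorization request that asks the server to re-authenticate
// the user. maxAge (seconds) and forceLogin map to the max_age and
// prompt=login request parameters.
function buildReauthUrl(authEndpoint, opts) {
  const url = new URL(authEndpoint);
  const p = url.searchParams;
  p.set('response_type', 'code');
  p.set('scope', 'openid');
  p.set('client_id', opts.clientId);
  p.set('redirect_uri', opts.redirectUri);
  p.set('state', opts.state);
  p.set('nonce', opts.nonce);
  if (Number.isInteger(opts.maxAge) && opts.maxAge >= 0) p.set('max_age', String(opts.maxAge));
  if (opts.forceLogin) p.set('prompt', 'login');
  return url.toString();
}

// The request parameters travel through the browser, so they can be dropped
// or altered before reaching the server. The relying party therefore checks
// auth_time in the already-verified ID token claims before allowing the
// sensitive action, instead of trusting that the parameter was honoured.
function checkAuthTime(claims, maxAgeSeconds, nowSeconds, skewSeconds = 30) {
  const authTime = claims.auth_time;
  if (!Number.isInteger(authTime)) return { ok: false, reason: 'auth_time missing' };
  if (authTime > nowSeconds + skewSeconds) return { ok: false, reason: 'auth_time in future' };
  const age = nowSeconds - authTime;
  if (age > maxAgeSeconds + skewSeconds) return { ok: false, reason: 'authentication too old' };
  return { ok: true, reason: 'fresh', age };
}

// Constructed sample run: a 5 minute limit for a sensitive action.
const SAMPLE_NOW = 1488903124;
const sampleUrl = buildReauthUrl(
  'https://sso.example.test/auth/realms/demo/protocol/openid-connect/auth',
  { clientId: 'demo-app', redirectUri: 'https://app.example.test/cb',
    state: 'constructed-state', nonce: 'constructed-nonce', maxAge: 300, forceLogin: false });
console.log(sampleUrl);
console.log(checkAuthTime({ sub: 'u1', auth_time: SAMPLE_NOW - 20 }, 300, SAMPLE_NOW));
console.log(checkAuthTime({ sub: 'u1', auth_time: SAMPLE_NOW - 3600 }, 300, SAMPLE_NOW));
console.log(checkAuthTime({ sub: 'u1' }, 300, SAMPLE_NOW));
```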



