[keycloak-user] Forcing reauthentication from a client, even when session is active

John D. Ament john.d.ament at gmail.com
Wed Mar 8 07:54:15 EST 2017


So one question though - and it's my lack of familiarity with Keycloak.  If
I'm using the javascript adapter, do I have to use the OIDC connector on
the server side? Or would I have two clients (one backend and one frontend)?

I still have the need to support IDP initiated, and can spin up a backend
to handle that without an issue, but this forcing re-authentication is
basically client side, and always represents an SP initiated action
(regardless of SAML or OIDC).

John

On Tue, Mar 7, 2017 at 11:33 AM Marek Posolda <mposolda at redhat.com> wrote:

> +1
>
> We already have support for max_age on the server including some support
> in keycloak.js . That was recommended for OIDC certification. Seems that
> the only missing part will be the support in the admin console itself.
>
> Marek
>
> On 07/03/17 09:13, Stian Thorgersen wrote:
> > True, I was focusing just on require re-auth every X min. I reckon we
> > should add max_age and use it for the admin console with a
> > sensible/configurable timeout.
> >
> > On 6 March 2017 at 16:11, Bill Burke <bburke at redhat.com> wrote:
> >
> >> prompt=login is just as useful.  It allows applications to require
> >> re-authentication in order to perform a specific action in the app.
> >>
> >> On 3/6/17 9:55 AM, Stian Thorgersen wrote:
> >>
> >> As we have prompt=login (I also spotted auth_time in the token) it would
> >> be really easy to add max_age that would actually be more useful than
> >> prompt=login IMO.
> >>
> >> On 6 March 2017 at 15:41, Bill Burke <bburke at redhat.com> wrote:
> >>
> >>> We support prompt=login.
> >>>
> >>>
> >>> On 3/6/17 9:33 AM, Stian Thorgersen wrote:
> >>>> OIDC has prompt=login and max_age params for it. Pretty sure we don't
> >>>> support either at the moment though.
> >>>>
> >>>> On 6 March 2017 at 15:14, John D. Ament <john.d.ament at gmail.com> wrote:
> >>>>
> >>>>> On Mon, Mar 6, 2017 at 9:12 AM John Dennis <jdennis at redhat.com> wrote:
> >>>>>
> >>>>>> On 03/06/2017 08:47 AM, John D. Ament wrote:
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> I have a use case where I need to reauthenticate a client, even if
> >>>>>>> their session is active.  I can use the Keycloak javascript adapter
> >>>>>>> on the client side, if needed, and was wondering if this is
> >>>>>>> something built in?  I was also expecting to leverage either the
> >>>>>>> OIDC or SAML adapter on the server side.  Can that work, regardless
> >>>>>>> of server side adapter?
> >>>>>> In SAML you set ForceAuthn=True in the AuthnRequest.
> >>>>>>
> >>>>>>
> >>>>> This is not SAML specific.
> >>>>>
> >>>>>
> >>>>>> --
> >>>>>> John
> >>>>>> _______________________________________________
> >>>>>> keycloak-user mailing list
> >>>>>> keycloak-user at lists.jboss.org
> >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>>>>
> >>>>>
> >>>
> >>
> >>
>
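The thread above discusses two OIDC mechanisms for forcing re-authentication from the client side: the `prompt=login` request parameter (unconditional) and `max_age` (re-authenticate if the last login is older than N seconds), which the IdP answers with an `auth_time` claim in the ID token. The following is an added example written for this page; it is not code from the Keycloak project or from keycloak.js. It shows how a relying party builds the authorization request with either parameter and how it checks `auth_time` before allowing a sensitive action. The authorization endpoint, client id and redirect URI are constructed placeholders, and the sample token is built locally and unsigned because signature verification is outside what this snippet models.

```javascript
// Added example (not Keycloak project code): forcing re-authentication via
// OIDC prompt=login / max_age and checking the auth_time claim afterwards.

// Constructed placeholder; a real deployment uses the realm's discovery document.
const AUTHORIZE_ENDPOINT =
  "https://idp.example.test/auth/realms/demo/protocol/openid-connect/auth";

// Build the authorization request URL.
//   prompt: "login"  -> the IdP must re-authenticate even with an active SSO session
//   maxAge: N        -> the IdP re-authenticates if the last login is older than N
//                       seconds and must then return auth_time in the ID token
function buildAuthorizationUrl({ clientId, redirectUri, state, nonce, prompt, maxAge }) {
  const url = new URL(AUTHORIZE_ENDPOINT);
  const p = url.searchParams;
  p.set("response_type", "code");
  p.set("client_id", clientId);
  p.set("redirect_uri", redirectUri);
  p.set("scope", "openid");
  p.set("state", state); // CSRF protection for the callback
  p.set("nonce", nonce); // bound to the ID token, checked on return
  if (prompt !== undefined) {
    if (prompt !== "login") throw new Error("only prompt=login is handled in this example");
    p.set("prompt", prompt);
  }
  if (maxAge !== undefined) {
    if (!Number.isInteger(maxAge) || maxAge < 0) {
      throw new Error("max_age must be a non-negative integer number of seconds");
    }
    p.set("max_age", String(maxAge));
  }
  return url.toString();
}

// base64url -> UTF-8 string (JWT segments carry no '=' padding).
function base64UrlDecode(s) {
  const padded = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

// Parse the ID token payload. The signature MUST be verified before these
// claims are trusted; that step is deliberately not modelled here.
function decodeIdTokenClaims(idToken) {
  const parts = idToken.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Decide whether the user must log in again before a sensitive action.
// auth_time is the IdP's record of the last active authentication. A missing
// or non-numeric auth_time, or one in the future, is treated as "too old", so
// an IdP that ignored max_age cannot silently pass the check.
function requiresReauthentication(claims, maxAgeSeconds, nowSeconds) {
  if (!Number.isInteger(claims.auth_time)) return true;
  if (claims.auth_time > nowSeconds) return true;
  return nowSeconds - claims.auth_time > maxAgeSeconds;
}

// Constructed sample token (empty signature segment) with a chosen auth_time.
function sampleIdToken(authTime) {
  const enc = (o) =>
    Buffer.from(JSON.stringify(o)).toString("base64")
      .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc({ sub: "user-1", iat: authTime, auth_time: authTime })}.`;
}

// Usage: request step-up for a sensitive action, then gate on auth_time.
const stepUpUrl = buildAuthorizationUrl({
  clientId: "frontend-app", redirectUri: "https://app.example.test/cb",
  state: "s-123", nonce: "n-456", prompt: "login",
});
console.log(stepUpUrl);
console.log(requiresReauthentication(decodeIdTokenClaims(sampleIdToken(1000)), 300, 1400));
```

The client-side part of the question maps onto `buildAuthorizationUrl`: whichever server-side adapter handles the callback, the re-authentication request is an SP-initiated redirect that the browser app can construct itself, and the `auth_time` check is what makes a `max_age` request enforceable rather than advisory.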

