feat: add step up auth flow in keycloak example #11592
Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes.
| "alias" : "loa level 2", | ||
| "config" : { | ||
| "loa-condition-level" : "2", | ||
| "loa-max-age" : "36000" |
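Review bot: `loa-max-age` is a value in seconds, so `"36000"` keeps the level-2 condition satisfied for 10 hours before a re-authentication is needed; since the PR keeps this as the default, a short note in the example's README stating the unit and that the value can be tuned here or in the admin UI would make the intended behaviour of the demo flow explicit.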
Suggestion: For demonstration purposes token expiry for level 2 can be shorter than level 1
I think that's the default value, so I'd keep it for now. If we need to change it to test something, it can be changed both from this configuration file as well as from the web UI
| "clientSessionMaxLifespan": "0", | ||
| "organizationsEnabled": "false" | ||
| "organizationsEnabled": "false", | ||
| "acr.loa.map" : "{\"regular\":\"1\",\"advanced\":\"2\"}" |
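Review bot: the `"acr.loa.map"` attribute is the only place that defines the names (`regular`, `advanced`) a client has to send in `acr_values` to reach a given level, and the description says neither the server nor the clients use it yet; the example README should list these two names and state that a request without `acr_values` is handled by the first LoA condition in the flow (level 1, or acr `0` once that level has expired), so that whoever enforces step-up on the resource side checks the `acr` claim instead of assuming a higher level was reached.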
IIRC: No acr in request to keycloak will be level 1, isn't it?
If no explicit level is requested by parameters, the Keycloak will require the authentication with the first LoA condition found in the authentication flow, such as the Username/Password in the preceding example. When a user was already authenticated with that level and that level expired, the user is not required to re-authenticate, but acr in the token will have the value 0. This result is considered as authentication based solely on long-lived browser cookie as mentioned in the section 2 of OIDC Core 1.0 specification.
That's what I've found in the Keycloak docs (in https://www.keycloak.org/docs/latest/server_admin/index.html#_step-up-flow, see the "Flow logic" section).
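The flow logic quoted above is what a relying party has to account for once it enforces a step-up level on the resource side: the `acr` claim may carry the mapped name, the numeric level as a string, or `0` when the level expired and the session rests only on the long-lived browser cookie. The following Python is an added example, not code from this PR, from ownCloud or from Keycloak. It assumes the `acr.loa.map` value from the PR's realm configuration and that Keycloak emits `acr` either as the mapped name or as the numeric level; the function names (`parse_acr_loa_map`, `token_loa`, `satisfies`, `step_up_params`, `decide`) are hypothetical.

```python
"""Relying-party checks for a Keycloak step-up flow (added example).

Not code from ocis or Keycloak. Assumes the realm attribute
acr.loa.map = {"regular":"1","advanced":"2"} and the flow logic from the
Keycloak docs: acr is the mapped name or the numeric level, and "0" means
the level expired without re-authentication.
"""
from __future__ import annotations

import json
from urllib.parse import urlencode

# Constructed to match the acr.loa.map value in the PR's realm configuration.
ACR_LOA_MAP_JSON = '{"regular":"1","advanced":"2"}'


def parse_acr_loa_map(raw: str) -> dict[str, int]:
    """Turn the realm attribute (a JSON string of name -> level) into name -> int."""
    mapping = json.loads(raw)
    return {name: int(level) for name, level in mapping.items()}


def token_loa(claims: dict, acr_map: dict[str, int]) -> int:
    """Numeric level of authentication asserted by an ID/access token.

    Handles both forms Keycloak may emit (mapped name or numeric string).
    "0", a missing claim, or an unknown value all yield 0, the safe default:
    such a token never satisfies a step-up requirement.
    """
    acr = claims.get("acr")
    if acr is None:
        return 0
    acr = str(acr)
    if acr in acr_map:
        return acr_map[acr]
    if acr.isdigit():
        return int(acr)
    return 0  # unknown acr value: never treat as a higher level


def satisfies(claims: dict, required: str, acr_map: dict[str, int]) -> bool:
    """True when the token's level is at least the level named by `required`."""
    return token_loa(claims, acr_map) >= acr_map[required]


def step_up_params(required: str, acr_map: dict[str, int]) -> dict[str, str]:
    """Extra authorization-request parameters asking Keycloak for `required`.

    acr_values is the standard OIDC request parameter; Keycloak maps the name
    through acr.loa.map and runs the matching conditional sub-flow.
    """
    if required not in acr_map:
        raise ValueError(f"{required!r} is not a key of acr.loa.map")
    return {"acr_values": required}


def decide(claims: dict, required: str, acr_map: dict[str, int]) -> tuple[str, dict[str, str]]:
    """Return ("allow", {}) or ("step_up", params to append to the authorize URL)."""
    if satisfies(claims, required, acr_map):
        return "allow", {}
    return "step_up", step_up_params(required, acr_map)


if __name__ == "__main__":
    acr_map = parse_acr_loa_map(ACR_LOA_MAP_JSON)
    # Constructed claim sets, not real Keycloak output.
    for claims in ({"acr": "advanced"}, {"acr": "1"}, {"acr": "0"}, {}):
        verdict, params = decide(claims, "advanced", acr_map)
        print(claims, "->", verdict, urlencode(params))
```

The check is deliberately one-directional: a token whose `acr` is missing, `0`, or an unmapped string is treated as level 0 rather than rejected outright, so existing level-1 resources keep working while anything marked as requiring `advanced` sends the user back through the authorization endpoint with `acr_values=advanced`.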
Thank you for referencing the Keycloak docs and the playground. Looks good to me!
Description
Configuration changes for Keycloak in order to provide a login flow with a step-up mechanism as described in https://www.keycloak.org/docs/latest/server_admin/index.html#_step-up-flow.
Note that the changes shouldn't affect the current setup, and the "new" authentication flow isn't active by default.
In order to activate it:
At the moment, the server won't do anything with the new information, and the clients don't support the feature (not tested, but they might have problems). You can use https://playground.please-open.it/ to play around
Related Issue
Preparations for https://github.com/owncloud/enterprise/issues/7292