Details
- Feature Request
- Status: Closed
- Major
- Resolution: Out of Date
- 4.8.3.Final
- None
- None
- Documentation (Ref Guide, User Guide, etc.)
- NEW
- NEW
Description
Currently, the Java adapters have a way to "customize" the login request sent to the OIDC authentication endpoint. This is possible through "Parameters forwarding", which adds things like a custom "scope", "prompt", etc. However, parameter forwarding cannot be used if the user is already authenticated. Hence things like "Incremental scope", for example, are not easily possible now.
It would be nice to have an easy way in the Java adapter to re-trigger redirection to the OIDC authentication endpoint when the user is already authenticated. This would support things like Incremental scope, Incremental authentication and many other use cases.
A possible API, as it would look in the user's application, which wants to re-trigger login (bypass SSO) and add an additional scope to the current scope (Incremental scope use case):
    KeycloakLoginRedirect loginRedirect = KeycloakLoginRedirectBuilder
        .scope(currentAccessToken.getScope() + " phone")
        .prompt("login")
        .build();

    // This will ensure that the adapter does all necessary things (e.g. generate and save "state")
    getKeycloakSecurityContext().sendRedirectToLogin(loginRedirect);
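What "all necessary things" has to cover for such a re-login redirect, as an added example that is not Keycloak adapter code and not part of the original request: merge the extra scope, force re-authentication with `prompt=login`, and generate a `state` value that the callback later checks. The class name, host names, realm and client id are assumptions made for illustration.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashSet;
import java.util.Set;

public class ReauthRedirectExample {
    // Assumed values, constructed for this example only.
    static final String AUTH_ENDPOINT = "https://sso.example.test/auth/realms/demo/protocol/openid-connect/auth";
    static final String CLIENT_ID = "demo-app";
    static final String REDIRECT_URI = "https://app.example.test/callback";

    // Unguessable value that binds the callback to the session that started the login.
    static String newState() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Current scopes plus the requested ones, de-duplicated, order preserved.
    static String mergeScopes(String current, String extra) {
        Set<String> scopes = new LinkedHashSet<>();
        for (String s : (current + " " + extra).trim().split("\\s+")) scopes.add(s);
        return String.join(" ", scopes);
    }

    static String enc(String v) { return URLEncoder.encode(v, StandardCharsets.UTF_8); } // Java 10+

    static String loginUrl(String scope, String state) {
        return AUTH_ENDPOINT + "?response_type=code&client_id=" + enc(CLIENT_ID)
            + "&redirect_uri=" + enc(REDIRECT_URI) + "&scope=" + enc(scope)
            + "&prompt=login&state=" + enc(state);
    }

    // Callback check: constant-time comparison against the state kept in the session.
    static boolean stateMatches(String stored, String returned) {
        return stored != null && returned != null && MessageDigest.isEqual(
            stored.getBytes(StandardCharsets.UTF_8), returned.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String state = newState(); // a real application stores this in the HTTP session before redirecting
        System.out.println(loginUrl(mergeScopes("openid profile email", "phone"), state));
        System.out.println(stateMatches(state, state));      // callback carrying the stored state
        System.out.println(stateMatches(state, newState())); // callback carrying some other state
    }
}
```

A callback whose `state` is missing or does not match the stored value should be rejected before the authorization code is exchanged.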
Issue Links
- is related to KEYCLOAK-8985 need support for additional scope in servlet client adapters (Incremental scope) - Closed
1. Support for reauthentication in Wildfly/EAP adapter | Closed | Unassigned