
List:       keycloak-dev
Subject:    [keycloak-dev] external token exchange - feedback needed
From:       Sebastian.Schuster () bosch-si ! com (Schuster Sebastian (INST/ESY1))
Date:       2017-09-25 7:22:15
Message-ID: b2dd67b5c4ab4155837dea662295e35e () FE-MBX1028 ! de ! bosch ! com

Hi Bill,

Your token exchange approach looks good to me. I still have a few questions: What
claim is used to do the matching? Is it email if not linked and iss/sub otherwise?
What is the difference between IMPORT_ONLY and UNIQUE_IMPORT? What usernames would be
created? OIDC standard claims don't seem to contain something that's useful as a
username.

Thanks and best regards,
Sebastian
 

Mit freundlichen Grüßen / Best regards

Dr.-Ing.  Sebastian Schuster

Engineering and Support (INST/ESY1) 
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY |
www.bosch-si.com Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster
at bosch-si.com

Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the supervisory board: Dr.-Ing. Thorsten Lücke; Managing directors: Dr.-Ing. Rainer
Kallenbach, Michael Hahn




-----Original Message-----
From: keycloak-dev-bounces@lists.jboss.org [mailto:keycloak-dev-bounces at lists.jboss.org] On Behalf Of Bill Burke
Sent: Friday, 22 September 2017 16:48
To: keycloak-dev <keycloak-dev at lists.jboss.org>
Subject: Re: [keycloak-dev] external token exchange - feedback needed

Was thinking about this more...  I'll have a switch "Allow Token Exchange"

I'll also define an import policy:

* EXISTING-ONLY - must match existing account.  No link created.  No import.
* IMPORT - may match existing account.  Link is created/updated
* IMPORT-ONLY - must not match existing account unless previously
linked.   Link is created/updated.
* UNIQUE_IMPORT - must not match existing account unless previously imported. must
create a username that is specific to the provider. Link is created/updated.

For all above policies, realm duplicate email policy applies.

On Thu, Sep 21, 2017 at 4:05 PM, Bill Burke <bburke at redhat.com> wrote:
> I'm almost done implementing external token exchange where you can 
> provide an external OIDC token and exchange it for a Keycloak one.
> Need some feedback though.
> 
> * first broker flow and post broker flows won't be executed.  Can't, 
> its a non-browser flow.
> * mappers are run.
> * logout will not logout broker session
> * If duplicate emails exist, abort, 403
> * If duplicate username exists, abort, 403.
> 
> The feedback I need is on duplicates.  We might have the case where 
> username is unique across different realms.  Should I have a switch 
> that will use existing user?  Maybe an additional switch to not create 
> a link?  Maybe I should have an exchange flow?
> 
> 
> --
> Bill Burke
> Red Hat



--
Bill Burke
Red Hat
_______________________________________________
keycloak-dev mailing list
keycloak-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
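The four import policies in Bill's sketch above, and the "abort, 403" rules from his first mail, as an added runnable model. This is illustrative code written for this page, not Keycloak's implementation or its SPI; it assumes the answers the thread does not give: a "previously linked" and a "previously imported" account both mean an existing federated-identity link matched on the external subject, an unlinked account is matched by email (Sebastian's open question), the imported username is `preferred_username` or else the email, and the UNIQUE_IMPORT username is `<provider alias>.<sub>`. Issuer and signature validation of the external token are assumed to happen before this step. One check is added that is not in the sketch and is the caveat a practitioner would want: an unlinked account is never matched on an email the external IdP has not marked `email_verified`, because otherwise anyone who can obtain a token at that IdP carrying a victim's email address gets exchanged into the victim's realm account under EXISTING-ONLY or IMPORT. Names such as `Abort403`, `exchange` and `make_realm` are this example's own.

```python
# Toy model of the external-token-exchange import policies from the thread.
# Illustrative code, NOT Keycloak's implementation; assumptions are marked.
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    EXISTING_ONLY = "EXISTING-ONLY"
    IMPORT = "IMPORT"
    IMPORT_ONLY = "IMPORT-ONLY"
    UNIQUE_IMPORT = "UNIQUE_IMPORT"


class Abort403(Exception):
    """Raised wherever the sketch says 'abort, 403'."""


@dataclass
class User:
    username: str
    email: str | None = None
    # provider alias -> external subject.  Assumption: "previously linked" and
    # "previously imported" in the sketch both mean such a link exists.
    links: dict[str, str] = field(default_factory=dict)


@dataclass
class Realm:
    allow_duplicate_emails: bool = False      # the realm duplicate-email policy
    users: list[User] = field(default_factory=list)


@dataclass
class ExternalToken:
    # Claims of an already-validated external OIDC token (constructed input).
    sub: str
    email: str | None = None
    email_verified: bool = False
    preferred_username: str | None = None


def _by_link(realm: Realm, alias: str, token: ExternalToken) -> User | None:
    """Match on (provider, sub): needs no claim beyond what the IdP itself asserts about the subject."""
    return next((u for u in realm.users if u.links.get(alias) == token.sub), None)


def _by_email(realm: Realm, token: ExternalToken) -> User | None:
    """Match an unlinked account by email (assumed meaning of 'match existing account').
    Added hardening: an unverified email must never match, or a token minted at the
    external IdP with a victim's email address takes over the victim's account."""
    if not token.email or not token.email_verified:
        return None
    hits = [u for u in realm.users if u.email and u.email.lower() == token.email.lower()]
    if len(hits) > 1:
        raise Abort403("duplicate emails exist")      # "If duplicate emails exist, abort, 403"
    return hits[0] if hits else None


def _import(realm: Realm, alias: str, token: ExternalToken, username: str) -> User:
    """Create the account; duplicate-username and realm duplicate-email rules apply."""
    if any(u.username == username for u in realm.users):
        raise Abort403(f"duplicate username {username!r}")   # "If duplicate username exists, abort, 403"
    if token.email and not realm.allow_duplicate_emails and any(
        u.email and u.email.lower() == token.email.lower() for u in realm.users
    ):
        raise Abort403(f"duplicate email {token.email!r}")
    user = User(username=username, email=token.email, links={alias: token.sub})
    realm.users.append(user)
    return user


def exchange(realm: Realm, alias: str, token: ExternalToken, policy: Policy) -> User:
    """Return the realm user the exchanged Keycloak token would be issued for."""
    linked = _by_link(realm, alias, token)
    if linked is not None:                 # previously linked: iss/sub wins under every policy
        return linked
    existing = _by_email(realm, token)

    if policy is Policy.EXISTING_ONLY:     # must match; no link, no import
        if existing is None:
            raise Abort403("no existing account")
        return existing
    if policy is Policy.IMPORT:            # may match; link is created/updated
        if existing is not None:
            existing.links[alias] = token.sub
            return existing
    elif existing is not None:             # IMPORT-ONLY / UNIQUE_IMPORT: must not match
        raise Abort403("matches an existing account that is not linked")

    if policy is Policy.UNIQUE_IMPORT:
        username = f"{alias}.{token.sub}"  # provider-specific username (assumed format)
    else:
        username = token.preferred_username or token.email   # assumed; no standard username claim
        if username is None:
            raise Abort403("no claim usable as a username")
    return _import(realm, alias, token, username)


def outcome(realm: Realm, alias: str, token: ExternalToken, policy: Policy) -> str:
    """Username on success, or '403' where the exchange aborts."""
    try:
        return exchange(realm, alias, token, policy).username
    except Abort403:
        return "403"


def make_realm() -> Realm:
    """Constructed sample realm: alice has no link, bob is already linked to corp-oidc."""
    return Realm(users=[
        User("alice", "alice@example.com"),
        User("bob", "bob@example.com", links={"corp-oidc": "bob-sub"}),
    ])


if __name__ == "__main__":
    r = make_realm()
    t = ExternalToken(sub="mallory-sub", email="alice@example.com", email_verified=False)
    print(outcome(r, "corp-oidc", t, Policy.EXISTING_ONLY))   # 403: unverified email never matches alice
```

Running the module shows the takeover case: a token whose unverified email equals alice's is refused under EXISTING-ONLY, while a token for bob's existing link is matched on the subject regardless of what email it carries. Flip `allow_duplicate_emails` on the realm to see UNIQUE_IMPORT succeed for a second account sharing alice's address, which is exactly what "realm duplicate email policy applies" permits.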

