This is an interesting use case.
Adjusting an individual user session based on some criteria is possible but tricky.
But before fleshing this out, we must consider its usability without compromising security.
Use case: Lower session idle time for privileged accounts
Letâs imagine that we could make the session idle time dependent on the user, e.g. for all users with an admin role, we could limit it to a maximum of 5 minutes.
If an admin user has to work in the admin console for more than 5 minutes, they have to log in repeatedly, which is good for security but could be better in terms of usability.
To make the process more pleasant for admins while still keeping it secure, we could use a procedure that is used in the financial sector for online banking solutions.
We define a shorter max idle time for admins, e.g. 5 minutes, and display a timer that is visible to the admin user. This timer then counts down from 5 minutes. The user can extend the current admin âsessionâ by clicking on the timer again, which also resets the idle time tracker on the server side.
This approach allows the admin to work in the admin UI without the inconvenience of frequent logins, thereby enhancing their user experience.
If the admin leaves and does not extend his session, it will then expire normally with the shortened idle time.
Propagate security context information to the IdP
I think youâd rather pass the required acr_values around than LoA information.
AFAIK, the OIDC IdP support currently does not explicitly support passing values like acr_values, however we have the option to forward parameters to the idp which might help you in this regard.
If this doesnât help youâd probably need to implement your own IdentityProvider by extending the existing implementations and add extract the desired information from the current KeycloakSession / AuthSession and add appropriate paramerters to the auth/token requests send to the provider.
Approach for limiting access for âmasterâ realm users
I donât know your realm structure, but the following would work if your admins sign-in via the master realm (through an IdP), to manage the other realms.
You could force admin users to register a custom OTP authenticator in the master realm in addition to their linked IdP account. Then you could use a custom browser flow in the master realm that forces a certain LoA level which requires OTP. In the configuration for the OTP Form authenticator, you configure the âAuthenticator Reference Max Ageâ to expire after e.g. 15 mins.
With that in place. (Admin) Users who login in the master realm via the IdP need to enter the OTP code before accessing the admin-console. The OTP code remains valid for 15mins, and in during this time admins can work in the admin console without interruption. Once the 15mins run out, then the user is redirected to the OTP form when the next token request is attempted. You could adjust the access token timeout to ensure this happens quick enough.
In case you are using realm local admins for accessing the realm local security-admin-console then the workflow above needs to be adjusted a bit (e.g. with custom extensions) to only apply / and require the OTP authenticator for certain groups / roles.
As a sidenote I hope the feature Enable clients to enforce an ACR via client attribute by sonOfRa ¡ Pull Request #33205 ¡ keycloak/keycloak ¡ GitHub (minimal acr_value per client) quickly finds itâs way into the next release as it will greatly simplify expression and enforcing required authentication levels per client.
Cheers,
Thomas