Support for id_token_hint to avoid login flow again

sagarshah1983 · September 29, 2020, 3:58pm

Does keycloak support id_token_hint?
If user is already authenticated on keycloak auth server, and on click of some link within the system, if Authorization needs to happen again for the same user on auth server, can we somehow bypass login flow?
I am trying to use prompt=none and passing id_token_hint value with previously received id_token from auth server and session_state value received earlier, but that’s giving me login_required error from keycloak on the app redirect url when getting authorization code.

Here’s the example URL:
http://keycloak:9080/auth/realms/igia/protocol/openid-connect/auth?
client_id=sagar-test
&redirect_uri=http%3A%2F%2F127.0.0.1%3A9010%2Fcallback
&response_type=code
&scope=openid+launch
&state=bbb
&prompt=none
&session_state=894b7695-de61-4cd0-b1d0-9509ae65fd0d
&id_token_hint=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlYlZwVmkyaVV5anpXWTVaWHMzRE80b3RZaVJibDJpbE11N3BrYXo5RWpJIn0.eyJqdGkiOiI3M2UyOGIyNC1kM2RjLTQ0YmYtYmVmNy1lODg4YTM0NzM0ZjAiLCJleHAiOjE2MDEzOTQ4OTAsIm5iZiI6MCwiaWF0IjoxNjAxMzk0MjkwLCJpc3MiOiJodHRwOi8va2V5Y2xvYWs6OTA4MC9hdXRoL3JlYWxtcy9pZ2lhIiwiYXVkIjoic2FnYXItdGVzdCIsInN1YiI6IjRjOTczODk2LTU3NjEtNDFmYy04MjE3LTA3YzVkMTNhMDA0YiIsInR5cCI6IklEIiwiYXpwIjoic2FnYXItdGVzdCIsImF1dGhfdGltZSI6MTYwMTM5NDI4OSwic2Vzc2lvbl9zdGF0ZSI6Ijg5NGI3Njk1LWRlNjEtNGNkMC1iMWQwLTk1MDlhZTY1ZmQwZCIsImFjciI6IjEiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwibmFtZSI6IkFkbWluIEFkbWluaXN0cmF0b3IiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJhZG1pbiIsImdpdmVuX25hbWUiOiJBZG1pbiIsImZhbWlseV9uYW1lIjoiQWRtaW5pc3RyYXRvciIsImVtYWlsIjoiYWRtaW5AbG9jYWxob3N0In0.Yqi0N7ilYsr_fP_-7qWiTDbaiLTBRbW3p-w07D33w8LbIbhqxRHAi5FYwcYOo5HQffcjmcRetYUHBSExVpyRl0YrHON6_g02x1UJurMZPwGbDiTRMf4_xiRvDM18TnZuQEGCvN0s8xtm5wqv2jKqWSyRD6RktYZKuLssaH-wp20nryBTRv87M6-Nh1MfHa4m-Xv5nw4t_y6LWNPurwGUZRwsPGAIxeN8anFjxdf4kYUQD44etc4y1ZijZZ8lCWoSW4RWSblM7iaalqdjsVqx7fUeTXTpRptZJZiasaqT7O08Z2lN1zsA4sFHc8UgFqvIKq_2tExnNAI1A4FwGh-Kpw

Any help is appreciated!

Robbilie · February 3, 2021, 7:47pm

I would be interested in this as well, specifically for the use case of not having to log in again in the account console

fidgi · February 13, 2021, 10:16am

Hi,
I’m also interested in knowing whether Keycloak is supporting this as per OpenID Connect specification.
OpenID Connect requires that if the ID token is sent encrypted by the OP, the ID token has to be re-encrypted by the client app, with its own key shared with the OP. So an additional question, is whether Keycloak allows to use the client secret for this purpose.

Regards,

Topic		Replies	Views
Consent required even though ID_TOKEN_HINT provided Getting advice authentication , client-configuration , oidc	0	436	November 23, 2022
How to mapp login_hint to id token oidc	0	119	March 4, 2024
Identity broker logout request send to external identity provider don't contain id_token_hint Configuring the server identity-brokering , oidc	1	573	February 23, 2024
OAuth2 IDP instead of OIDC Configuring the server authentication , identity-brokering , oidc	1	1153	October 3, 2020
Direct Link IDP Getting advice	2	556	April 19, 2022

Support for id_token_hint to avoid login flow again

Related Topics