keycloak-scim/securing_apps/topics/oidc/java/params_forwarding.adoc

[[params_forwarding]]
==== Parameters Forwarding

The {project_name}  initial authorization endpoint request has support for various parameters. Most of the parameters are described in
https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint[OIDC specification]. Some parameters are added automatically by the adapter based
on the adapter configuration. However, there are also a few parameters that can be added on a per-invocation basis. When you open the secured application URI,
the particular parameter will be forwarded to the {project_name} authorization endpoint.

For example, if you request an offline token, then you can open the secured application URI with the `scope` parameter like:

[source]
----
http://myappserver/mysecuredapp?scope=offline_access
----

and the parameter `scope=offline_access` will be automatically forwarded to the {project_name} authorization endpoint.

The supported parameters are:

* scope - Use a space-delimited list of scopes. A space-delimited list typically references link:{adminguide_link}#_client_scopes[Client scopes]
defined on particular client. Note that the scope `openid` will be always be added to the list of scopes by the adapter. For example, if you
enter the scope options `address phone`, then the request to {project_name} will contain the scope parameter `scope=openid address phone`.

* prompt - {project_name} supports these settings:
** `login` - SSO will be ignored and the {project_name} login page will be always shown, even if the user is already authenticated
** `consent` - Applicable only for the clients with `Consent Required`. If it is used, the Consent page will always be displayed,
even if the user previously granted consent to this client.
** `none` - The login page will never be shown; instead the user will be redirected to the application, with an error if the user
is not yet authenticated. This setting allows you to create a filter/interceptor on the application side and show a custom error page
to the user. See more details in the specification.

* max_age - Used only if a user is already authenticated. Specifies maximum permitted time for the authentication to persist, measured
from when the user authenticated. If user is authenticated longer than `maxAge`, the SSO is ignored and he must re-authenticate.

* login_hint - Used to pre-fill the username/email field on the login form.

* kc_idp_hint - Used to tell {project_name} to skip showing login page and automatically redirect to specified identity provider instead.
More info in the link:{adminguide_link}#_client_suggested_idp[Identity Provider documentation].

Most of the parameters are described in the https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint[OIDC specification].
The only exception is parameter `kc_idp_hint`, which is specific to {project_name} and contains the name of the identity provider to automatically use.
For more information see the `Identity Brokering` section in link:{adminguide_link}[{adminguide_name}].

WARNING: If you open the URL using the attached parameters, the adapter will not redirect you to {project_name} if you are already authenticated
in the application. For example, opening $$http://myappserver/mysecuredapp?prompt=login$$ will not automatically redirect you to
the {project_name} login page if you are already authenticated to the application `mysecredapp` . This behavior may be changed in the future.
fixed Wildfly mentions and faulty links with underscores 2019-01-21 16:15:22 +00:00			`[[params_forwarding]]`
KEYCLOAK-3318 Documentation for parameters forwarding from adapter. More docs for prompt and max_age 2016-07-21 16:58:14 +00:00			`==== Parameters Forwarding`

Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`The {project_name} initial authorization endpoint request has support for various parameters. Most of the parameters are described in`
Update http://openid.net to https://openid.net 2018-09-05 22:10:36 +00:00			`https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint[OIDC specification]. Some parameters are added automatically by the adapter based`
fixed hard-coded link issue, cleaned up wording, and added build script 2016-12-01 20:01:51 +00:00			`on the adapter configuration. However, there are also a few parameters that can be added on a per-invocation basis. When you open the secured application URI,`
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`the particular parameter will be forwarded to the {project_name} authorization endpoint.`
KEYCLOAK-3318 Documentation for parameters forwarding from adapter. More docs for prompt and max_age 2016-07-21 16:58:14 +00:00
fixed hard-coded link issue, cleaned up wording, and added build script 2016-12-01 20:01:51 +00:00			For example, if you request an offline token, then you can open the secured application URI with the `scope` parameter like:
KEYCLOAK-3318 Documentation for parameters forwarding from adapter. More docs for prompt and max_age 2016-07-21 16:58:14 +00:00
			`[source]`
			`----`
			`http://myappserver/mysecuredapp?scope=offline_access`
			`----`

Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			and the parameter `scope=offline_access` will be automatically forwarded to the {project_name} authorization endpoint.
KEYCLOAK-3318 Documentation for parameters forwarding from adapter. More docs for prompt and max_age 2016-07-21 16:58:14 +00:00
fixed hard-coded link issue, cleaned up wording, and added build script 2016-12-01 20:01:51 +00:00			`The supported parameters are:`
KEYCLOAK-3318 Documentation for parameters forwarding from adapter. More docs for prompt and max_age 2016-07-21 16:58:14 +00:00
KEYCLOAK-7075 Client scopes documentation (#389) 2018-06-08 13:39:15 +00:00			`* scope - Use a space-delimited list of scopes. A space-delimited list typically references link:{adminguide_link}#_client_scopes[Client scopes]`
			defined on particular client. Note that the scope `openid` will be always be added to the list of scopes by the adapter. For example, if you
			enter the scope options `address phone`, then the request to {project_name} will contain the scope parameter `scope=openid address phone`.
KEYCLOAK-3318 Documentation for parameters forwarding from adapter. More docs for prompt and max_age 2016-07-21 16:58:14 +00:00
KEYCLOAK-7471 Improve adapter documentation for parameters-forwarding and prompt 2018-05-30 09:54:47 +00:00			`* prompt - {project_name} supports these settings:`
			** `login` - SSO will be ignored and the {project_name} login page will be always shown, even if the user is already authenticated
KEYCLOAK-7437 Support for prompt=consent 2018-08-29 10:05:35 +00:00			** `consent` - Applicable only for the clients with `Consent Required`. If it is used, the Consent page will always be displayed,
			`even if the user previously granted consent to this client.`
KEYCLOAK-7471 Improve adapter documentation for parameters-forwarding and prompt 2018-05-30 09:54:47 +00:00			** `none` - The login page will never be shown; instead the user will be redirected to the application, with an error if the user
			`is not yet authenticated. This setting allows you to create a filter/interceptor on the application side and show a custom error page`
			`to the user. See more details in the specification.`
KEYCLOAK-3318 Documentation for parameters forwarding from adapter. More docs for prompt and max_age 2016-07-21 16:58:14 +00:00
KEYCLOAK-7075 Client scopes documentation (#389) 2018-06-08 13:39:15 +00:00			`* max_age - Used only if a user is already authenticated. Specifies maximum permitted time for the authentication to persist, measured`
			from when the user authenticated. If user is authenticated longer than `maxAge`, the SSO is ignored and he must re-authenticate.
KEYCLOAK-3318 Documentation for parameters forwarding from adapter. More docs for prompt and max_age 2016-07-21 16:58:14 +00:00
KEYCLOAK-7075 Client scopes documentation (#389) 2018-06-08 13:39:15 +00:00			`* login_hint - Used to pre-fill the username/email field on the login form.`
KEYCLOAK-3318 Documentation for parameters forwarding from adapter. More docs for prompt and max_age 2016-07-21 16:58:14 +00:00
KEYCLOAK-7075 Client scopes documentation (#389) 2018-06-08 13:39:15 +00:00			`* kc_idp_hint - Used to tell {project_name} to skip showing login page and automatically redirect to specified identity provider instead.`
			`More info in the link:{adminguide_link}#_client_suggested_idp[Identity Provider documentation].`
KEYCLOAK-3318 Documentation for parameters forwarding from adapter. More docs for prompt and max_age 2016-07-21 16:58:14 +00:00
Update http://openid.net to https://openid.net 2018-09-05 22:10:36 +00:00			`Most of the parameters are described in the https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint[OIDC specification].`
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			The only exception is parameter `kc_idp_hint`, which is specific to {project_name} and contains the name of the identity provider to automatically use.
			For more information see the `Identity Brokering` section in link:{adminguide_link}[{adminguide_name}].
KEYCLOAK-7471 Improve adapter documentation for parameters-forwarding and prompt 2018-05-30 09:54:47 +00:00
			`WARNING: If you open the URL using the attached parameters, the adapter will not redirect you to {project_name} if you are already authenticated`
			`in the application. For example, opening $$http://myappserver/mysecuredapp?prompt=login$$ will not automatically redirect you to`
			the {project_name} login page if you are already authenticated to the application `mysecredapp` . This behavior may be changed in the future.