[keycloak-dev] Refresh token expires too

Corinne Krych corinnekrych at gmail.com
Wed Oct 15 12:04:19 EDT 2014 

if you asked me, i think providing expiration date in json response (i.e.: second choice in your list) makes it clear that refresh tokens do expire and it's easier on client side refersh token dealing (not need to decode tokens etc…).

++
Corinne

On 15 Oct 2014, at 17:35, Bill Burke <bburke at redhat.com> wrote:

> There's a few things we could do:
> 
> * Expand the public realm REST interface to include information about 
> timeouts
> * oauth alreayd requires that access token response json document 
> contains an access token timeout, we could include the refresh tieout too.
> * Then again, you could just decode the refresh token :)
> 
> On 10/15/2014 11:20 AM, Corinne Krych wrote:
>> Hello Keycloak
>> 
>> Today I run into an issue [1] related to the fact that in Keycloak server, refresh tokens are:
>> - renewed after each refresh token request. as described in second paragraph here http://tools.ietf.org/html/rfc6749#section-10.4,
>> - expirable, which is more a surprise to me. (nothing like that in oauth2 spec)
>> 
>> So for iOS sdk we’ll need to adjust our logic in here [2] and cater to the fact that if refresh token is expired we’ll need to go through grant ptopup again.
>> To get refresh token expriation date one way is ask to renew refresh and hit a 400, "Refresh token expired” or decode refresh token as done in key cloak.js [3].
>> 
>> Thanks @mposolda for the links.
>> 
>> @summers @passos: I guess it’s something you’ll need to consider too for Android sdk.
>> 
>> ++
>> Corinne
>> ——————
>> AeroGear iOS tech lead
>> 
>> [1] https://issues.jboss.org/browse/AGIOS-294
>> [2] https://github.com/aerogear/aerogear-ios-oauth2/blob/master/AeroGearOAuth2/OAuth2Module.swift#L145
>> [3] https://github.com/keycloak/keycloak/blob/master/integration/js/src/main/resources/keycloak.js#L216, https://github.com/keycloak/keycloak/blob/master/integration/js/src/main/resources/keycloak.js#L462
>> 
>> 
>> 
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> 
> 
> -- 
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://lists.jboss.org/pipermail/keycloak-dev/attachments/20141015/9319e536/attachment.bin

More information about the keycloak-dev mailing list