[keycloak-dev] Refresh token expires too

Corinne Krych corinnekrych at gmail.com
Wed Oct 15 14:28:57 EDT 2014


https://issues.jboss.org/browse/KEYCLOAK-760

On 15 Oct 2014, at 18:11, Bill Burke <bburke at redhat.com> wrote:

> Submit a jira please.
> 
> On 10/15/2014 12:04 PM, Corinne Krych wrote:
>> If you asked me, I think providing the expiration date in the JSON response (i.e.: second choice in your list) makes it clear that refresh tokens do expire and it's easier on the client side for refresh token handling (no need to decode tokens etc…).
>> 
>> ++
>> Corinne
>> 
>> On 15 Oct 2014, at 17:35, Bill Burke <bburke at redhat.com> wrote:
>> 
>>> There's a few things we could do:
>>> 
>>> * Expand the public realm REST interface to include information about
>>> timeouts
>>> * OAuth already requires that the access token response JSON document
>>> contains an access token timeout; we could include the refresh timeout too.
>>> * Then again, you could just decode the refresh token :)
>>> 
>>> On 10/15/2014 11:20 AM, Corinne Krych wrote:
>>>> Hello Keycloak
>>>> 
>>>> Today I ran into an issue [1] related to the fact that in the Keycloak server, refresh tokens are:
>>>> - renewed after each refresh token request, as described in the second paragraph here http://tools.ietf.org/html/rfc6749#section-10.4,
>>>> - expirable, which is more of a surprise to me (nothing like that in the OAuth2 spec).
>>>> 
>>>> So for the iOS SDK we’ll need to adjust our logic here [2] and cater to the fact that if the refresh token is expired we’ll need to go through the grant popup again.
>>>> To get the refresh token expiration date, one way is to ask to renew the refresh token and hit a 400, "Refresh token expired”, or decode the refresh token as done in keycloak.js [3].
>>>> 
>>>> Thanks @mposolda for the links.
>>>> 
>>>> @summers @passos: I guess it’s something you’ll need to consider too for Android sdk.
>>>> 
>>>> ++
>>>> Corinne
>>>> ——————
>>>> AeroGear iOS tech lead
>>>> 
>>>> [1] https://issues.jboss.org/browse/AGIOS-294
>>>> [2] https://github.com/aerogear/aerogear-ios-oauth2/blob/master/AeroGearOAuth2/OAuth2Module.swift#L145
>>>> [3] https://github.com/keycloak/keycloak/blob/master/integration/js/src/main/resources/keycloak.js#L216, https://github.com/keycloak/keycloak/blob/master/integration/js/src/main/resources/keycloak.js#L462
>>>> 
>>>> 
>>>> 
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>> 
>>> 
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>> 
> 
> -- 
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

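Client-side handling of the expiring refresh token discussed in this thread, as an added example (not code from keycloak.js, the AeroGear SDKs or Keycloak itself): it reads the token's `exp` claim the way keycloak.js is described as doing, and maps the 400 "Refresh token expired" response to a decision to go through the grant again. The sample-token builder, the `refreshDecision`/`handleRefreshResponse` names and the 30-second clock-skew allowance are assumptions for the example.

```javascript
// Added example: decide whether a stored refresh token is still usable.
// No signature check is done here; the client only reads the claims, and the
// server still validates the token when it is presented.

function base64UrlDecode(segment) {
  // JWT segments are base64url without padding (RFC 7515, section 2).
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const pad = b64.length % 4 === 0 ? '' : '='.repeat(4 - (b64.length % 4));
  return Buffer.from(b64 + pad, 'base64').toString('utf8');
}

function decodeTokenPayload(token) {
  // Compact JWS: header.payload.signature
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS token');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Returns 'refresh' when the token is still valid (with a skew margin) or
// 'reauthenticate' when the client must obtain a fresh grant.
function refreshDecision(refreshToken, nowSeconds = Math.floor(Date.now() / 1000), skewSeconds = 30) {
  let payload;
  try {
    payload = decodeTokenPayload(refreshToken);
  } catch (e) {
    return 'reauthenticate'; // unparseable token: treat as unusable
  }
  if (typeof payload.exp !== 'number') return 'refresh'; // no exp claim: let the server decide
  return payload.exp - skewSeconds > nowSeconds ? 'refresh' : 'reauthenticate';
}

// Fallback for the other route mentioned in the thread: interpret the
// server's answer to a refresh request. `body` is the parsed JSON error.
function handleRefreshResponse(status, body) {
  if (status === 200) return 'ok';
  if (status === 400 && /refresh token expired/i.test(body && body.error_description || '')) {
    return 'reauthenticate';
  }
  return 'error';
}

// Constructed, unsigned sample token for demonstration only (assumption).
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.signature-placeholder`;
}
```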