[keycloak-dev] Offline tokens

Stian Thorgersen stian at redhat.com
Mon Aug 31 05:38:15 EDT 2015



----- Original Message -----
> From: "Marek Posolda" <mposolda at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Friday, 21 August, 2015 2:09:31 PM
> Subject: Re: [keycloak-dev] Offline tokens
> 
> On 21/08/15 13:30, Marek Posolda wrote:
> > Some thoughts around offline tokens impl:
> >
> > - Client has switch "Allow offline tokens". Offline token can be
> > requested just if the switch is enabled
> >
> > - Offline token can be requested if parameter "scope=offline" is sent.
> > Offline token is sent alone, no IDToken or refreshToken is sent together
> > with it.
> > Question: Should offline tokens be available just for
> > ResourceOwnerPasswordCredentials and ServiceAccounts or also for classic
> > web based authorization code flow?
> >
> > - There are methods on UserModel to track which offline tokens were
> > issued for particular user. Like:
> >
> > List<String> getOfflineTokens();
> > void addOfflineToken(String offlineToken);
> > void removeOfflineToken(String offlineToken);
> >
> > - Offline token will never expire. Or should we eventually add another
> > timeout for offline token (With some big default value like 1 month or so)?
> >
> > - Offline token is not refreshable.
> >
> > - Offline token can be validated by current OIDC endpoint for token
> > validation. Offline token is not valid if UserModel doesn't have token
> > anymore on it. But offline token is still valid even if corresponding
> > UserSession doesn't exist. So we can still have offline tokens valid for
> > 1 year even if SsoSessionMaxLifespan is just 10 hours.
> >
> > - Offline token can be logged out. Logout will remove offline token from
> > corresponding UserModel.
> >
> > - In Account management applications page can user see list of offline
> > tokens issued for individual clients and he can revoke them. Not sure if
> > put another "Revoke offline token" or use current "Revoke grant" action,
> > which will revoke both consents and offline tokens?
> >
> > - Admin can see the offline tokens for user in admin console and can
> > revoke them too. Current button "Logout All" in sessions tab will
> > revoke offline tokens from all users. For performance reasons, we may
> > need method on UserProvider, so it's possible to clean whole DB table
> > "OFFLINE_TOKEN" (similarly for mongo) instead of iterating through all
> > users.
> >
> > - For adapters, we should likely have an option, so the REST endpoint
> > adapter has possibility to validate offline token by always sending
> > validation request to KC server. We didn't need it for access tokens,
> > which are valid just for 1 minute or so, but offline tokens are long
> > lived so adapter should have this possibility IMO.
> - Actually, for the frontend adapters (both server and keycloak.js) I
> am thinking about adding the persistent cookie, which will be put on the
> application after successful login and is valid for the same time like
> the offline token (so couple of months). When browser is opened next
> time, the adapter will find the cookie and send the validation request
> to KC to check if offline token is still valid. This will allow the
> browser application to be logged with the same offline token for couple
> of months.
> 
> I also wonder if we should put the IP address checking when validating
> offline token (Offline token is valid just if validation request comes
> from same address like the original request)?


JS adapters shouldn't use offline tokens. Offline tokens are to give servers permanent offline access to a user's account. Only confidential clients should be able to use this.

> 
> Mare
> >
> > WDYT?
> >
> > Marek
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 
> 
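
A minimal model of the proposal quoted above, combined with the confidential-client restriction from the reply. It is an added example, not Keycloak code and not part of the original thread. Every name other than the three UserModel-style methods is hypothetical, and the random UUID stands in for a real signed token.

```java
import java.util.*;

// Added illustration, not Keycloak code. Only getOfflineTokens/addOfflineToken/
// removeOfflineToken come from the proposal; every other name is hypothetical.
public class OfflineTokenSketch {
    static class User {
        private final Set<String> offlineTokens = new HashSet<>();
        List<String> getOfflineTokens() { return new ArrayList<>(offlineTokens); }
        void addOfflineToken(String t) { offlineTokens.add(t); }
        void removeOfflineToken(String t) { offlineTokens.remove(t); }
    }

    static class Client {
        final boolean confidential, allowOfflineTokens;
        Client(boolean confidential, boolean allowOfflineTokens) {
            this.confidential = confidential;
            this.allowOfflineTokens = allowOfflineTokens;
        }
    }

    final Map<String, User> users = new HashMap<>();
    final Set<String> userSessions = new HashSet<>(); // users with a live SSO session

    // Issue only when the client switch is on, scope=offline was sent, and
    // (per the reply) the client is confidential.
    Optional<String> issue(Client c, String username, String scope) {
        if (!c.allowOfflineTokens || !c.confidential || !"offline".equals(scope))
            return Optional.empty();
        String token = UUID.randomUUID().toString(); // stand-in for a real signed token
        users.computeIfAbsent(username, u -> new User()).addOfflineToken(token);
        return Optional.of(token);
    }

    // Validity depends only on the stored record, never on userSessions.
    boolean validate(String username, String token) {
        User u = users.get(username);
        return u != null && u.getOfflineTokens().contains(token);
    }

    public static void main(String[] args) {
        OfflineTokenSketch kc = new OfflineTokenSketch();
        kc.userSessions.add("alice"); // constructed sample user
        System.out.println("public client issued: "
            + kc.issue(new Client(false, true), "alice", "offline").isPresent());
        String t = kc.issue(new Client(true, true), "alice", "offline").get();
        kc.userSessions.remove("alice"); // SSO session expires
        System.out.println("valid without session: " + kc.validate("alice", t));
        kc.users.get("alice").removeOfflineToken(t); // logout or revoke
        System.out.println("valid after revoke: " + kc.validate("alice", t));
    }
}
```

Because the token outlives the SSO session, the stored record is the only revocation point, which is why the proposal has adapters send long-lived tokens back to the server for validation.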

