[keycloak-dev] Offline tokens

Stian Thorgersen stian at redhat.com
Mon Aug 31 09:17:26 EDT 2015



----- Original Message -----
> From: "Marek Posolda" <mposolda at redhat.com>
> To: "Bill Burke" <bburke at redhat.com>, keycloak-dev at lists.jboss.org
> Sent: Monday, 31 August, 2015 3:06:48 PM
> Subject: Re: [keycloak-dev] Offline tokens
> 
> Actually the KEYCLOAK_IDENTITY cookie is persistent just for the configured
> idle timeout (like 30 minutes). But for the offline token, I imagine we
> want to support the scenario where the user authenticates to his application
> after a week of inactivity or so.

You sure - is it not the SSO max lifespan?

> 
> Here I meant the cookie will be on the application side, not on the KC
> side. When the user opens his browser and goes to
> http://localhost:8080/customer-portal , the application (adapter) side
> will read the offline token from the persistent cookie and then log the
> user in based on that.

The offline token is for a background process or server, so there shouldn't be a persistent cookie. An example flow for a backup application could be:

1. User logs in to backup application
2. App redirects to KC login with scope=offline
3. Backup application stores the offline token in a database
4. User logs out of KC SSO
5. Backup application now wants to execute a backup; it will then retrieve the offline token from the database, send it to Keycloak to obtain an access token, then invoke the data service
6. User opens backup application again and clicks login
7. User is again presented with login screen (as the user isn't logged-in, even though the backup application has offline access)
8. User is now logged-in to backup application and can change settings

> 
> Marek
> 
> 
> On 21/08/15 14:50, Bill Burke wrote:
> >
> > On 8/21/2015 8:09 AM, Marek Posolda wrote:
> >> - Actually, for the frontend adapters (both server and keycloak.js ) I
> >> am thinking about adding the persistent cookie, which will be put on the
> >> application after successful login and is valid for the same time as
> >> the offline token (so a couple of months). When the browser is opened next
> >> time, the adapter will find the cookie and send the validation request
> >> to KC to check if the offline token is still valid. This will allow the
> >> browser application to be logged in with the same offline token for a couple
> >> of months.
> >>
> > I don't understand why you need an offline token for browser
> > applications.  We already support persistent cookies.
> >
> 
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 
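The backup-application flow sketched in the reply above, as an added example that is not code from this thread or from Keycloak itself: a small Python model of the service side (steps 2, 3 and 5), which keeps the offline token in its own store rather than in a browser cookie and later exchanges it for an access token with the refresh_token grant, independent of whether the user's SSO session still exists. The base URL, realm `demo`, client `backup-app` and its secret, and the `offline_access` scope name are assumptions; the token endpoint path is Keycloak's standard one.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumed values (placeholders, not from the thread): KC base URL, realm and confidential client.
KEYCLOAK_BASE = "http://localhost:8080/auth"
REALM = "demo"
CLIENT_ID = "backup-app"
CLIENT_SECRET = "CHANGE-ME"

def token_endpoint(base=KEYCLOAK_BASE, realm=REALM):
    """Keycloak's OpenID Connect token endpoint for a realm."""
    return f"{base}/realms/{realm}/protocol/openid-connect/token"

def login_params(redirect_uri, state):
    """Step 2: redirect parameters to KC login (thread says scope=offline; Keycloak uses offline_access)."""
    return {"client_id": CLIENT_ID, "response_type": "code", "redirect_uri": redirect_uri,
            "state": state, "scope": "openid offline_access"}

class OfflineTokenStore:
    """Step 3: stand-in for the backup app's database; no browser cookie is involved."""
    def __init__(self):
        self._tokens = {}
    def save(self, user_id, offline_token):
        self._tokens[user_id] = offline_token
    def load(self, user_id):
        return self._tokens.get(user_id)

def exchange_body(offline_token):
    """Step 5: an offline token is presented to the token endpoint like a refresh token."""
    return urllib.parse.urlencode({"grant_type": "refresh_token", "refresh_token": offline_token,
                                   "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}).encode()

def _http_post(url, data):
    try:
        with urllib.request.urlopen(url, data=data) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as e:  # Keycloak answers 400 with a JSON error body
        return json.loads(e.read())

def get_access_token(store, user_id, post=_http_post):
    """Step 5, independent of the user's SSO session: load the stored offline token and
    exchange it for a short-lived access token. 'post' is injectable for offline testing."""
    offline_token = store.load(user_id)
    if offline_token is None:
        raise LookupError("no offline token stored; user must log in with offline scope")
    resp = post(token_endpoint(), exchange_body(offline_token))
    if "access_token" not in resp:  # e.g. {"error": "invalid_grant"} once the offline token is revoked
        raise PermissionError(resp.get("error_description") or resp.get("error") or "exchange failed")
    return resp["access_token"]
```

Because the exchange carries only the stored offline token and client credentials, it keeps working after step 4 (SSO logout), while the browser login in step 7 still requires a fresh authentication.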