[keycloak-dev] Offline tokens

Marek Posolda mposolda at redhat.com
Mon Aug 31 09:34:28 EDT 2015


On 31/08/15 15:17, Stian Thorgersen wrote:
>
> ----- Original Message -----
>> From: "Marek Posolda" <mposolda at redhat.com>
>> To: "Bill Burke" <bburke at redhat.com>, keycloak-dev at lists.jboss.org
>> Sent: Monday, 31 August, 2015 3:06:48 PM
>> Subject: Re: [keycloak-dev] Offline tokens
>>
>> Actually the KEYCLOAK_IDENTITY cookie is persistent just for the configured
>> idle timeout (like 30 minutes). But for the offline token, I imagine we
>> want to support the scenario where the user authenticates to his application
>> after a week of inactivity or so.
> You sure - is it not the SSO max lifespan?
You're right. I failed to read the code, 1st day after pto ;-)
>
>> Here I meant the cookie will be on the application side, not on the KC
>> side. When the user opens his browser and goes to
>> http://localhost:8080/customer-portal , the application (adapter) side
>> will read the offline token from the persistent cookie and then log the
>> user in based on that.
> The offline token is for a background process or server, so there shouldn't be a persistent cookie. An example flow for a backup application could be:
>
> 1. User logs in to backup application
> 2. App redirects to KC login with scope=offline
> 3. Backup application stores the offline token in a database
> 4. User logs out of KC SSO
> 5. Backup application now wants to execute a backup, it will then retrieve the offline token from the database, send it to Keycloak to obtain an access token, then invoke the data service
> 6. User opens the backup application again and clicks login
> 7. User is again presented with login screen (as the user isn't logged-in, even though the backup application has offline access)
> 8. User is now logged-in to backup application and can change settings
Ah, ok. So SSO logout won't automatically invalidate the offline token. The user 
would need to do it in account management.

Marek
>
>> Marek
>>
>>
>> On 21/08/15 14:50, Bill Burke wrote:
>>> On 8/21/2015 8:09 AM, Marek Posolda wrote:
>>>> - Actually, for the frontend adapters (both server and keycloak.js) I
>>>> am thinking about adding a persistent cookie, which will be put on the
>>>> application after successful login and is valid for the same time as
>>>> the offline token (so a couple of months). When the browser is opened next
>>>> time, the adapter will find the cookie and send a validation request
>>>> to KC to check if the offline token is still valid. This will allow the
>>>> browser application to be logged in with the same offline token for a couple
>>>> of months.
>>>>
>>> I don't understand why you need an offline token for browser
>>> applications.  We already support persistent cookies.
>>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>

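As an added example (not code from this thread or from the Keycloak project): the backup-application side of the flow Stian lists above, covering the redirect with the offline scope (step 2), storing the offline token in the app's own database (step 3), exchanging it for an access token at the token endpoint when a backup runs (step 5), and the point Marek draws out at the end, that SSO logout leaves the token valid and only revocation in account management kills it, which the app sees as a 400 invalid_grant from the token endpoint. The endpoint paths, the `offline_access` scope name (the standard OIDC name released Keycloak uses where the thread writes `scope=offline`) and the `typ == "Offline"` claim match shipped Keycloak; prepend `/auth` to the base URL on older installs. The realm, client id, user, token values and the `FakeKeycloak` stand-in for the token endpoint are constructed for the demo so it runs offline.

```python
import base64
import json
import sqlite3
import urllib.error
import urllib.parse
import urllib.request

class OfflineAccessRevoked(Exception):
    """Keycloak no longer accepts the stored offline token (or none is stored)."""

def login_url(base_url, realm, client_id, redirect_uri, state):
    # Step 2: redirect to KC login asking for offline access. Released Keycloak
    # uses the standard OIDC scope name "offline_access".
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": "openid offline_access",
              "state": state}
    return (f"{base_url}/realms/{realm}/protocol/openid-connect/auth?"
            + urllib.parse.urlencode(params))

def open_store(path=":memory:"):
    # Step 3: the app's own database; sqlite keeps the demo self-contained.
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS offline_tokens "
                 "(user_id TEXT PRIMARY KEY, token TEXT NOT NULL)")
    return conn

def save_offline_token(conn, user_id, token_response):
    # Keycloak hands the offline token back in the refresh_token field.
    conn.execute("INSERT OR REPLACE INTO offline_tokens VALUES (?, ?)",
                 (user_id, token_response["refresh_token"]))
    conn.commit()

def load_offline_token(conn, user_id):
    row = conn.execute("SELECT token FROM offline_tokens WHERE user_id = ?",
                       (user_id,)).fetchone()
    return row[0] if row else None

def jwt_claims(token):
    # Decode (not verify) the payload; offline tokens carry typ == "Offline",
    # so the app can refuse to store an ordinary refresh token by mistake.
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def is_offline_token(token):
    return jwt_claims(token).get("typ") == "Offline"

def default_post(url, form):
    # Real HTTP POST to the token endpoint; returns (status, parsed JSON body).
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(form).encode(), method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")

def access_token_for_backup(conn, user_id, token_endpoint, client_id,
                            client_secret, post=default_post):
    # Step 5: trade the stored offline token for a fresh access token. SSO
    # logout leaves the token valid; revocation in account management makes
    # Keycloak answer 400 invalid_grant, so the app drops it and re-logs in.
    offline = load_offline_token(conn, user_id)
    if offline is None:
        raise OfflineAccessRevoked("no offline token stored for " + user_id)
    status, body = post(token_endpoint, {
        "grant_type": "refresh_token", "refresh_token": offline,
        "client_id": client_id, "client_secret": client_secret})
    if status == 400 and body.get("error") == "invalid_grant":
        conn.execute("DELETE FROM offline_tokens WHERE user_id = ?", (user_id,))
        conn.commit()
        raise OfflineAccessRevoked(body.get("error_description", "revoked"))
    if status != 200:
        raise RuntimeError("token endpoint returned %s: %s" % (status, body))
    return body["access_token"]

# Constructed stand-ins so the flow runs offline; neither is Keycloak code.
def fake_jwt(claims):
    enc = lambda o: base64.urlsafe_b64encode(
        json.dumps(o).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."

class FakeKeycloak:
    def __init__(self, valid_offline_tokens):
        self.valid = set(valid_offline_tokens)
        self.issued = 0

    def revoke(self, token):  # what the user does in account management
        self.valid.discard(token)

    def post(self, url, form):
        if (form.get("grant_type") != "refresh_token"
                or form.get("refresh_token") not in self.valid):
            return 400, {"error": "invalid_grant",
                         "error_description": "offline token revoked"}
        self.issued += 1
        return 200, {"access_token": "access-%d" % self.issued,
                     "refresh_token": form["refresh_token"]}
```

Against a real server, call `access_token_for_backup` with the default `post` and the realm's `.../protocol/openid-connect/token` URL; the `invalid_grant` branch is the one that matters operationally, because it is the only signal the backup job gets that the user pulled offline access in account management, and the right reaction is to discard the stored token rather than retry.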