[keycloak-dev] apps access to and refresh of facebook tokens
Bill Burke
bburke at redhat.com
Wed Mar 4 09:11:26 EST 2015
On 3/4/2015 3:18 AM, Stian Thorgersen wrote:
>> It should work fine if we need to support just refreshing by backend
>> requests. If we also need to support redirecting, it could be more
>> tricky as we would need to pass servletResponse to the method somehow as
>> well...
>
> -1 To refreshing by redirect
>
I think you're missing a lot of how external tokens will be used and
what environments they will be deployed into. Furthermore I think your
refresh and token embedding concerns are either overblown, non-existent,
add extra complexity to the user, or hurt performance for common setups.
Finally, automatic refreshing needs to happen in order for logout to
work properly.
* Facebook tokens can only be refreshed by redirect.
* REST services will not be able to refresh Facebook tokens because of
the redirect requirement
* Facebook short-lived tokens last for hours. Long-lived tokens last
for 60 days.
* Twitter tokens don't expire.
* OIDC does not have a Single Logout Service like SAML does. This means
that the only way to determine if a parent OIDC Broker has logged out
the user is to try and refresh the token.
* REST services should not have to hit the auth-server for *EVERY REQUEST*.
* clients should not have to manage external tokens, unless of course
they want to. Consider a pure OAuth example where you have an OAuth
client that doesn't know anything about the access token format. This
OAuth client is talking to a REST service. Your proposed default setup
requires the REST service to hit the auth server every single request.
* Keycloak controlled external tokens can be refreshed automatically
without network calls.
I guess we need the token exchange service, but such a service is
something that will only be needed in rare cases otherwise. Letting
Keycloak handle external tokens automatically reduces code the user has
to write and takes request load off of the Keycloak auth server.
Your concern that refreshing tokens automatically will hurt performance
is just bogus. Automatic token refresh can't even be done with
Facebook. You don't even need token refresh for Facebook because
long-lived tokens last 60 days. Refresh isn't even needed for Twitter
as their tokens last forever. OIDC brokered tokens need to have refresh
called to determine if the session has been logged out from the parent
broker.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
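The two points above about brokered OIDC tokens (refresh is the only way to learn the parent broker logged the user out, and a still-valid token should be reused without a network call) as an added, constructed example; this is illustration code, not Keycloak's implementation. `UpstreamIdp` is a stand-in for the parent provider's token endpoint, and the `invalid_grant` response follows RFC 6749 section 5.2.

```python
import time
from dataclasses import dataclass, field


@dataclass
class UpstreamIdp:
    """Constructed stand-in for the parent OIDC broker's token endpoint."""
    alive: dict = field(default_factory=dict)  # refresh_token -> session still alive?
    calls: int = 0                              # counts token-endpoint hits

    def login(self, refresh_token):
        self.alive[refresh_token] = True

    def logout(self, refresh_token):
        # The parent broker ends the session; there is no single-logout
        # callback to the child, so the child only notices on refresh.
        self.alive[refresh_token] = False

    def token_endpoint(self, grant_type, refresh_token):
        self.calls += 1
        if grant_type != "refresh_token":
            return {"error": "unsupported_grant_type"}
        if not self.alive.get(refresh_token):
            return {"error": "invalid_grant"}  # RFC 6749 s5.2: revoked/expired
        return {"access_token": "at-" + refresh_token, "expires_in": 3600}


@dataclass
class BrokeredSession:
    """Child-side view of an external token obtained through the parent broker."""
    idp: UpstreamIdp
    refresh_token: str
    access_token: str
    expires_at: float
    active: bool = True

    def ensure_fresh(self, now=None):
        """Return True if the session is usable; refresh only when needed.

        A refresh rejected with invalid_grant is treated as upstream logout
        and the local session is deactivated."""
        now = time.time() if now is None else now
        if not self.active:
            return False
        if now < self.expires_at:
            return True                      # still valid: no network call
        resp = self.idp.token_endpoint("refresh_token", self.refresh_token)
        if "error" in resp:
            self.active = False              # propagate parent logout locally
            return False
        self.access_token = resp["access_token"]
        self.expires_at = now + resp["expires_in"]
        return True
```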