[keycloak-dev] Shouldn't external token by stored in UserSession?
Bill Burke
bburke at redhat.com
Tue Mar 24 08:29:33 EDT 2015
What I'm saying is that for non-social brokering, any stored token is
invalid after logout. The app will obtain the external token via its ID
or access token, or it will have to go to a token exchange service,
which, itself is access token secured.
storing an external token each login requires a write to the user database.
On 3/24/2015 8:24 AM, Bill Burke wrote:
> Still doesn't require that the tokens be stored.
>
> On 3/24/2015 1:33 AM, Stian Thorgersen wrote:
>> It's not always specific to a UserSession. The tokens obtained from a provider may be offline tokens to provide permanent access. For example if an application wants permanent access to Google and Facebook those providers can be configured with the offline scope, which would provide access even if the user didn't log-in the current session with either of those providers.
>>
>> A logged in user could have one token that's used to login a specific session, but also a number of other tokens that have not been used to login the specific session, but that has been used in the past, or was used when setting up the link initially.
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke at redhat.com>
>>> To: keycloak-dev at lists.jboss.org
>>> Sent: Monday, 23 March, 2015 3:10:56 PM
>>> Subject: [keycloak-dev] Shouldn't external token by stored in UserSession?
>>>
>>> Why is the external token stored in actual user storage
>>> (FederatedIdentityModel). The token is really something specific to the
>>> UserSession and belongs there.
>>>
>>> Also, there may not be one single item for "external token". For
>>> example, OIDC has both an IDToken and access token. The IDToken is
>>> actually used to perform a logout according to the OIDC logout profile.
>>>
>>> Right now, our code is storing the AccessTokenResponse for OIDC, and the
>>> entire login response for SAML.
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the keycloak-dev
mailing list