[keycloak-dev] Offline tokens - step 1

Marek Posolda mposolda at redhat.com
Mon Sep 21 08:27:47 EDT 2015 

On 21/09/15 12:28, pslegr wrote:
>
>
> On 21.9.2015 12:06, Marek Posolda wrote:
>> I've sent the PR . Right now it works like this:
>>
>> - ClientModel has flag "offlineTokensEnabled" . It's possible to
>> retrieve offline tokens just if flag is enabled
>>
>> - Offline token is classic refresh token with 2 differences. It has type
>> "OFFLINE" when normal refresh token has type "REFRESH" . And for offline
>> token, the expiration value is 0, so it never expires.
> Just an idea.
> Have you ever thought, in terms of expiration, not only
> about refresh vs. never expires
> BUT also about defining the exact time of expiration ?
> for example validity for 1 Month, 1 year, 3 years ... etc.
> This would offer the possibility on the fly generate the so called; 
> "offline license tokens", which are
> then used for different lifetime periods.
> IMHO this might extend the usage for Keycloak into the license 
> providers field ;)
We have already some support for required action "Terms & Condition" at 
the keycloak server level. AFAIK user needs to confirm "Terms & 
Conditions" page when he has that required action set on him. You have 
also possibility to customize the content of the page.

  I wonder if this required action can be used for time based licences 
as well? Like for example you will have possibility to configure that 
validity of licence is 1 year, so after 1 year will be required action 
added to user automatically and he will need to confirm it again during 
login?

The possibility you mentioned is about handling licence agreement at the 
client level by the application itself if I understand correctly? So 
application will save offline token and the token is valid for 3 years, 
so application will display the licence screen when it notifies that 
offline token is expired. Am I understand correctly?

IMO extend the current Terms & Conditions action for expiration after 
some time looks better to me, as you won't need to do any more coding in 
your application. Just set the timeout for Terms&Conditions (or licence 
) action at keycloak admin console.

Marek
>>
>> - Offline token is generated by auth-server when client sends
>> "scope=offline_access" . It's supported for classic browser flow, but
>> also for Direct Grant flow or Service account flow.
>>
>> - I've added OfflineClientSessionModel and OfflineUserSessionModel with
>> CRUD methods on UserModel. So when new offline token is generated by
>> Keycloak, some info about current UserSession and ClientSession is
>> persisted on UserModel. This means that offline token can be used to
>> create new access token even if "normal" UserSession and ClientSession
>> are already invalid or logged out.
>>
>> - When refreshing access token with offline token, the auth-server won't
>> send back another refresh token. It will send just accessToken +
>> IDToken. This is to avoid writes to user database for each token 
>> refresh.
>>
>> - In account management applications tab, there is new table column
>> "Additional grants" where is shown if client has offline token for user.
>> The click on "Revoke" button will remove offline tokens and granted
>> consents as well - no separate actions for revoke consents and offline
>> tokens.
>>
>>
>> Still TODO:
>> - Properly handle consents (see "Questions" below)
>>
>> - More tests, example, export/import , docs
>>
>> - More things/refactoring based on your feedback
>>
>>
>> Questions:
>> - The specs mentions that consent should be displayed when offline token
>> is requested. See
>> http://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess .
>> Right now, I am not doing that. So when Client has "isConsentRequired"
>> as false, the consent screen is not displayed. Now we also don't have
>> support for "prompt=consent" (not sure if we need this) . Is it ok to
>> keep it like this?
>>
>> - I am thinking about adding new builtin client role "offline_access",
>> which will be created for client when admin enables "offline tokens"
>> switch. It will be used also as default role. This will allow that just
>> some users are allowed to obtain offline-token (those which have this
>> role). The role will be also displayed on consent screen for the
>> clients, which needs consent.
>> But that raises another question. IMO it will be good if role is
>> requested and displayed on consent screen just if offline token is
>> requested, but not when classic refresh token is requested.
>>
>> Hence I was thinking about adding the flag "scopeParamMode" to
>> RoleModel. The value true means that role will be requested and used in
>> accessToken/refreshToken just if scope parameter contains it's value.
>> This will be the setup for "offline_access" role, so it's used just for
>> the offline token requests. Another thing is format of scope parameter
>> with respect to realm roles and application roles. We can use "//" as
>> delimiter, so realm role will have just "my-role" but client role will
>> have "my-client//my-role" . The disadvantage is that for requesting
>> offline_access you will then need to use scope like:
>> "scope=customer-portal//offline_access" as it's client role.
>>
>> WDYT? Any better idea?
>>
>> Marek
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

More information about the keycloak-dev mailing list