[keycloak-dev] Offline tokens - step 1
Bill Burke
bburke at redhat.com
Mon Sep 21 08:43:59 EDT 2015
On 9/21/2015 6:06 AM, Marek Posolda wrote:
> I've sent the PR. Right now it works like this:
>
> - ClientModel has a flag "offlineTokensEnabled". It's possible to
> retrieve offline tokens only if the flag is enabled.
>
> - An offline token is a classic refresh token with 2 differences. It has type
> "OFFLINE", whereas a normal refresh token has type "REFRESH". And for an offline
> token, the expiration value is 0, so it never expires.
>
> - An offline token is generated by the auth-server when the client sends
> "scope=offline_access". It's supported for the classic browser flow, but
> also for the Direct Grant flow or the Service account flow.
>
> - I've added OfflineClientSessionModel and OfflineUserSessionModel with
> CRUD methods on UserModel. So when a new offline token is generated by
> Keycloak, some info about the current UserSession and ClientSession is
> persisted on UserModel. This means that the offline token can be used to
> create a new access token even if the "normal" UserSession and ClientSession
> are already invalid or logged out.
>
You have to move this out of UserModel. UserModel may be backed 99% by
a UserFederationProvider. In the near future, UserFederationProvider
users may all sit in memory for only the lifetime of the session.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
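The issuance and validation rules described in the quoted PR summary, as an added example that is not Keycloak's own code: a client flag gating "offline_access", an OFFLINE token carrying exp 0 that stays usable after the normal session is logged out, and a REFRESH token that does not. The Client, SessionStore, claim names and REFRESH_TTL are assumptions made for this illustration.

```python
from dataclasses import dataclass, field

# Hypothetical models, not Keycloak's classes: only the fields the thread mentions.
@dataclass
class Client:
    client_id: str
    offline_tokens_enabled: bool = False

@dataclass
class SessionStore:
    # Constructed stand-ins for the live UserSession/ClientSession ids and for
    # the offline sessions persisted when an offline token is issued.
    active_sessions: set = field(default_factory=set)
    offline_sessions: set = field(default_factory=set)

REFRESH_TTL = 1800  # seconds; assumed value, not a Keycloak default

def issue_refresh_token(client, user, session_id, scope, store, now):
    """Build refresh-token claims. `scope` is the space-separated OAuth scope string."""
    wants_offline = "offline_access" in scope.split()
    if wants_offline and not client.offline_tokens_enabled:
        # Client not allowed to obtain offline tokens: refuse, do not silently downgrade.
        raise PermissionError(f"client {client.client_id} may not request offline_access")
    if wants_offline:
        # Persist the session so the token survives logout of the normal session.
        store.offline_sessions.add((user, client.client_id, session_id))
        return {"typ": "OFFLINE", "sub": user, "azp": client.client_id,
                "session_state": session_id, "exp": 0}
    store.active_sessions.add(session_id)
    return {"typ": "REFRESH", "sub": user, "azp": client.client_id,
            "session_state": session_id, "exp": now + REFRESH_TTL}

def logout(store, session_id):
    """Normal logout invalidates the live session but not a persisted offline session."""
    store.active_sessions.discard(session_id)

def refresh_token_is_valid(claims, store, now):
    """Decide whether a refresh token may be exchanged for a new access token."""
    if claims["typ"] == "OFFLINE":
        # exp == 0 means "never expires"; validity rests solely on the persisted
        # offline session, which is the only thing an admin can revoke.
        key = (claims["sub"], claims["azp"], claims["session_state"])
        return key in store.offline_sessions
    if claims["typ"] == "REFRESH":
        not_expired = claims["exp"] > now
        return not_expired and claims["session_state"] in store.active_sessions
    return False  # unknown token type: reject
```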