[keycloak-dev] offline access permission incorrect?

Marek Posolda mposolda at redhat.com
Wed Apr 4 08:12:12 EDT 2018


Yes, but users can theoretically be aware of it and manually add 
"scope=offline_access" to the URL and have the offline token 
successfully issued. Our public clients are allowed to request offline 
tokens, so the user will have an offline token as well and can use it any time later 
without requiring another re-authentication. But I am not sure if it's a real 
concern or not...

I agree we can remove this. We can see if people claim that they want to add it back...


Marek

On 4.4.2018 at 14:00 Bill Burke wrote:
> Users don't request offline access.  Applications do.  Users will not
> even know about OIDC, OAuth, offline access etc...
>
> On Wed, Apr 4, 2018 at 7:48 AM, Marek Posolda <mposolda at redhat.com> wrote:
>> I was thinking that people may have a use case where they don't want to allow
>> all users to automatically ask for offline tokens? Currently offline_access is
>> a realm default role, so all users are automatically allowed to "request"
>> offline tokens. But I was thinking that someone may also want the opposite
>> use case. For example, allow just the admin user to request offline tokens, but
>> ensure that other users are not allowed to request them.
>>
>> If you think so, we can remove this capability. We can see if people claim
>> that they want to add it back :) Nobody specifically requested that
>> capability; it has been there since the beginning of the offline token support.
>>
>> In the clientScope PR, there is an "offline_access" client scope, but the
>> "offline_access" realm role is also still there and is assigned as a "role
>> scope mapping" to the offline_access clientScope. So the clientScope PR still
>> requires users to be in the "offline_access" role. If you want to change the
>> behaviour, it would be nice to do that after the clientScope PR is merged;
>> however, if it blocks you, it's likely fine to do it now. The clientScope PR
>> would then need to be updated later as there would be some conflicts...
>>
>> Marek
>>
>>
>> On 3.4.2018 at 11:21 Stian Thorgersen wrote:
>>
>>> +1
>>>
>>> On 3 April 2018 at 00:16, Bill Burke <bburke at redhat.com> wrote:
>>>
>>>> To enable offline access, the user must have the offline access role
>>>> and the client must have that role in its scope...
>>>>
>>>> This just doesn't seem right to me.  IMO, this shouldn't be something
>>>> you assign as a permission to a user.  It's solely a client permission and
>>>> should not be role-based.  Instead the client should be
>>>> marked as allowing to ask for offline access and whether or not the
>>>> client must ask for consent for this.
>>>>
>>>> --
>>>> Bill Burke
>>>> Red Hat
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>



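To make the two permission models in this thread concrete, here is an added toy model (not Keycloak code; all class, function and constant names are hypothetical and the sample users, clients and authorization URL are constructed). It simplifies the rules exactly as the e-mails describe them: in the current model an offline token is issued when the request carries scope=offline_access, the user holds the offline_access realm role, and the client has that role in its scope; in the proposed model the decision is a per-client flag plus optional consent. The add_offline_scope helper reproduces the scenario Marek raises, a user hand-editing the authorization URL that a public client built without that scope.

```python
"""
Toy model of the offline_access permission check as discussed on keycloak-dev.
This is an added illustration, not Keycloak's implementation: names are
hypothetical and the rules are a simplification of what the thread describes.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse, urlunparse, parse_qs, urlencode

OFFLINE_SCOPE = "offline_access"


@dataclass
class Client:
    client_id: str
    public: bool
    scope_roles: set = field(default_factory=set)  # current model: role scope mappings
    allow_offline: bool = False                     # proposed model: explicit client flag
    consent_required: bool = False                  # proposed model: ask the user first?


@dataclass
class User:
    username: str
    roles: set                                      # realm roles, e.g. the default offline_access


def requested_scopes(authz_url: str) -> set:
    """Scopes named in the space-separated 'scope' parameter of an authorization request URL."""
    qs = parse_qs(urlparse(authz_url).query)
    return set(" ".join(qs.get("scope", [])).split())


def add_offline_scope(authz_url: str) -> str:
    """What a curious user can do by hand: append offline_access to the scope parameter."""
    parts = urlparse(authz_url)
    qs = parse_qs(parts.query)
    scopes = set(" ".join(qs.get("scope", [])).split()) | {OFFLINE_SCOPE}
    qs["scope"] = [" ".join(sorted(scopes))]
    return urlunparse(parts._replace(query=urlencode(qs, doseq=True)))


def role_based_allows_offline(user: User, client: Client, authz_url: str) -> bool:
    """Current model: scope requested AND user holds the realm role AND client has the role in scope."""
    if OFFLINE_SCOPE not in requested_scopes(authz_url):
        return False
    return OFFLINE_SCOPE in user.roles and OFFLINE_SCOPE in client.scope_roles


def client_flag_allows_offline(client: Client, authz_url: str, consent_given: bool) -> bool:
    """Proposed model: purely a client property, optionally gated on user consent."""
    if OFFLINE_SCOPE not in requested_scopes(authz_url):
        return False
    if not client.allow_offline:
        return False
    return consent_given or not client.consent_required


# Constructed sample data (hypothetical realm, users and clients).
APP_URL = ("https://idp.example/realms/demo/protocol/openid-connect/auth"
           "?client_id=webapp&response_type=code&scope=openid"
           "&redirect_uri=https://app.example/cb")
ALICE = User("alice", roles={"user", OFFLINE_SCOPE})   # offline_access is a realm default role
BOB = User("bob", roles={"user"})                       # role removed by an admin
WEBAPP = Client("webapp", public=True, scope_roles={OFFLINE_SCOPE})      # never meant to go offline
BATCH_CLI = Client("batch-cli", public=False, allow_offline=True, consent_required=True)


if __name__ == "__main__":
    tampered = add_offline_scope(APP_URL)
    print("app-built URL, role model:   ", role_based_allows_offline(ALICE, WEBAPP, APP_URL))
    print("user-edited URL, role model: ", role_based_allows_offline(ALICE, WEBAPP, tampered))
    print("user-edited URL, client flag:", client_flag_allows_offline(WEBAPP, tampered, True))
    print("batch-cli with consent:      ", client_flag_allows_offline(BATCH_CLI, tampered, True))
```

Under the role-based rules the public webapp client, which merely has the default role in its scope, hands alice an offline token as soon as she appends the scope herself; under the client-flag rules the same request is refused because webapp was never marked as allowed, while batch-cli still needs the user's consent before it gets one.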