[keycloak-dev] we do not support offline tokens

Stian Thorgersen sthorger at redhat.com
Wed Mar 14 08:51:04 EDT 2018


An offline token would just be an access token with a long expiration time,
right?

Isn't that a bit tricky from a security perspective and also from the fact
that you can't really invalidate the token? So all services would need to
check the token with the token introspection endpoint.

Could we fill the same use-case with some sort of reference token instead?
A short UUID that can be exchanged for a token using the token exchange
service perhaps?

On 13 March 2018 at 22:15, Bill Burke <bburke at redhat.com> wrote:

> Correct me if I'm wrong, but we don't support the concept of an
> offline token, right?  Just an offline refresh token?
>
> Probably something we will have to support as Kubernetes, OpenShift,
> and many of the social providers have a similar concept of a permanent
> persisted access token.
>
> --
> Bill Burke
> Red Hat
>
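
The trade-off raised in this thread, as an added example that is not part of the original messages and is not Keycloak code: a long-lived self-contained token keeps passing local verification until it expires, while an opaque reference handle can be revoked at the issuer and only ever yields short-lived tokens. The HMAC token format, `ReferenceTokenStore` and every name below are hypothetical stand-ins.

```python
import base64, hashlib, hmac, json, secrets, uuid

KEY = secrets.token_bytes(32)  # constructed signing key, for this demo only

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _ref_key(handle: str) -> str:
    # Store only a hash of the handle, so a leaked store exposes no usable handles.
    return hashlib.sha256(handle.encode()).hexdigest()

def mint_access_token(sub: str, ttl: int, now: float) -> str:
    """Self-contained HMAC-signed token (a stand-in for a signed JWT)."""
    body = _b64(json.dumps({"sub": sub, "exp": now + ttl}).encode())
    sig = _b64(hmac.new(KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_locally(token: str, now: float):
    """What a service does without introspection: check signature and exp only."""
    body, _, sig = token.partition(".")
    expected = _b64(hmac.new(KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return claims if claims["exp"] > now else None

class ReferenceTokenStore:
    """Hypothetical issuer-side store mapping an opaque handle to a subject."""
    def __init__(self):
        self._refs = {}

    def issue(self, sub: str) -> str:
        handle = str(uuid.uuid4())  # uuid4 draws from os.urandom
        self._refs[_ref_key(handle)] = sub
        return handle

    def revoke(self, handle: str) -> None:
        self._refs.pop(_ref_key(handle), None)

    def exchange(self, handle: str, now: float, ttl: int = 300):
        """Swap the handle for a short-lived access token; None once revoked."""
        sub = self._refs.get(_ref_key(handle))
        return mint_access_token(sub, ttl, now) if sub else None
```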

