[keycloak-dev] we do not support offline tokens

Schuster Sebastian (INST/ESY1) Sebastian.Schuster at bosch-si.com
Wed Mar 14 12:22:45 EDT 2018


But that only really makes sense for reference tokens where you need some kind of reference resolution/introspection anyways because otherwise you miss a mechanism to revoke access, right?
Having to introspect a JWT every time it is used for access kind of defeats the purpose of having a self-contained token in the first place...

Best regards,
Sebastian

Best regards

Dr.-Ing.  Sebastian Schuster

Engineering and Support (INST/ESY1) 
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com
Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com

Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr. Stefan Ferber, Michael Hahn




-----Original Message-----
From: Bill Burke [mailto:bburke at redhat.com] 
Sent: Wednesday, 14 March 2018 17:02
To: Schuster Sebastian (INST/ESY1) <Sebastian.Schuster at bosch-si.com>
Cc: Stian Thorgersen <stian at redhat.com>; keycloak-dev <keycloak-dev at lists.jboss.org>
Subject: Re: [keycloak-dev] we do not support offline tokens

On Wed, Mar 14, 2018 at 10:55 AM, Schuster Sebastian (INST/ESY1) <Sebastian.Schuster at bosch-si.com> wrote:
> I always thought an offline token is a long-living refresh token...
>
> Best regards,
> Sebastian
>

Yes, that's how OIDC thinks of offline tokens and how we've implemented it. But Facebook, Kubernetes, OpenShift have the concept of a persistent token that can be used in bearer requests.

Bill
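
The trade-off discussed in this thread, as an added example that is not part of either message and is not Keycloak code: a self-contained JWT verified locally keeps passing until its `exp` after the issuer revokes the session, while a reference token reflects revocation at once because every use goes through introspection. `ToyIssuer`, `verify_jwt_locally`, `accept_reference` and the HS256 shared key are hypothetical names and simplifications chosen for the illustration.

```python
import base64, hashlib, hmac, json, secrets

KEY = b"constructed-demo-key"  # constructed HS256 key; all names here are hypothetical

def b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class ToyIssuer:
    def __init__(self):
        self.sessions = {}    # sid -> claims; entry removed on revocation
        self.references = {}  # opaque reference token -> sid

    def login(self, sub: str, exp: int):
        """Return (jwt, reference_token, sid) for one session."""
        sid = secrets.token_hex(8)
        self.sessions[sid] = claims = {"sub": sub, "exp": exp, "sid": sid}
        head = b64(b'{"alg":"HS256","typ":"JWT"}')
        signing_input = f"{head}.{b64(json.dumps(claims).encode())}"
        sig = hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()
        ref = secrets.token_urlsafe(24)
        self.references[ref] = sid
        return f"{signing_input}.{b64(sig)}", ref, sid

    def revoke(self, sid: str) -> None:
        self.sessions.pop(sid, None)

    def introspect(self, sid, now: int) -> bool:
        """Active only while the session exists and has not expired."""
        claims = self.sessions.get(sid)
        return claims is not None and now < claims["exp"]

def verify_jwt_locally(token: str, now: int):
    """Resource-server check with no call to the issuer; claims or None."""
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64(sig)):
            return None
        claims = json.loads(unb64(body))
    except (ValueError, TypeError):
        return None
    return claims if now < claims.get("exp", 0) else None

def accept_reference(issuer: ToyIssuer, ref: str, now: int) -> bool:
    """A reference token carries no claims, so each use costs one introspection."""
    return issuer.introspect(issuer.references.get(ref), now)
```

With local verification the only bound on a revoked JWT is its lifetime, which is why self-contained access tokens are normally kept short-lived.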


