[keycloak-dev] we do not support offline tokens

Stian Thorgersen sthorger at redhat.com
Wed Mar 14 15:07:41 EDT 2018


I think the short tokens issued by the likes of OpenShift are primarily used
for authentication, not access. As such it's more a short ID token than an
actual access token.

I could see us doing something similar with allowing users to generate
these short tokens that can be used to authenticate and obtain
refresh/access tokens instead of using username/password.

On 14 March 2018 at 17:46, Pedro Igor Silva <psilva at redhat.com> wrote:

> I think Facebook, kube and OpenShift have different requirements. They can
> use persistent tokens because they have complete control over their
> lifetime and they are targeted to be used within their environments.
>
> Facebook in particular acts as both AS and resource server.
>
> On Wed, Mar 14, 2018 at 1:02 PM, Bill Burke <bburke at redhat.com> wrote:
>
>> On Wed, Mar 14, 2018 at 10:55 AM, Schuster Sebastian (INST/ESY1)
>> <Sebastian.Schuster at bosch-si.com> wrote:
>> > I always thought an offline token is a long-living refresh token...
>> >
>> > Best regards,
>> > Sebastian
>> >
>>
>> Yes, that's how OIDC thinks of offline tokens and how we've
>> implemented it.  But Facebook, Kubernetes, OpenShift have the concept
>> of a persistent token that can be used in bearer requests.
>>
>> Bill