[keycloak-dev] offline access tokens part 2

Bill Burke bburke at redhat.com
Mon Mar 26 22:41:46 EDT 2018


These are my thoughts for implementing offline access tokens:

* offline access tokens MUST be validated.  This means that if they
are used during bearer token requests, the service must validate the
token with the token endpoint.
* These tokens MUST be rejected by older keycloak clients as our
adapters don't have support for them.
* offline access tokens will not be stored in the database.  Instead
they will be JWEs or JWSs that link to an offline user session (our
current offline access implementation).  They will be revocable just
like any other offline session and in the same manner.  This makes the
implementation simple.

* There will be 4 modes for configuring clients
- client automatically receives offline access tokens (maybe not
include a refresh token in this case)
- client may request an offline access token
- client requires consent before providing an offline access token
- client is not allowed to ask for offline access tokens (default)

Any other thoughts on this?

Maybe this should be implemented in conjunction with a reference token
feature too?

-- 
Bill Burke
Red Hat
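Added example, editor's code rather than Keycloak's or the author's: a small Python model of the design sketched in the post. An offline access token is a JWS whose claims point at a server-side offline user session, that session can be revoked, and a resource server that receives such a token as a bearer token must check it against the authorization server rather than trusting the signature alone. The four client modes are applied at token issuance. Assumptions not taken from the post: HS256 with a shared key stands in for the realm's asymmetric signing keys, the claim names "typ": "OfflineAccess" and "offline_session_id" are invented for the demo, and the `introspect` callable stands in for the HTTP round trip to the token endpoint.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def peek_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying it; used only to route the token."""
    return json.loads(_unb64url(token.split(".")[1]))


def sign_jws(claims: dict, key: bytes) -> str:
    # Demo-only HS256; a real realm signs with an asymmetric key.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jws(token: str, key: bytes, now: int):
    """Signature and exp check only. Knows nothing about revoked sessions."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(payload))
    except ValueError:
        return None
    return claims if claims.get("exp", 0) > now else None


class AuthServer:
    """Issues tokens under the four client modes and answers introspection."""

    MODES = ("auto", "on_request", "consent", "disallowed")

    def __init__(self, key: bytes):
        self._key = key
        self._offline_sessions = {}  # offline_session_id -> active flag (assumed store)

    def _offline_access_token(self, sub, azp, now, ttl=3600):
        sid = secrets.token_urlsafe(16)
        self._offline_sessions[sid] = True  # the session the token links to
        return sign_jws({"typ": "OfflineAccess", "sub": sub, "azp": azp,
                         "offline_session_id": sid, "exp": now + ttl}, self._key)

    def token_request(self, client_mode, sub, azp, offline_requested=False,
                      consent_given=False, now=None):
        if client_mode not in self.MODES:
            raise ValueError(f"unknown client mode {client_mode!r}")
        now = int(time.time()) if now is None else now
        if client_mode == "auto":  # always an offline access token, no refresh token
            return {"access_token": self._offline_access_token(sub, azp, now)}
        if not offline_requested:  # ordinary short-lived bearer token plus refresh token
            return {"access_token": sign_jws({"typ": "Bearer", "sub": sub, "azp": azp,
                                              "exp": now + 300}, self._key),
                    "refresh_token": secrets.token_urlsafe(32)}
        if client_mode == "disallowed":
            raise PermissionError("client is not allowed to ask for offline access tokens")
        if client_mode == "consent" and not consent_given:
            raise PermissionError("user consent required before issuing an offline access token")
        return {"access_token": self._offline_access_token(sub, azp, now),
                "refresh_token": secrets.token_urlsafe(32)}

    def revoke_offline_session(self, sid):
        self._offline_sessions[sid] = False

    def introspect(self, token, now):
        """Stand-in for the token endpoint: signature, expiry, then session state."""
        claims = verify_jws(token, self._key, now)
        if claims is None:
            return {"active": False}
        if claims.get("typ") == "OfflineAccess" and not \
                self._offline_sessions.get(claims.get("offline_session_id"), False):
            return {"active": False}
        return {"active": True, "sub": claims["sub"], "azp": claims["azp"], "typ": claims["typ"]}


class ResourceServer:
    """Bearer-token consumer: offline access tokens are never accepted on signature alone."""

    def __init__(self, verify_key, introspect):
        self._verify_key = verify_key  # realm key used for local checks
        self._introspect = introspect  # stands in for an HTTP call to the IdP

    def authorize(self, bearer, now=None):
        now = int(time.time()) if now is None else now
        try:
            offline = peek_claims(bearer).get("typ") == "OfflineAccess"
        except (ValueError, IndexError, AttributeError):
            return False
        if offline:
            return bool(self._introspect(bearer, now)["active"])
        return verify_jws(bearer, self._verify_key, now) is not None
```

The routing decision reads the unverified payload, which is safe here because "typ" is inside the signed part: a forged or altered token fails verification on either path, and a genuine offline access token cannot be relabelled to dodge the introspection call. After the linked offline session is revoked, `verify_jws` still accepts the token while `introspect` reports it inactive, which is exactly why the post makes the endpoint check mandatory for these tokens.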

