[keycloak-dev] offline access tokens part 2

Marek Posolda mposolda at redhat.com
Tue Mar 27 02:53:55 EDT 2018


On 27.3.2018 at 04:41, Bill Burke wrote:
> These are my thoughts for implementing offline access tokens:
>
> * offline access tokens MUST be validated.  This means that if they
> are used during bearer token requests, the service must validate the
> token with the token endpoint.
> * These tokens MUST be rejected by older keycloak clients as our
> adapters don't have support for them.
> * offline access tokens will not be stored in the database.  Instead
> they will be JWEs or JWS that link to an offline user session. (our
> current offline access implementation).  They will be revokable just
> like any other offline session and in the same manner.  This makes the
> implementation simple.
>
> * There will be 4 modes for configuring clients
> - client automatically receives offline access tokens (maybe not
> include a refresh token in this case)
> - client may request an offline access token
> - client requires consent before providing an offline access token
> - client is not allowed to ask for offline access tokens (default)
>
> Any other thoughts on this?
How will the client tell that it wants this offline token? Will it be some 
special value of the scope parameter like "scope=persistent_token"?

I can imagine that issuing this token will be handled by a protocol 
mapper? Some protocolMapper implementation which will change the token 
expiration to 0 (which means infinity) and change the token type to 
something like "persistent"?

Once we have clientScopes in, it will be easily possible to ensure that 
this protocolMapper is used just if the "persistent_token" scope is used, as 
the protocolMapper will just be configured on the "persistent_token" client 
scope. However, the clientScopes PR will likely need to wait for a few 
weeks or so...

Marek
>
> Maybe this should be implemented in conjunction with a reference token
> feature too?
>
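
As an added illustration of the protocol mapper sketched in the reply above (example code written for this page, not Keycloak's own implementation and not code from the thread): an OIDC access-token mapper that, when the scope the client requested contains "persistent_token", sets the access token's expiration to 0 and its type to "persistent". The class name, the provider id, the scope check via the client session's "scope" note, and the transformAccessToken signature (the one from the OIDCAccessTokenMapper interface of the Keycloak releases current at the time of the thread, which changed in later versions) are assumptions. Keycloak finds such a mapper through the usual META-INF/services/org.keycloak.protocol.ProtocolMapper registration.

```java
package org.example.keycloak.mappers;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.AccessToken;

/**
 * Hypothetical "persistent token" mapper (example for this page, not Keycloak code).
 *
 * When the client asked for the "persistent_token" scope, the access token is
 * turned into a non-expiring token of type "persistent". Such a token cannot be
 * validated locally by its exp claim any more; a resource server has to check it
 * against the token endpoint, where the linked offline session can be revoked.
 */
public class PersistentTokenMapper extends AbstractOIDCProtocolMapper
        implements OIDCAccessTokenMapper {

    // All three values are assumptions made for this example.
    public static final String PROVIDER_ID = "oidc-persistent-token-mapper";
    public static final String PERSISTENT_SCOPE = "persistent_token";
    public static final String PERSISTENT_TYPE = "persistent";

    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();

    @Override
    public String getId() {
        return PROVIDER_ID;
    }

    @Override
    public String getDisplayCategory() {
        return TOKEN_MAPPER_CATEGORY;
    }

    @Override
    public String getDisplayType() {
        return "Persistent token";
    }

    @Override
    public String getHelpText() {
        return "Issues a non-expiring access token of type 'persistent' when the "
                + PERSISTENT_SCOPE + " scope is requested.";
    }

    @Override
    public List<ProviderConfigProperty> getConfigProperties() {
        return CONFIG;
    }

    @Override
    public AccessToken transformAccessToken(AccessToken token, ProtocolMapperModel mappingModel,
                                            KeycloakSession session, UserSessionModel userSession,
                                            AuthenticatedClientSessionModel clientSession) {
        if (!requestedPersistentScope(clientSession)) {
            // Ordinary request: leave the short-lived token untouched.
            return token;
        }
        // expiration 0 is treated as "never expires" by JsonWebToken.isExpired().
        token.expiration(0);
        // A distinct type lets consumers that insist on "Bearer" refuse the token.
        token.type(PERSISTENT_TYPE);
        return token;
    }

    /** True when the space-separated scope the client sent contains the persistent scope. */
    static boolean requestedPersistentScope(AuthenticatedClientSessionModel clientSession) {
        String scope = clientSession.getNote(OIDCLoginProtocol.SCOPE_PARAM);
        if (scope == null) {
            return false;
        }
        return Arrays.asList(scope.split(" ")).contains(PERSISTENT_SCOPE);
    }
}
```

Two points follow from the design rather than from this particular code: a consumer that only checks exp would accept a type "persistent" token forever, so a resource server must introspect it at the token endpoint and rely on offline-session revocation there; and an adapter that requires typ to be "Bearer" would reject such a token outright, which is the behaviour the first message asks for from older adapters.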
