<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:13px"><div id="yui_3_16_0_1_1440158526182_2913"><span id="yui_3_16_0_1_1440158526182_2998">Hi Marek - My two cents on this:</span></div><div id="yui_3_16_0_1_1440158526182_2913"><span><br></span></div><div id="yui_3_16_0_1_1440158526182_2913"><span id="yui_3_16_0_1_1440158526182_3071">1) Offline tokens can be long lived but must have a way of revoking them. If they are requested by users (see the OpenID Connect spec below), the life should be of shorter duration (a week?); if they are requested by clients, then they can be of much longer duration (up to a year), but there should be a mechanism to refresh/revoke.</span></div><div id="yui_3_16_0_1_1440158526182_2913"><span><br></span></div><div id="yui_3_16_0_1_1440158526182_2913" dir="ltr"><span id="yui_3_16_0_1_1440158526182_2947"><a href="http://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess" id="yui_3_16_0_1_1440158526182_2944">http://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess</a><br></span></div><div id="yui_3_16_0_1_1440158526182_2913" dir="ltr"><br></div><div id="yui_3_16_0_1_1440158526182_2913" dir="ltr">Thanks,</div><div id="yui_3_16_0_1_1440158526182_2913" dir="ltr">Raghu</div><br> <div style="font-family: times new roman, new york, times, serif; font-size: 13px;" id="yui_3_16_0_1_1440158526182_2978"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;" id="yui_3_16_0_1_1440158526182_2977"> <div dir="ltr" id="yui_3_16_0_1_1440158526182_2976"> <hr size="1" id="yui_3_16_0_1_1440158526182_3038"> <font size="2" face="Arial" id="yui_3_16_0_1_1440158526182_2975"> <b><span style="font-weight:bold;">From:</span></b> Marek Posolda &lt;mposolda@redhat.com&gt;<br> <b><span style="font-weight: bold;">To:</span></b> "keycloak-dev@lists.jboss.org" &lt;keycloak-dev@lists.jboss.org&gt; <br> <b><span style="font-weight: bold;">Sent:</span></b> Friday, August 21, 2015 7:30 AM<br> <b><span style="font-weight: bold;">Subject:</span></b> [keycloak-dev] Offline tokens<br> </font> </div> <div class="y_msg_container" id="yui_3_16_0_1_1440158526182_2999"><br>Some thoughts around offline tokens impl:<br><br>- Client has switch "Allow offline tokens". Offline token can be requested only if the switch is enabled.<br><br>- Offline token can be requested if parameter "scope=offline" is sent. Offline token is sent alone; no IDToken or refreshToken is sent together with it.<br>Question: Should offline tokens be available only for ResourceOwnerPasswordCredentials and ServiceAccounts, or also for the classic web-based authorization code flow?<br><br>- There are methods on UserModel to track which offline tokens were issued for a particular user. Like:<br><br>List&lt;String&gt; getOfflineTokens();<br>void addOfflineToken(String offlineToken);<br>void removeOfflineToken(String offlineToken);<br><br>- Offline token will never expire. Or should we eventually add another timeout for offline token (with some big default value like 1 month or so)?<br><br>- Offline token is not refreshable.<br><br>- Offline token can be validated by the current OIDC endpoint for token validation. Offline token is not valid if UserModel doesn't have the token anymore on it. But offline token is still valid even if the corresponding UserSession doesn't exist. So we can still have offline tokens valid for 1 year even if SsoSessionMaxLifespan is just 10 hours.<br><br>- Offline token can be logged out. Logout will remove the offline token from the corresponding UserModel.<br><br>- In the Account management applications page, the user can see the list of offline tokens issued for individual clients and can revoke them. Not sure whether to add another "Revoke offline token" action or use the current "Revoke grant" action, which will revoke both consents and offline tokens?<br><br>- Admin can see the offline tokens for a user in the admin console and can revoke them too. The current button "Logout All" in the sessions tab will revoke offline tokens from all users. For performance reasons, we may need a method on UserProvider, so it's possible to clean the whole DB table "OFFLINE_TOKEN" (similarly for Mongo) instead of iterating through all users.<br><br>- For adapters, we should likely have an option so the REST endpoint adapter has the possibility to validate an offline token by always sending a validation request to the KC server. We didn't need it for access tokens, which are valid for just 1 minute or so, but offline tokens are long lived, so the adapter should have this possibility IMO.<br><br>WDYT?<br><br>Marek<br>_______________________________________________<br>keycloak-dev mailing list<br><a ymailto="mailto:keycloak-dev@lists.jboss.org" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br><a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br><br><br></div> </div> </div> </div></body></html>
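As an added example, not Keycloak code and not code from either poster: a small in-memory Python model of the semantics Marek proposes (the "Allow offline tokens" client switch, scope=offline, per-user token tracking, validation that ignores the SSO UserSession, "Revoke grant" and "Logout All") combined with Raghu's suggested lifetimes. The class and method names and the concrete lifetimes in seconds are assumptions made for the example.

```python
from __future__ import annotations
import secrets
from dataclasses import dataclass, field
# Lifetimes follow Raghu's suggestion; the exact seconds are our assumption.
USER_REQUESTED_LIFETIME = 7 * 24 * 3600      # user-requested: about a week
CLIENT_REQUESTED_LIFETIME = 365 * 24 * 3600  # client-requested: up to a year

@dataclass
class OfflineToken:
    value: str
    client_id: str
    expires_at: float

@dataclass
class UserModel:
    # Stands in for the proposed UserModel: offline tokens are tracked per user.
    username: str
    offline_tokens: dict[str, OfflineToken] = field(default_factory=dict)
    sso_session_expires_at: float | None = None  # UserSession end; never consulted below

class OfflineTokenService:
    def __init__(self, clients_allowing_offline: set[str]) -> None:
        self.clients_allowing_offline = clients_allowing_offline  # "Allow offline tokens" switch

    def issue(self, user: UserModel, client_id: str, scope: str, by_client: bool, now: float) -> str:
        if client_id not in self.clients_allowing_offline:
            raise PermissionError("client does not allow offline tokens")
        if "offline" not in scope.split():
            raise ValueError("scope=offline was not requested")
        lifetime = CLIENT_REQUESTED_LIFETIME if by_client else USER_REQUESTED_LIFETIME
        tok = OfflineToken(secrets.token_urlsafe(32), client_id, now + lifetime)
        user.offline_tokens[tok.value] = tok  # addOfflineToken
        return tok.value

    def validate(self, user: UserModel, token: str, now: float) -> bool:
        # Valid only while still registered on the user and unexpired; the SSO UserSession is ignored.
        tok = user.offline_tokens.get(token)
        return tok is not None and now < tok.expires_at

    def revoke_grant(self, user: UserModel, client_id: str) -> int:
        # Account-management "Revoke grant": drop every offline token of one client.
        doomed = [v for v, t in user.offline_tokens.items() if t.client_id == client_id]
        for v in doomed:
            del user.offline_tokens[v]  # removeOfflineToken
        return len(doomed)

    def logout_all(self, users: list[UserModel]) -> None:
        # Admin "Logout All": revoke offline tokens for every user at once.
        for u in users:
            u.offline_tokens.clear()
```

A token issued for a user remains valid long after that user's 10-hour SSO session has ended, and stops being valid the moment it is removed from the user, which is the behaviour the proposal describes.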