<div dir="ltr"><div><div>That sounds good. Should I create a Jira ticket for this one?<br><br></div><div>By the way... We are planning to use offline tokens on native mobile client apps. Basically the apps only use KC for authentication (using aerogear oauth2). Do you think that a regular access_token is more suitable for this scenario, rather than the offline token?<br></div><div><br></div>Thanks,<br></div>JM<br></div><div class="gmail_extra"><br><div class="gmail_quote">2016-06-07 8:34 GMT+01:00 Stian Thorgersen <span dir="ltr">&lt;<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">In that case +1 to support offline tokens.</div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On 7 June 2016 at 09:29, Marek Posolda <span dir="ltr">&lt;<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <div>The introspection spec has some
      support for refresh tokens and our impl supports it too. You can
      even provide the
      &quot;token_type_hint&quot; parameter and use either the value
      &quot;access_token&quot; or &quot;refresh_token&quot;.<br>
      <br>
      The offline token is not directly supported, but I am personally
      not seeing an issue for us to be a bit more &quot;clever&quot; and look up
      offline sessions instead of online sessions in case the type of
      the provided token is an offline token?<span><font color="#888888"><br>
      <br>
      Marek</font></span><div><div><br>
      <br>
      On 07/06/16 09:17, Stian Thorgersen wrote:<br>
    </div></div></div><div><div>
    <blockquote type="cite">
      <div dir="ltr">The token introspection endpoint is for access
        tokens though, not refresh tokens and offline tokens. You should
        introspect an access token retrieved using the offline token,
        not the offline token itself.</div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On 7 June 2016 at 08:35, Marek Posolda
          <span dir="ltr">&lt;<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <div>Hi,<br>
                <br>
                it seems that the oauth2 token introspection spec doesn&#39;t
                have any direct support for OIDC offline tokens. However,
                you can possibly create a JIRA for it. Currently it seems
                we consider a token as valid only if there is a valid &quot;online&quot;
                userSession. In case of an offlineToken, it should
                check the &quot;offline&quot; session instead.<br>
                <br>
                Marek
                <div>
                  <div><br>
                    <br>
                    On 06/06/16 19:12, Jorge M. wrote:<br>
                  </div>
                </div>
              </div>
              <blockquote type="cite">
                <div>
                  <div>
                    <div dir="ltr">
                      <div>Hi,<br>
                        <br>
                        I&#39;m using the oauth2 token introspection feature
                        in order to validate and get info about tokens,
                        however I&#39;m not able to get info on
                        offline_tokens. Is that possible? Or does it
                        make sense?<br>
                        <br>
                        Thank you,<br>
                      </div>
                      JM<br>
                    </div>
                    <br>
                  </div>
                </div>
                <pre>_______________________________________________
keycloak-dev mailing list
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
              </blockquote>
              <br>
            </div>
            <br>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
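<div>Added example, not part of the original thread and not Keycloak's code: a minimal Python model of the session lookup discussed above, where introspection consults the offline session store when the presented token is an offline token. The claim names typ and session_state, the type value "Offline", the in-memory stores and make_token are assumptions of this sketch, and signature verification is left out.</div>

```python
import base64
import json
import time

# Hypothetical in-memory stand-ins for the server's two session stores.
ONLINE_SESSIONS = {"sess-online-1"}
OFFLINE_SESSIONS = {"sess-offline-1"}


def make_token(typ, session, exp):
    """Build a constructed, unsigned JWT-shaped sample token."""
    body = json.dumps({"typ": typ, "session_state": session,
                       "exp": exp, "sub": "user-1"}).encode()
    seg = base64.urlsafe_b64encode(body).decode().rstrip("=")
    return "e30." + seg + ".constructed-signature"


def _claims(token):
    """Decode the payload segment; a real server verifies the signature first."""
    seg = token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def introspect(token, now=None, offline_aware=True):
    """Return an RFC 7662 style response: {"active": False} or the claims."""
    now = time.time() if now is None else now
    try:
        claims = _claims(token)
    except (IndexError, ValueError):
        return {"active": False}          # malformed tokens are never active
    exp = claims.get("exp", 0)
    if not isinstance(exp, (int, float)) or now >= exp:
        return {"active": False}
    # offline_aware=False models the reported behaviour: only online sessions count.
    is_offline = claims.get("typ") == "Offline"
    store = OFFLINE_SESSIONS if (is_offline and offline_aware) else ONLINE_SESSIONS
    if claims.get("session_state") not in store:
        return {"active": False}          # session revoked, expired or unknown
    return {"active": True, "sub": claims.get("sub"), "exp": exp,
            "typ": claims.get("typ")}
```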