<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 07/06/16 14:26, Jorge M. wrote:<br>
</div>
<blockquote
cite="mid:CAHEpHRLPmsXeyed_nJASfijaLr11__WwTc91HioDoESddmPHWA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>That sounds good. Should I create a Jira ticket for this
one?<br>
</div>
</div>
</div>
</blockquote>
Yes<br>
<blockquote
cite="mid:CAHEpHRLPmsXeyed_nJASfijaLr11__WwTc91HioDoESddmPHWA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div><br>
</div>
<div>By the way... We are planning to use offline tokens on
native mobile client apps. Basically the apps only use KC
for authentication (using aerogear oauth2). Do you think
that a regular access_token is more suitable for this
scenario, rather than the offline token?<br>
</div>
</div>
</div>
</blockquote>
It depends on the use case. An access token is always valid for just
a few minutes and can be used to invoke 3rd party REST services,
whereas an offline token is just a special type of refresh token. It
can be used only for refreshing and retrieving new accessTokens, but
it can't be used to invoke 3rd party REST services. The only
difference between an offline token and a refresh token is that the
offline token is long-lived and valid for days or weeks. So once you
authenticate to Keycloak and you have an offlineToken, you can use
this offlineToken after a very long time to "refresh" and retrieve a
new accessToken, and then use this retrieved accessToken to invoke
3rd party REST endpoints.<br>
<br>
Marek<br>
<blockquote
cite="mid:CAHEpHRLPmsXeyed_nJASfijaLr11__WwTc91HioDoESddmPHWA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div><br>
</div>
Thanks,<br>
</div>
JM<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2016-06-07 8:34 GMT+01:00 Stian
Thorgersen <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>&gt;</span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">In that case +1 to support offline tokens.</div>
<div class="HOEnZb">
<div class="h5">
<div class="gmail_extra"><br>
<div class="gmail_quote">On 7 June 2016 at 09:29,
Marek Posolda <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:mposolda@redhat.com"
target="_blank">mposolda@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>The introspection spec has some support
for refresh tokens and our impl supports it
too. You can even provide the "token_type_hint"
parameter and use either the value
"access_token" or "refresh_token".<br>
<br>
The offline token is not directly supported,
but I am personally not seeing an issue for us
to be a bit more "clever" and look up offline
sessions instead of online sessions in case
that type of provided token is offline token?<span><font
color="#888888"><br>
<br>
Marek</font></span>
<div>
<div><br>
<br>
On 07/06/16 09:17, Stian Thorgersen wrote:<br>
</div>
</div>
</div>
<div>
<div>
<blockquote type="cite">
<div dir="ltr">The token introspection
endpoint is for access tokens though,
not refresh tokens and offline tokens.
You should introspect an access token
retrieved using the offline token, not
the offline token itself.</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 7 June 2016
at 08:35, Marek Posolda <span
dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:mposolda@redhat.com"
target="_blank">mposolda@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF"
text="#000000">
<div>Hi,<br>
<br>
it seems that the OAuth2 token
introspection spec doesn't have
any direct support for OIDC
offline tokens. However, you can
possibly create a JIRA for it.
Currently it seems we consider a
token valid only if there is a
valid "online" userSession. In
the case of an offlineToken, it should
check the "offline" session instead.
<br>
<br>
Marek
<div>
<div><br>
<br>
On 06/06/16 19:12, Jorge M.
wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">
<div>Hi,<br>
<br>
I'm using the OAuth2
token introspection
feature in order to
validate and get info
about tokens, however
I'm not able to
get info on
offline_tokens. Is that
possible? Or does it
make sense?<br>
<br>
Thank you,<br>
</div>
JM<br>
</div>
<br>
<fieldset></fieldset>
<br>
</div>
</div>
<pre>_______________________________________________
keycloak-dev mailing list
<a moz-do-not-send="true" href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a>
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
<br>
</div>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
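The flow discussed in this thread, as an added example that is not code from any participant or from Keycloak: exchange the offline token at the token endpoint, then introspect the resulting access token with "token_type_hint". The base URL, client credentials, token strings and the fake_server transport are all constructed assumptions so the exchange runs offline.

```python
import time
from urllib.parse import parse_qs, urlencode

# Assumed realm base URL and client; every token and response below is constructed.
BASE = "https://kc.example.test/auth/realms/demo/protocol/openid-connect"
CLIENT = {"client_id": "mobile-app", "client_secret": "constructed-secret"}

def refresh(send, offline_token):
    """RFC 6749 section 6: an offline token is presented like any refresh token."""
    form = dict(CLIENT, grant_type="refresh_token", refresh_token=offline_token)
    return send(BASE + "/token", urlencode(form))

def introspect(send, token, hint):
    """RFC 7662 section 2.1 request; hint is 'access_token' or 'refresh_token'."""
    if hint not in ("access_token", "refresh_token"):
        raise ValueError("unsupported token_type_hint: %r" % hint)
    form = dict(CLIENT, token=token, token_type_hint=hint)
    return send(BASE + "/token/introspect", urlencode(form))

def usable(claims, now):
    """Accept only a response that is explicitly active and not yet expired."""
    exp = claims.get("exp")
    return claims.get("active") is True and isinstance(exp, int) and exp > now

def check_offline_token(send, offline_token, now=None):
    """Validate an offline token by exchanging it, then introspecting the access token."""
    now = int(time.time()) if now is None else now
    tokens = refresh(send, offline_token)
    if "access_token" not in tokens:      # refresh refused: offline token unusable
        return False
    return usable(introspect(send, tokens["access_token"], "access_token"), now)

def fake_server(url, body):
    """Constructed stand-in transport mimicking the behaviour described in the thread."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if url.endswith("/token/introspect"):
        if form["token"] == "constructed-access":
            return {"active": True, "exp": 2_000_000_300, "client_id": form["client_id"]}
        return {"active": False}          # offline token: no online session found
    if form.get("refresh_token") == "constructed-offline":
        return {"access_token": "constructed-access", "expires_in": 300}
    return {"error": "invalid_grant"}

if __name__ == "__main__":
    print(introspect(fake_server, "constructed-offline", "refresh_token"))
    print(check_offline_token(fake_server, "constructed-offline", now=2_000_000_000))
```

Replace fake_server with a real HTTP POST function returning the parsed JSON body to run the same exchange against a server.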
</body>
</html>