[keycloak-user] Token refresh from Android native app

Corinne Krych corinnekrych at gmail.com
Sun Nov 2 17:30:25 EST 2014


On 02 Nov 2014, at 23:10, Frank French <Frank.French at causeway.com> wrote:

> 
> I’m currently using the browser to initially log in to my app. After the user credentials have been validated I intercept the URL containing the code and use that on the resource /realms/myrealm/tokens/access/codes to convert the code into a token. I am then able to use the embedded access token for subsequent API calls. This works fine until the access token expires.
> 
> When the access token expires the service returns a 401. At present the only way I can get past this is to redirect the user back to the login page and start the above process again (creates another session). I would only expect to have to do this if the SSO idle timeout had been reached (it hasn’t). I’ve looked through the API docs and found the resource /realms/myrealm/token/refresh. I’ve tried using this resource but have failed miserably. Could someone please explain how to use this resource or point me somewhere else if I’ve got it completely wrong.
> 

Access token expires. There is another way to track expiration (rather than the 401) thanks to the expiration date provided when the access token is delivered. Checking if the token is expired:
See:
https://github.com/aerogear/aerogear-android-authz/blob/master/aerogear-android-authz%2Fsrc%2Fmain%2Fjava%2Forg%2Fjboss%2Faerogear%2Fandroid%2Fimpl%2Fauthz%2Foauth2%2FOAuth2AuthzService.java#L86

Be aware that Keycloak implements renewal of refresh tokens: every time you renew an access token, you get a new refresh token to update.
Besides, in Keycloak, the refresh token also expires. In the case of an expired refresh token, the only way forward will be to ask for grant again.

Here is an example of how to issue the request on Android:
https://github.com/aerogear/aerogear-android-authz/blob/master/aerogear-android-authz%2Fsrc%2Fmain%2Fjava%2Forg%2Fjboss%2Faerogear%2Fandroid%2Fimpl%2Fauthz%2Foauth2%2FOAuth2AuthzService.java#L214
I think you should go without adding it to header. Be cautious about the query param formatting.

++
Corinne
—————
iOS dev

> Example code below. 
> 
> private JWSToken refreshToken(String accessToken, String refreshToken) throws IOException, InvalidTokenException{
>       JWSToken token = null;
>       
>       String url = "http://127.0.0.1:8080/auth/realms/myrealm/tokens/refresh";
>       //String query = "refresh_token=" + refreshToken;
>       //String query = "refresh_token=" + refreshToken + "client_id=" + CLIENT_ID;
>       String query = "refresh_token=" + refreshToken + "client_id=" + CLIENT_ID + "grant_type=refresh_token";
>       //Tried all the above
> 
>       HttpPost httppost = new HttpPost(url);
>       httppost.addHeader("Authorization", "Bearer " + accessToken); //401 with 400 without
>       httppost.addHeader("Content-Type", "application/x-www-form-urlencoded");
>       
>       ByteArrayEntity entity = new ByteArrayEntity(query.getBytes());
>       httppost.setEntity(entity);
>       HttpResponse response = httpclient.execute(httppost);
> 
>       int status = response.getStatusLine().getStatusCode();
> 
>       if (status == HttpStatus.SC_OK){
>          InputStream stream = null;
> 
>          try{
>             stream = response.getEntity().getContent();
> 
>             ObjectMapper mapper = new ObjectMapper();
>             token = mapper.readValue(stream, JWSToken.class);
>          }finally{
>             if (stream != null){
>                stream.close();
>             }
>          }
>       }else{
>          throw new InvalidTokenException();
>       }
>       
>       return token;
>    }
> 
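
The points made in the reply (track expiry from the token response instead of waiting for a 401, keep the rotated refresh token, and format the form parameters carefully) can be sketched as follows. This is an added example, not code from the thread or from aerogear-android-authz; the class name, the `my-app` client id and the token values are constructed, and sending `client_id` in the body is an assumption about how the client is registered.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical helper: holds token state and builds the refresh request body.
public class RefreshTokenExample {
    private String accessToken;
    private String refreshToken;
    private long expiresAtMillis;

    // Store the tokens from a token response; expires_in is in seconds (RFC 6749).
    void update(String access, String refresh, long expiresInSec, long nowMillis) {
        accessToken = access;
        // Refresh tokens are rotated: replace the stored one when a new one arrives.
        if (refresh != null) refreshToken = refresh;
        expiresAtMillis = nowMillis + expiresInSec * 1000L;
    }

    // Refresh slightly before expiry (skew) rather than reacting to a 401.
    boolean needsRefresh(long nowMillis, long skewMillis) {
        return nowMillis >= expiresAtMillis - skewMillis;
    }

    // application/x-www-form-urlencoded: every value encoded, pairs joined with '&'.
    String refreshBody(String clientId) throws UnsupportedEncodingException {
        Map<String, String> params = new LinkedHashMap<String, String>();
        params.put("grant_type", "refresh_token");
        params.put("refresh_token", refreshToken);
        params.put("client_id", clientId); // assumption: client identified in the body
        StringBuilder body = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (body.length() > 0) body.append('&');
            body.append(URLEncoder.encode(e.getKey(), "UTF-8")).append('=')
                .append(URLEncoder.encode(e.getValue(), "UTF-8"));
        }
        return body.toString();
    }

    public static void main(String[] args) throws Exception {
        RefreshTokenExample tokens = new RefreshTokenExample();
        tokens.update("access-1", "refresh/1+a=", 300, 0L);       // constructed values
        System.out.println(tokens.needsRefresh(280000L, 30000L)); // inside the skew window
        System.out.println(tokens.refreshBody("my-app"));         // reserved chars encoded
        tokens.update("access-2", "refresh-2", 300, 280000L);     // rotated refresh token
        System.out.println(tokens.refreshBody("my-app"));         // body uses the new token
    }
}
```

The resulting string is what would be sent as the POST entity with `Content-Type: application/x-www-form-urlencoded`.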
