[keycloak-user] always-refresh-token and admin rest api

Marek Posolda mposolda at redhat.com
Fri Apr 17 11:48:47 EDT 2015


On 17.4.2015 13:30, Benjamin Hansmann [alphaApps] wrote:
> Greetings. Following up on my post from yesterday, I have more specific
> questions.
>
> I plan to use keycloak with my REST service for mobile apps as follows:
>
> Option A:
> 1 A user sends a REST registration request to my webapp and the webapp
> adapts the request to the local keycloak admin rest api.
> 2 When the user is created he can then authenticate to keycloak via the
> direct access grant rest api and receives an access token.
> 3 The issued access token should be valid for only one request, so I
> specified the option "always-refresh-token": true in my webapp's
> keycloak.json file.
>
> Option B:
> 1 Mobile app forms the HTTP POST request to the user registration page.
> 2 and 3 as in Option A
>
> Option C:
> 1 Use a user federation provider and create users in my webapp's
> datasource.
> 2 and 3 as in Option A
>
> Question regarding all options:
> How is the "always-refresh-token" option supposed to work? I supplied
> the option as stated above but I am still able to reuse access tokens
> that were issued from the direct access grant service. Another question
> is how this token refreshing should be implemented on the client side.
> Do I have to invoke the direct access grant api to obtain a new token
> for every request, or can the issued "refresh_token" be used on
> subsequent requests, with a new refresh token somehow included in the
> response of my service?
This option is used for servlet adapters. Each HTTP request to the 
servlet frontend application (for example "customer-portal" or 
"product-portal" from our demo) will send a back-channel request to the 
Keycloak auth-server and will refresh the token. You can try changing 
our demo and adding the option, for example to the customer-portal 
keycloak.json: 
https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/webapp/WEB-INF/keycloak.json 
and then check in the application that the accessToken is different in 
each request: 
https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L56 
.

This option has no effect for bearer-only applications, as those are 
authenticated by the accessToken sent from a different application and 
they don't support any token refreshing at all. It also doesn't have any 
effect for the direct grant API (we don't have any adapter for the direct 
grant API; people are expected to invoke the HTTP request to retrieve 
the accessToken from the auth-server with the direct grant API by 
themselves, as shown in the documentation or in the admin-access-app 
example).

Marek
>
> Question regarding option C:
> When creating users in my own database which serves as a federation
> provider I lose some keycloak functionality like Email verification and
> so on, right?
>
> I am also not sure which option to use. What would you suggest?
>
> Feature request:
> It would be great to have a keycloak REST API for registration and user
> self-service in order to fulfill the demands of mobile applications.
>
> Best regards,
> Benjamin
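Added example, not code from this thread or from Keycloak: the refresh loop a direct-grant client has to drive itself, run offline against two constructed stand-ins, a token endpoint that answers grant_type=password and grant_type=refresh_token, and a bearer-only verifier that checks only signature and exp. The form-field names, the client_id "mobile-app", the user "alice", the TTLs and the HS256 signing key are assumptions for the demo (Keycloak signs with the realm's RSA key). It models why reusing an access token after refreshing works: refreshing hands the client a new access token but leaves the earlier one untouched, and a stateless bearer check accepts it until its exp. It also shows the endpoint rejecting an access token presented as a refresh token.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # assumption: HMAC key shared by the two stand-ins only

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    """HS256 stand-in for the realm's RS256 signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes, now: float) -> dict:
    """Stateless check as a bearer-only adapter does it: signature and exp, nothing else."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64url(body))
    if claims["exp"] <= now:
        raise PermissionError("token expired")
    return claims

class FakeTokenEndpoint:
    """Stand-in for the realm token endpoint. Assumption: the client POSTs
    grant_type=password or grant_type=refresh_token as form fields."""
    ACCESS_TTL, REFRESH_TTL = 300, 1800

    def __init__(self, users: dict):
        self.users = users  # constructed username -> password table
        self.issued = 0

    def post(self, form: dict, now: float) -> dict:
        grant = form.get("grant_type")
        if grant == "password":
            if self.users.get(form.get("username")) != form.get("password"):
                return {"error": "invalid_grant"}
            sub = form["username"]
        elif grant == "refresh_token":
            try:
                claims = verify_jwt(form.get("refresh_token", ""), SECRET, now)
            except (PermissionError, ValueError):
                return {"error": "invalid_grant"}
            if claims.get("typ") != "Refresh":  # an access token is not a refresh token
                return {"error": "invalid_grant"}
            sub = claims["sub"]
        else:
            return {"error": "unsupported_grant_type"}
        self.issued += 1  # feeds jti so tokens minted within one second still differ
        mint = lambda typ, ttl: sign_jwt(
            {"sub": sub, "typ": typ, "exp": now + ttl, "jti": f"{self.issued}-{typ}"}, SECRET)
        return {"access_token": mint("Bearer", self.ACCESS_TTL),
                "refresh_token": mint("Refresh", self.REFRESH_TTL)}

class DirectGrantClient:
    """What no adapter does for a direct-grant client: keep both tokens and re-POST for fresh ones."""

    def __init__(self, endpoint, client_id: str, username: str, password: str):
        self.endpoint, self.client_id = endpoint, client_id
        self.username, self.password = username, password
        self.access_token = self.refresh_token = None

    def login(self, now: float) -> None:
        self._post({"grant_type": "password", "username": self.username, "password": self.password}, now)

    def refresh(self, now: float) -> None:
        self._post({"grant_type": "refresh_token", "refresh_token": self.refresh_token}, now)

    def _post(self, form: dict, now: float) -> None:
        resp = self.endpoint.post({"client_id": self.client_id, **form}, now)
        if "error" in resp:
            raise PermissionError(resp["error"])
        self.access_token, self.refresh_token = resp["access_token"], resp["refresh_token"]

def accepts(token: str, at: float) -> bool:
    # Would the bearer-only stand-in serve a request carrying this token at time `at`?
    try:
        return bool(verify_jwt(token, SECRET, at))
    except (PermissionError, ValueError):
        return False

def demo(now: float = 1_700_000_000.0) -> dict:
    endpoint = FakeTokenEndpoint({"alice": "s3cret"})  # constructed user
    client = DirectGrantClient(endpoint, "mobile-app", "alice", "s3cret")
    client.login(now)
    first = client.access_token
    client.refresh(now + 1)  # refresh before the next request; the client has to drive this itself
    second = client.access_token
    # The superseded token was never invalidated; a stateless verifier accepts it until exp.
    return {"rotated": first != second,
            "first_still_valid": accepts(first, now + 2),
            "second_valid": accepts(second, now + 2),
            "first_after_expiry": accepts(first, now + FakeTokenEndpoint.ACCESS_TTL + 1),
            "access_as_refresh_rejected": "error" in endpoint.post(
                {"grant_type": "refresh_token", "refresh_token": first}, now + 2)}
```

Calling demo() returns rotated=True, first_still_valid=True, second_valid=True, first_after_expiry=False and access_as_refresh_rejected=True: the client can rotate on every request, but a single-use access token would need server-side state on the resource side, which a signature-plus-exp check does not provide.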


