[keycloak-user] Generate offline token

Marek Posolda mposolda at redhat.com
Tue Nov 3 03:06:45 EST 2015 

On 02/11/15 22:40, Pål Orby wrote:
> It's not an option to create a client for each customer. Currently we 
> have 65 000 customers, and we do not care if they use our API or using 
> us within their browser.
>
> We want to just generate an offline token for a given user? Can 
> someone please tell me how to do it. I've read the documentation, but 
> it not clear for me how to obtain an offline token 
> (http://keycloak.github.io/docs/userguide/keycloak-server/html/timeouts.html#offline-access).
Not sure I understand all the details for your usecase. But the usecase 
like "give me an offline token for this user for this app" can be done 
with usage of direct grant. See here the docs for direct grant 
http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-access-grants.html 
. If you want to retrieve offline token through direct grant, you just 
need to add the parameter "scope=offline_access" to the body of POST 
methods. So instead of just:

username=bburke&password=geheim&grant_type=password

you will use:

username=bburke&password=geheim&grant_type=password&scope=offline_access


But note, that offline token is not a permanent token, which can be 
unlimitedly used for authentication against REST backend services. 
Offline token is just special kind of refresh token, which never 
expires. You can use offline token to "refresh" and retrieve the access 
token, which can itself be used for authentication against REST backend 
services. But the access token has limited lifetime (usually 1 minute). 
So typically once you retrieve offline token, you need to save it in the 
database and always when you need to send request to REST backend, you 
use offline token to retrieve access token and then use this access 
token to send REST request. I suggest to take a look at 
offline_access_app example in the demo.

Marek
>
> Thanks in advance :-)
>
> /Pål
>
> *Pål Orby*
> UNIT4 Agresso AS*
> *Programvareingeniør
> Tlf: 22 58 85 00
> Mobil: 900 91 705
>
> SendRegning - Gjør det enkelt!
> http://www.sendregning.no
> http://facebook.com/sendregning
> http://twitter.com/sendregning
> http://faktura.no
>
> 2015-11-02 12:06 GMT+01:00 Stian Thorgersen <sthorger at redhat.com 
> <mailto:sthorger at redhat.com>>:
>
>     I would create a client for each customer. Enable the service
>     account feature to map roles to the client. Then customers can
>     authenticate either with a secret or signed jwt (public/private
>     key). They can then use the client credentials grant to obtain tokens.
>
>     On 30 Oct 2015 15:37, "Pål Orby" <orby at sendregning.no
>     <mailto:orby at sendregning.no>> wrote:
>
>         Saw your session at JavaZone, so thought we could give KC a
>         try :-)
>
>         Our web application is split on two; frontend
>         (HTML5/Javascript) and our backend (REST lv. 3 developed in
>         Java, currently running inside Tomcat).
>
>         Our frontend is just a consumer of our backend API (just like
>         any other client), and I've successfully configured KC to use
>         openid-connect/public for our frontend with keycloak.js, and
>         openid-connect/bearer-only for our backend (API) in our test
>         environment (sending the Authorization header with Bearer
>         and keycloak.token to backend when doing ajax requests). This
>         work like expected. Even written our own federation doing
>         password validation from our user database.
>
>         But, a lot of our customers have integrated their application
>         to our backend API, doing REST calls for issuing invoices, etc...)
>
>         Most other services that provides you with an API offers
>         tokens that can be used for identification and authentication.
>         And as far as I can see, this is offline tokens in KC.
>
>         So we want to have our users log in to our service with their
>         browser, go to our "API key page" and create a new token to be
>         used by the integrations (moving away from Basic auth).
>
>         I've created an offline token by hitting a keycloak protected
>         html file and requested a resource with parameter
>         ?scope=offline_access. I do see KC gives me a value back:
>         http://localhost/keycloak.html?scope=offline_access&code=HU5UkZ_EbNUjX3Vhmg-3EIhC6Abz5rwhNMy_cuPzpLA.bfa6846d-b8f2-46da-b923-6a2824c82dd6&state=f2c410f3-37dd-4b5b-b933-1aacce916846
>
>         But there is no way I can use this for anything (and in KC it
>         seems to be bound to our frontend application).
>
>         Why can't I use the admin rest api to say something like: give
>         me an offline token for this user for this app?
>
>         /Pål
>
>         2015-10-30 15:06 GMT+01:00 Stian Thorgersen
>         <sthorger at redhat.com <mailto:sthorger at redhat.com>>:
>
>             Heisann,
>
>             Nice to see fellow Norwegians are using Keycloak :)
>
>             For offline tokens the idea is that you'd have a frontend
>             app (server or client, whichever floats your boat) that
>             can bootstrap the offline token.
>
>             Not sure offline tokens is quite what you need though -
>             can you elaborate a bit on your use case?
>
>             On 30 October 2015 at 13:51, Pål Orby <orby at sendregning.no
>             <mailto:orby at sendregning.no>> wrote:
>
>                 We have two clients registered in our realm; frontend
>                 and backend. Frontend is defined openid-connect/public
>                 (HTML/Javascript app) and backend is
>                 openid-connect/bearer-only.
>
>                 How can we generate an offline token for a given user
>                 that can be used towards our backend (which is bearer
>                 only)?
>
>                 We have a lot of customers that is integrated to our
>                 API (which is our backend client).
>
>                 *Pål Orby*
>                 UNIT4 Agresso AS*
>                 *DevOps
>                 Tlf: 22 58 85 00
>                 Mobil: 900 91 705
>
>                 SendRegning - Gjør det enkelt!
>                 http://www.sendregning.no
>                 http://facebook.com/sendregning
>                 http://twitter.com/sendregning
>                 http://faktura.no
>
>                 _______________________________________________
>                 keycloak-user mailing list
>                 keycloak-user at lists.jboss.org
>                 <mailto:keycloak-user at lists.jboss.org>
>                 https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151103/c9638dc6/attachment.html

More information about the keycloak-user mailing list