[keycloak-user] Generate offline token

Marek Posolda mposolda at redhat.com
Tue Nov 3 07:49:04 EST 2015


On 03/11/15 09:32, Thomas Raehalme wrote:
> On Tue, Nov 3, 2015 at 10:23 AM, Stian Thorgersen <sthorger at redhat.com> wrote:
>
>     * Create service account for customers - they can then use this to
>     obtain a token (offline or standard refresh) using REST endpoints
>     on Keycloak
>
>
> Sorry to step in, but could you please explain the use case or the 
> reasoning for offline tokens on service accounts? If I have understood 
> it correctly, you'll still need clientId and secret to generate the 
> access token from the offline token. Why not just use them to log in 
> whenever necessary? Thanks!
We support offline tokens for service accounts because there is no 
reason (bad side effect) for not supporting it. Or at least I am not 
aware of any. Are you? Adding this support came "for free".

One use case where it can be useful is, for example, if you have an 
offline token and you don't know how this offline token was 
authenticated (if it was direct grant, service account or browser). You 
can send the refresh token request with this token regardless of the 
offline token type, as the refreshToken endpoint is the same for all 
cases.

Marek
>
> Best regards,
> Thomas
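The refresh request discussed in this thread, as an added example that is not part of the original messages or Keycloak's own code: it builds the same `refresh_token` grant for offline tokens obtained three different ways and shows the request shape does not change, while the client ID and secret are still sent. The host `sso.example.com`, realm `demo`, client `customer-app`, the secret and the tokens are constructed placeholders; the path assumes Keycloak's OpenID Connect token endpoint under the `/auth` context.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode
from urllib.request import Request

# Assumed deployment values (placeholders, not from the thread).
BASE_URL = "https://sso.example.com/auth"
REALM = "demo"

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying it (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def build_refresh_request(client_id, client_secret, offline_token):
    """Build the refresh grant; nothing depends on how the token was issued."""
    form = urlencode({
        "grant_type": "refresh_token",
        "refresh_token": offline_token,
        "client_id": client_id,
        "client_secret": client_secret,  # still needed for a confidential client
    }).encode()
    url = f"{BASE_URL}/realms/{REALM}/protocol/openid-connect/token"
    return Request(url, data=form, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})

def constructed_token(claims):
    """Constructed sample token with a fake signature, for offline use only."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.fake-signature"

def demo():
    """Map each (constructed) token origin to the shape of its refresh request."""
    shapes = {}
    for origin in ("browser", "direct-grant", "service-account"):
        # Keycloak marks offline tokens with the claim "typ": "Offline".
        tok = constructed_token({"typ": "Offline", "sub": f"via-{origin}"})
        req = build_refresh_request("customer-app", "constructed-secret", tok)
        shapes[origin] = (jwt_claims(tok)["typ"], req.get_method(), req.full_url,
                          tuple(sorted(parse_qs(req.data.decode()))))
    return shapes

if __name__ == "__main__":
    print(demo())
```

The request is only built, not sent, so the block runs without a Keycloak server.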