[keycloak-user] Generate offline token
Bill Burke
bburke at redhat.com
Fri Oct 30 10:41:17 EDT 2015
You can obtain tokens from a non-browser client. We have two types:

- session-based tokens: These are associated with an in-memory (cluster
  aware) session and have a short expiration (minutes), but can be
  refreshed with a refresh token. These sessions can be closed
  automatically if they are idle too long.
- offline tokens: They are persisted and have much longer expiration
  times. They do have timeouts, but these times are generally much longer.

On 10/30/2015 10:36 AM, Pål Orby wrote:
> Saw your session at JavaZone, so thought we could give KC a try :-)
>
> Our web application is split in two; frontend (HTML5/Javascript) and our
> backend (REST lv. 3 developed in Java, currently running inside Tomcat).
>
> Our frontend is just a consumer of our backend API (just like any other
> client), and I've successfully configured KC to use
> openid-connect/public for our frontend with keycloak.js, and
> openid-connect/bearer-only for our backend (API) in our test environment
> (sending the Authorization header with Bearer and keycloak.token to
> backend when doing ajax requests). This works as expected. Even written
> our own federation doing password validation from our user database.
>
> But, a lot of our customers have integrated their application to our
> backend API, doing REST calls for issuing invoices, etc.
>
> Most other services that provide you with an API offer tokens that can
> be used for identification and authentication. And as far as I can see,
> these are offline tokens in KC.
>
> So we want to have our users log in to our service with their browser,
> go to our "API key page" and create a new token to be used by the
> integrations (moving away from Basic auth).
>
> I've created an offline token by hitting a keycloak protected html file
> and requested a resource with parameter ?scope=offline_access. I do see
> KC gives me a value back:
> http://localhost/keycloak.html?scope=offline_access&code=HU5UkZ_EbNUjX3Vhmg-3EIhC6Abz5rwhNMy_cuPzpLA.bfa6846d-b8f2-46da-b923-6a2824c82dd6&state=f2c410f3-37dd-4b5b-b933-1aacce916846
>
> But there is no way I can use this for anything (and in KC it seems to
> be bound to our frontend application).
>
> Why can't I use the admin rest api to say something like: give me an
> offline token for this user for this app?
>
> /Pål
>
> 2015-10-30 15:06 GMT+01:00 Stian Thorgersen <sthorger at redhat.com>:
>
> Heisann,
>
> Nice to see fellow Norwegians are using Keycloak :)
>
> For offline tokens the idea is that you'd have a frontend app
> (server or client, whichever floats your boat) that can bootstrap
> the offline token.
>
> Not sure offline tokens is quite what you need though - can you
> elaborate a bit on your use case?
>
> On 30 October 2015 at 13:51, Pål Orby <orby at sendregning.no> wrote:
>
> We have two clients registered in our realm; frontend and
> backend. Frontend is defined openid-connect/public
> (HTML/Javascript app) and backend is openid-connect/bearer-only.
>
> How can we generate an offline token for a given user that can
> be used towards our backend (which is bearer only)?
>
> We have a lot of customers that are integrated with our API (which
> is our backend client).
>
> *Pål Orby*
> UNIT4 Agresso AS
> DevOps
> Tlf: 22 58 85 00
> Mobil: 900 91 705
>
> SendRegning - Gjør det enkelt!
> http://www.sendregning.no
> http://facebook.com/sendregning
> http://twitter.com/sendregning
> http://faktura.no
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
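
Added example, not part of the original thread or of the Keycloak project's code: the `code` value in the redirect URL quoted above is an OAuth 2.0 authorization code, which the client trades at the realm's token endpoint for tokens; an integration then presents the offline token in a refresh grant to obtain short-lived access tokens for the Bearer header. The base URL, realm `demo`, client id `frontend`, helper names and sample tokens are assumptions, as is relying on Keycloak's `typ` claim (`Offline` vs `Refresh`) to tell the two token types apart.

```python
import base64
import json
from urllib.parse import urlencode

# Assumptions for illustration: server base URL, realm and client id.
KEYCLOAK = "http://localhost:8080/auth"
REALM = "demo"
CLIENT_ID = "frontend"

def token_endpoint(base=KEYCLOAK, realm=REALM):
    """OpenID Connect token endpoint of a Keycloak realm."""
    return f"{base}/realms/{realm}/protocol/openid-connect/token"

def code_exchange_form(code, redirect_uri, client_id=CLIENT_ID):
    """POST body that trades the ?code=... redirect parameter for tokens.
    redirect_uri must equal the one used in the authorization request."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri, "client_id": client_id})

def refresh_form(refresh_token, client_id=CLIENT_ID):
    """POST body an integration sends to get a fresh access token."""
    return urlencode({"grant_type": "refresh_token",
                      "refresh_token": refresh_token, "client_id": client_id})

def jwt_claims(token):
    """Decode a JWT payload for inspection only (signature NOT verified)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_kind(refresh_token):
    """Assumption: Keycloak sets typ to "Offline" or "Refresh"."""
    typ = jwt_claims(refresh_token).get("typ")
    return {"Offline": "offline", "Refresh": "session"}.get(typ, "unknown")

def make_sample(claims):
    """Constructed, unsigned sample token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])

if __name__ == "__main__":
    offline = make_sample({"typ": "Offline", "aud": CLIENT_ID})
    print("POST", token_endpoint())
    print(refresh_form(offline))
    print("kind:", token_kind(offline))
```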