[keycloak-user] How to authenticate using offline refresh_token

Mariusz Chruscielewski - Info.nl mariusz at info.nl
Thu Apr 6 03:58:26 EDT 2017


Hi Marek, sorry for the previous message - it actually works well in 2.5.5. I made a mistake and was still using 2.5.0, not 2.5.5 - after a proper upgrade, it works.

Regards
Mariusz

-----Original Message-----
From: Marek Posolda [mailto:mposolda at redhat.com] 
Sent: Tuesday 4 April 2017 21:53
To: Mariusz Chruscielewski - Info.nl <mariusz at info.nl>; Marko Strukelj <mstrukel at redhat.com>
Cc: keycloak-user <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] How to authenticate using offline refresh_token

The access token itself is valid for just a few minutes. When the access token has expired, you need the offline token to send a request to refresh the access token (retrieve a new access token).

I suggest looking at our example in the keycloak-examples distribution under the "preconfigured-demo/offline-access-app" directory.

Marek

On 04/04/17 19:24, Mariusz Chruscielewski - Info.nl wrote:
> Hi Marko, it isn’t the problem. It works with lowercase as long as SSO Session Idle time isn’t over.
>
> I think there has to be some different method to check if you are 
> using access_token issued by using offline_refresh_token
>
> When I do authorization call using offline refresh_token, I don’t see new session open in keycloak admin console.
>
> Any other ideas?
>
> Regards
> Mariusz
>
> From: Marko Strukelj [mailto:mstrukel at redhat.com]
> Sent: Tuesday 4 April 2017 19:11
> To: Mariusz Chruscielewski - Info.nl <mariusz at info.nl>
> Cc: keycloak-user <keycloak-user at lists.jboss.org>
> Subject: Re: [keycloak-user] How to authenticate using offline 
> refresh_token
>
> Maybe try:
>
> Authorization: Bearer {access_token}
>
> (uppercase Bearer)
>
>
> On Apr 4, 2017 18:41, "Mariusz Chruscielewski - Info.nl" <mariusz at info.nl> wrote:
> Hi,
>
> We are using the scope=offline_token param to get a refresh_token that is valid for a long time, then we make this call:
>
> grant_type=refresh_token&client_id=xxxx&scope=offline_access&refresh_token={refresh_token}
>
> to get access_token, and that call returns access_token with status 200. Next step is to call our custom REST Endpoint using authorization header:
>
> Authorization: bearer {access_token}
>
> But in Keycloak itself, when we try to check if the token is valid:
>
> private final AuthenticationManager.AuthResult auth;
>
> public EntitlementResourceProvider(KeycloakSession session, String abosUrl, String abosUsername, String abosPassword) {
>          this.session = session;
>          this.auth = new AppAuthManager().authenticateBearerToken(session, session.realms().getRealm(Constants.XXXXXXX));
> }
>
> this.auth is null, when I was debugging this, I found that Keycloak reports: Token invalid. How can it be invalid, if it was just issued?
>
> What is even more interesting, this works between first login using 
> credentials and time configured as SSO Session Idle (so in our case 
> for 30 minutes)
>
> I understand that session is closed after some Idle time, but if we have valid refresh_token, and we get new access_token, why doesn't it validate? Am I using wrong method?
>
>
> Kind Regards,
>
> Mariusz Chruścielewski
>
> software engineer
>
> mariusz at info.nl  |  LinkedIn <https://www.linkedin.com/in/mariusz-chruscielewski>  |  +31 (0)20 530 9113
>
> info.nl <http://www.info.nl>
>
> Sint Antoniesbreestraat 16  |  1011 HB Amsterdam  |  +31 (0)20 530 9100
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
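
The flow discussed in this thread (a short-lived access token, renewed with the offline token once it expires, then sent as a Bearer header), as an added example that is not part of the original e-mails or of Keycloak's code. The class name, the `post` transport callable and the unsigned sample token are assumptions made so the sketch runs offline.

```python
import base64, json, time
from urllib.parse import urlencode

def jwt_exp(token):
    # Reads exp WITHOUT verifying the signature: good enough to schedule a
    # refresh on the client, never to decide whether a token is trustworthy.
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))["exp"]

class OfflineTokenClient:  # hypothetical helper, not a Keycloak API
    def __init__(self, token_url, client_id, offline_token, post, skew=30):
        self.token_url, self.client_id = token_url, client_id
        self.offline_token = offline_token  # long-lived; store like a credential
        self.post = post    # assumed callable(url, form_body) -> (status, text)
        self.skew = skew    # refresh this many seconds before expiry
        self._access = None

    def refresh_body(self):
        # Same form parameters as the refresh call quoted in the thread.
        return urlencode({"grant_type": "refresh_token",
                          "client_id": self.client_id,
                          "scope": "offline_access",
                          "refresh_token": self.offline_token})

    def access_token(self, now=None):
        now = time.time() if now is None else now
        if self._access is None or jwt_exp(self._access) - self.skew <= now:
            status, text = self.post(self.token_url, self.refresh_body())
            if status != 200:
                raise RuntimeError("refresh failed with HTTP %d" % status)
            data = json.loads(text)
            self._access = data["access_token"]
            # An OAuth server may hand back a replacement refresh token; keep it.
            self.offline_token = data.get("refresh_token", self.offline_token)
        return self._access

    def auth_header(self, now=None):
        return {"Authorization": "Bearer " + self.access_token(now)}

def fake_jwt(exp):
    # Constructed, unsigned sample token so the example runs without a server.
    seg = lambda d: base64.urlsafe_b64encode(
        json.dumps(d).encode()).rstrip(b"=").decode()
    return seg({"alg": "none"}) + "." + seg({"exp": exp}) + "."
```

The server receiving the Bearer header still has to validate the token itself; `jwt_exp` only tells the client when to ask for a new one.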




