[keycloak-user] Offline tokens

Marek Posolda mposolda at redhat.com
Mon Jan 29 11:13:14 EST 2018


Not sure we have direct support for this. What we have is:
- Token Exchange service -- The new thing added in Keycloak 3.4 (I 
think). It's available in Keycloak 3.4.3 for sure. It can possibly be 
used to exchange the token of an authenticated admin for the token of a user 
(impersonation of tokens). Not 100% sure if it's possible. It's a new 
thing and I am still not too familiar with it. You can take a look at the 
docs and see...

- Service accounts -- Authenticate on behalf of some client and issue a 
token assigned to the client, not to a concrete user. Not sure if it suits 
your needs, just pointing this out if you're not aware of that possibility.

- If none of the previous things can be used, you can create your own custom 
Authenticator and set it up in the Direct Access Grant flow. The 
authenticator will somehow allow you to authenticate as any user if you 
prove your admin identity. Also you can create your own REST endpoint 
for exchanging an admin token for the offline token of a user (that's also a 
workaround). These possibilities will 100% work, but they are workarounds and 
also complicated to do (you would need to code the new 
authenticator implementation). So I would use them just as a last fallback.

Marek

On 29/01/18 12:31, O'Callaghan, John wrote:
> Hi
>
> I’m hoping someone can help with a question I have around offline tokens. I would like to be able to generate offline tokens for users of my system. At the moment the only way I can see to be able to create an offline token is to POST to “/realms/<name>/protocol/openid-connect/token“ with a scope: “offline_access” and pass in their username/password.
>
> This works fine if I am asking users to create their own offline tokens, but what I would like to be able to do is allow an admin user to create these offline tokens for users on request (without knowing their password). Is this possible? I have had a look in the REST API and didn’t see anything there, but maybe it's not documented?
>
> Many thanks!
> John
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
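The token-exchange route Marek points to, written out as an added example (this is not code from the thread or from the Keycloak project): an admin obtains its own access token with the password grant, exchanges it with Keycloak's token-exchange grant and `requested_subject` for a refresh-type token of the target user while asking for `offline_access`, and then inspects the returned token. The endpoint path and grant-type URNs are Keycloak's; the realm, client, user names and the `check_offline_token` helper are assumptions. Two caveats the thread does not settle: token exchange must be enabled and the exchanging client granted impersonation permission in the realm, and whether an exchange honours `scope=offline_access` (returning a token with `typ=Offline` rather than a plain `Refresh` one that dies with the session) depends on the Keycloak version, which is exactly why the example checks the `typ` claim instead of trusting the response.

```python
"""Added example, not from the thread or from Keycloak itself.

Assumptions: the exchanging client has token-exchange/impersonation
permission in the realm, and the Keycloak version honours
scope=offline_access on an exchange. Names below are placeholders.
"""
import base64
import json
import urllib.parse
import urllib.request

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
REFRESH_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:refresh_token"


def token_endpoint(base_url, realm):
    """Keycloak's OIDC token endpoint for a realm."""
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def _drop_empty(form):
    return {k: v for k, v in form.items() if v is not None}


def password_grant_form(client_id, username, password, client_secret=None):
    """Resource Owner Password grant: how the admin gets its own access token."""
    return _drop_empty({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
    })


def impersonation_exchange_form(client_id, client_secret, admin_access_token, target_subject):
    """Token-exchange request for a refresh-type token of another user.

    requested_subject is the user to impersonate (username or user id);
    scope=offline_access asks for an offline token rather than a plain
    refresh token (version dependent: verify the result, see below).
    """
    return _drop_empty({
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": admin_access_token,
        "requested_subject": target_subject,
        "requested_token_type": REFRESH_TOKEN_TYPE,
        "scope": "offline_access",
    })


def post_form(url, form):
    """POST an x-www-form-urlencoded body and return the JSON response."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def jwt_payload(token):
    """Decode JWT claims WITHOUT verifying the signature.

    Acceptable for inspecting a token Keycloak just returned over TLS;
    never use this to accept a token presented by a client.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    body = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(body))


def check_offline_token(token, expected_sub):
    """Return problems found; [] means 'offline token belonging to expected_sub'.

    Keycloak marks offline tokens typ=Offline; ordinary refresh tokens are
    typ=Refresh. expected_sub is the user's id, as carried in 'sub'.
    """
    claims = jwt_payload(token)
    problems = []
    typ = claims.get("typ")
    if typ != "Offline":
        problems.append(f"typ is {typ!r}, not 'Offline'")
    if claims.get("sub") != expected_sub:
        problems.append(f"sub is {claims.get('sub')!r}, expected {expected_sub!r}")
    return problems


def offline_token_for_user(base_url, realm, client_id, client_secret,
                           admin_user, admin_password, target_sub):
    """End-to-end: admin password grant, then exchange for the user's offline token."""
    url = token_endpoint(base_url, realm)
    admin = post_form(url, password_grant_form(client_id, admin_user, admin_password, client_secret))
    exchanged = post_form(url, impersonation_exchange_form(
        client_id, client_secret, admin["access_token"], target_sub))
    token = exchanged["refresh_token"]
    problems = check_offline_token(token, target_sub)
    if problems:
        raise RuntimeError("exchange did not yield an offline token: " + "; ".join(problems))
    return token


def make_unsigned_jwt(claims):
    """Constructed test token (bogus signature) to exercise check_offline_token offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])


if __name__ == "__main__":
    # Offline self-check on constructed tokens; the HTTP flow needs a live realm.
    uid = "1f8c2d9e-user-id"
    print(check_offline_token(make_unsigned_jwt({"typ": "Offline", "sub": uid}), uid))
    print(check_offline_token(make_unsigned_jwt({"typ": "Refresh", "sub": uid}), uid))
```

Pass the target's user id (from the admin REST API) rather than the username as `target_sub`, so the same value serves both `requested_subject` and the `sub` comparison; if the check reports `typ` is `Refresh`, the exchange worked but produced a session-bound refresh token, and one of Marek's fallbacks (custom authenticator in the Direct Access Grant flow, or a custom REST endpoint) is the remaining option.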
