[keycloak-user] [External] Re: Offline tokens

Marek Posolda mposolda at redhat.com
Tue Jan 30 10:06:58 EST 2018


On 30/01/18 10:10, O'Callaghan, John wrote:
>
> Hi Marek
>
> Thanks for that info; the token exchange feature looks interesting and might be a way for me to solve my requirement. I didn’t see anything in the docs saying that I could use it to get an offline token, but it's worth a shot. Has anyone out there used this to get offline tokens?
>
> If this is possible then it would be the preferable option for me. The service accounts option is a bit fiddly as I would need a separate service account for each user (at least that’s how I think that would work). Unless it were possible to fully automate the creation of these service accounts on demand, associate them with a specific user and then grab their offline token.
Nope, service accounts are used for the case when you want to authenticate on behalf of a "client" application, not as any concrete user. In some cases, it may be useful to use those service accounts to perform some tasks not tied to any concrete user (e.g. periodic tasks etc.). Just mentioned this in case it suits your use case, but I guess it doesn't...

Marek
>
> I'll look further into option 1 and get back to you with how I get on.
> Thanks again
> John
>
>
> Accenture Global Solutions Limited, 3 Grand Canal Plaza, Grand Canal Street Upper, Dublin 4
> This e-mail and any files transmitted with it are confidential and are intended solely for the use of the individual or entity to which they are addressed. If you have received this e-mail in error, please notify the sender immediately and delete the original. Communications with Accenture or any of its group companies (“Accenture”), including telephone calls and e-mails, may be monitored by our systems for quality control and/or evidential purposes. Accenture does not accept service by e-mail of court proceedings, other processes or formal notices of any kind. Private company limited by shares registered in Ireland, Number 554978
> On 29/01/2018, 16:13, "Marek Posolda" <mposolda at redhat.com> wrote:
>
>      Not sure we have direct support for this. What we have is:
>      - Token Exchange service -- The new thing added in Keycloak 3.4 (I
>      think). It's available in Keycloak 3.4.3 for sure. It can possibly be
>      used to exchange the token of an authenticated admin for the token of a user
>      (impersonation of tokens). Not 100% sure if it's possible. It's a new
>      thing and I am still not too familiar with it. You can take a look at the
>      docs and see...
>      
>      - Service accounts -- Authenticate on behalf of some client and issue a
>      token assigned to the client, not to a concrete user. Not sure if it suits
>      your needs, just pointing this out if you're not aware of that possibility.
>      
>      - If none of the previous things can be used, you can create your own custom
>      Authenticator and set it up in the Direct Access Grant flow. The
>      authenticator will somehow allow you to authenticate as any user if you
>      prove your admin identity. Also you can create your own REST endpoint
>      for exchanging the admin token for the offline token of a user (that's also a
>      workaround). These possibilities will 100% work, but it's a workaround and
>      it's also complicated to do (you would need to code the new
>      authenticator implementation). So I would use it just as a last fallback.
>      
>      Marek
>      
>      On 29/01/18 12:31, O'Callaghan, John wrote:
>      > Hi
>      >
>      > I’m hoping someone can help with a question I have around offline tokens. I would like to be able to generate offline tokens for users of my system. At the moment the only way I can see to create an offline token is to POST to "/realms/<name>/protocol/openid-connect/token" with scope "offline_access" and pass in their username/password.
>      >
>      > This works fine if I am asking users to create their own offline tokens, but what I would like to be able to do is allow an admin user to create these offline tokens for users on request (without knowing their password). Is this possible? I have had a look in the REST API and didn’t see anything there, but maybe it's not documented?
>      >
>      > Many thanks!
>      > John
>      >
>      >
>      >
>      >
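The password-grant request John describes (POST to the token endpoint with scope=offline_access), followed by a check that the returned refresh token really is an offline token, as an added example that is not part of the original thread; the host, realm, client and user names are placeholders:

```python
"""Request a Keycloak offline token as the thread describes and confirm that
the refresh token that comes back is an offline one (added example)."""
import base64
import json
import urllib.parse
import urllib.request

def token_request(base_url, realm, client_id, username, password, client_secret=None):
    """Build the URL and form body for the password grant with offline_access."""
    url = base_url.rstrip("/") + f"/realms/{realm}/protocol/openid-connect/token"
    form = {
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
        "scope": "offline_access",  # without this you get an ordinary refresh token
    }
    if client_secret:  # confidential clients must also authenticate themselves
        form["client_secret"] = client_secret
    return url, urllib.parse.urlencode(form).encode()

def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified here."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def is_offline_token(refresh_token):
    """Keycloak sets typ to "Offline" on offline tokens and "Refresh" on normal ones."""
    return jwt_claims(refresh_token).get("typ") == "Offline"

def fetch_offline_token(base_url, realm, client_id, username, password, client_secret=None):
    """Perform the request and fail loudly if the server silently dropped the scope."""
    url, body = token_request(base_url, realm, client_id, username, password, client_secret)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        refresh_token = json.load(resp)["refresh_token"]
    if not is_offline_token(refresh_token):
        raise RuntimeError("got a regular refresh token: is offline_access allowed for this client?")
    return refresh_token  # keep an inventory: offline tokens outlive the SSO session until revoked

def _unsigned_jwt(claims):
    """Constructed sample token (header.payload.signature) for offline testing only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + ".sig"

SAMPLE_OFFLINE = _unsigned_jwt({"typ": "Offline", "azp": "my-cli", "sub": "user-1"})
SAMPLE_REFRESH = _unsigned_jwt({"typ": "Refresh", "azp": "my-cli", "sub": "user-1", "exp": 1517322000})
```

`fetch_offline_token` needs a reachable Keycloak; the other functions run offline against the constructed sample tokens.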


