<div dir="ltr">To create a token you need to have a client and a user (or service account in which case you only need the client). Once you have that you can use the browser based flow or obtain through REST (resource owner credential grant for users, client credential grant for service accounts). You should not share client and user between customers as that will stop you from being able to revoke the offline tokens. Another issue is that tokens are fairly big (it's not just a short key, it's a json document).<div><br></div><div>I would suggest you either:</div><div><br></div><div>* Create service account for customers - they can then use this to obtain a token (offline or standard refresh) using REST endpoints on Keycloak</div><div>* Give offline token to users - in this case I would create a service account for the customer and then create the offline token (all can be done with Keycloak REST endpoints)</div><div><br></div><div>Take a look at <a href="https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java#L71">https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java#L71</a> it shows how to obtain tokens without browser. To retrieve an offline token just add scope=offline query parameter.</div><div><br></div><div>One thing you could do if you want to give customers the token is to create a db that stores the token then send the customers a reference to the token instead. You'd then need a proxy in front of your apps that can exchange the reference for the full token. If you're interested in this approach I can get you in touch with someone that is doing that.</div><div><div class="gmail_extra"><br><div class="gmail_quote">On 2 November 2015 at 21:40, Pål Orby <span dir="ltr"><<a href="mailto:orby@sendregning.no" target="_blank">orby@sendregning.no</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div><div><div>It's not an option to create a client for each customer. Currently we have 65 000 customers, and we do not care if they use our API or using us within their browser.<br></div></div></div></div></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div><div><div><br></div>We want to just generate an offline token for a given user? Can someone please tell me how to do it. I've read the documentation, but it not clear for me how to obtain an offline token (<a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/timeouts.html#offline-access" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/timeouts.html#offline-access</a>).</div></div></div></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div><div><br></div>Thanks in advance :-)<br><br></div>/Pål<span class=""><font color="#888888"><br></font></span></div><div class="gmail_extra"><span class=""><font color="#888888"><br clear="all"></font></span><div><div><div dir="ltr"><span class=""><font color="#888888"><b>Pål Orby</b></font></span><div><span class=""><font color="#888888">UNIT4 Agresso AS<b><br></b>Programvareingeniør</font></span><span class=""><br>Tlf: 22 58 85 00<br>Mobil: 900 91 705<br><br>SendRegning - Gjør det enkelt!</span></div><span class=""><div><a href="http://www.sendregning.no" target="_blank">http://www.sendregning.no</a></div><div><a href="http://facebook.com/sendregning" target="_blank">http://facebook.com/sendregning</a><br><a href="http://twitter.com/sendregning" target="_blank">http://twitter.com/sendregning</a><br><a href="http://faktura.no" target="_blank">http://faktura.no</a><br></div></span></div></div></div><div><div class="h5">
<br><div class="gmail_quote">2015-11-02 12:06 GMT+01:00 Stian Thorgersen <span dir="ltr"><<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><p dir="ltr">I would create a client for each customer. Enable the service account feature to map roles to the client. Then customers can authenticate either with a secret or signed jwt (public/private key). They can then use the client credentials grant to obtain tokens.</p><div><div>
<div class="gmail_quote">On 30 Oct 2015 15:37, "Pål Orby" <<a href="mailto:orby@sendregning.no" target="_blank">orby@sendregning.no</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div>Saw your session at JavaZone, so thought we could give KC a try :-)<br></div><div><br></div><div>Our web application is split on two; frontend (HTML5/Javascript) and our backend (REST lv. 3 developed in Java, currently running inside Tomcat).</div><div><br></div><div>Our frontend is just a consumer of our backend API (just like any other client), and I've successfully configured KC to use openid-connect/public for our frontend with keycloak.js, and openid-connect/bearer-only for our backend (API) in our test environment (sending the Authorization header with Bearer and keycloak.token to backend when doing ajax requests). This work like expected. Even written our own federation doing password validation from our user database.</div><div><br></div><div>But, a lot of our customers have integrated their application to our backend API, doing REST calls for issuing invoices, etc...)</div><div><br></div><div>Most other services that provides you with an API offers tokens that can be used for identification and authentication. And as far as I can see, this is offline tokens in KC.</div><div><br></div><div>So we want to have our users log in to our service with their browser, go to our "API key page" and create a new token to be used by the integrations (moving away from Basic auth).</div><div><br></div><div>I've created an offline token by hitting a keycloak protected html file and requested a resource with parameter ?scope=offline_access. I do see KC gives me a value back:</div><div><a href="http://localhost/keycloak.html?scope=offline_access&code=HU5UkZ_EbNUjX3Vhmg-3EIhC6Abz5rwhNMy_cuPzpLA.bfa6846d-b8f2-46da-b923-6a2824c82dd6&state=f2c410f3-37dd-4b5b-b933-1aacce916846" target="_blank">http://localhost/keycloak.html?scope=offline_access&code=HU5UkZ_EbNUjX3Vhmg-3EIhC6Abz5rwhNMy_cuPzpLA.bfa6846d-b8f2-46da-b923-6a2824c82dd6&state=f2c410f3-37dd-4b5b-b933-1aacce916846</a><br></div><div><br></div><div>But there is no way I can use this for anything (and in KC it seems to be bound to our frontend application).</div><div><br></div><div>Why can't I use the admin rest api to say something like: give me an offline token for this user for this app?</div><div><br></div><div>/Pål</div><div class="gmail_extra">
<br><div class="gmail_quote">2015-10-30 15:06 GMT+01:00 Stian Thorgersen <span dir="ltr"><<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">Heisann,<div><br></div><div>Nice to see fellow Norwegians are using Keycloak :)</div><div><br></div><div>For offline tokens the idea is that you'd have a frontend app (server or client, whichever floats your boat) that can bootstrap the offline token.</div><div><br></div><div>Not sure offline tokens is quite what you need though - can you elaborate a bit on your use case?</div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div>On 30 October 2015 at 13:51, Pål Orby <span dir="ltr"><<a href="mailto:orby@sendregning.no" target="_blank">orby@sendregning.no</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div><div dir="ltr"><div>We have two clients registered in our realm; frontend and backend. Frontend is defined openid-connect/public (HTML/Javascript app) and backend is openid-connect/bearer-only.</div><div><br></div><div>How can we generate an offline token for a given user that can be used towards our backend (which is bearer only)?</div><div><br></div><div>We have a lot of customers that is integrated to our API (which is our backend client).</div><div><br clear="all"><div><div><div dir="ltr"><b>Pål Orby</b><div>UNIT4 Agresso AS<b><br></b>DevOps<br>Tlf: 22 58 85 00<br>Mobil: 900 91 705<br><br>SendRegning - Gjør det enkelt!</div><div><a href="http://www.sendregning.no" target="_blank">http://www.sendregning.no</a></div><div><a href="http://facebook.com/sendregning" target="_blank">http://facebook.com/sendregning</a><br><a href="http://twitter.com/sendregning" target="_blank">http://twitter.com/sendregning</a><br><a href="http://faktura.no" target="_blank">http://faktura.no</a><br></div></div></div></div>
</div></div>
<br></div></div>_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></blockquote></div><br></div>
</blockquote></div><br></div></div>
</blockquote></div>
</div></div></blockquote></div><br></div></div></div>
</blockquote></div><br></div></div></div>