<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">On 02/11/15 22:40, Pål Orby wrote:<br>
    </div>
    <blockquote
cite="mid:CAG+mJvFAxL9uxiMa=+14UOz+uEBjW7QXTrXEk2FOVvrVsduTeg@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div>
            <div>It's not an option to create a client for each
              customer. Currently we have 65 000 customers, and we do
              not care whether they use our API or use us within their
              browser.<br>
              <br>
            </div>
            We want to just generate an offline token for a given user.
            Can someone please tell me how to do it? I've read the
            documentation, but it is not clear to me how to obtain an
            offline token (<a moz-do-not-send="true"
href="http://keycloak.github.io/docs/userguide/keycloak-server/html/timeouts.html#offline-access">http://keycloak.github.io/docs/userguide/keycloak-server/html/timeouts.html#offline-access</a>).<br>
          </div>
        </div>
      </div>
    </blockquote>
    Not sure I understand all the details of your use case. But a
    use case like "give me an offline token for this user for this app"
    can be done with a direct grant. See the docs for direct
    grants here:
    <a class="moz-txt-link-freetext" href="http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-access-grants.html">http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-access-grants.html</a>.
    If you want to retrieve an offline token through a direct grant, you
    just need to add the parameter "scope=offline_access" to the body of
    the POST. So instead of just:<br>
    <br>
    <code>username=bburke&amp;password=geheim&amp;grant_type=password</code><br>
    <br>
    you will use:<br>
    <br>
    <code>username=bburke&amp;password=geheim&amp;grant_type=password&amp;scope=offline_access</code><br>
    <br>
    <br>
    But note that an offline token is not a permanent token that can be
    used without limit for authentication against REST backend services.
    An offline token is just a special kind of refresh token, which never
    expires. You can use the offline token to "refresh" and retrieve an
    access token, which can itself be used for authentication against
    REST backend services. But the access token has a limited lifetime
    (usually 1 minute). So typically, once you retrieve the offline token,
    you need to save it in the database, and whenever you need to send a
    request to the REST backend, you use the offline token to retrieve an
    access token and then use this access token to send the REST request.
    I suggest taking a look at the offline_access_app example in the demo.<br>
    <br>
    Marek<br>
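    <p>A worked example of the flow described above, added here and not
    part of the thread or of Keycloak's own code. It builds the two
    direct-grant bodies (with and without <code>scope=offline_access</code>),
    then models the token endpoint just enough to show that the offline
    token is the thing to persist while the one-minute access token is
    re-obtained from it on demand. The credentials, token values and the
    <code>FakeTokenEndpoint</code> behaviour are constructed; the assumption
    that an offline refresh token carries <code>typ=Offline</code> and no
    <code>exp</code> claim mirrors Keycloak's behaviour but is not stated in
    the thread.</p>

```python
"""Added example: direct-grant bootstrap and offline-token refresh flow.

Constructed model, not Keycloak code: the form fields are real OAuth2
parameters, but the token endpoint, credentials and tokens are simulated.
"""
import base64
import json
from urllib.parse import parse_qs, urlencode

ACCESS_TOKEN_LIFETIME = 60  # seconds; the reply says "usually 1 minute"


def direct_grant_body(username, password, offline):
    """Form body for the POST to the token endpoint (password grant).
    The offline variant differs only by the extra scope=offline_access."""
    fields = {"username": username, "password": password, "grant_type": "password"}
    if offline:
        fields["scope"] = "offline_access"
    return urlencode(fields)


def refresh_body(offline_token):
    """Form body that exchanges the stored offline token for a fresh access token."""
    return urlencode({"grant_type": "refresh_token", "refresh_token": offline_token})


def jwt_payload(token):
    """Read the claims of a JWT WITHOUT verifying it. Inspection only: a
    resource server must verify the signature, which this helper does not."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def _unsigned_jwt(claims):
    # Constructed stand-in for a signed token: header.payload with an empty
    # signature part, enough for jwt_payload() to read the claims.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


def is_offline_token(token):
    """Assumption: like Keycloak, an offline token carries typ="Offline" and no exp."""
    claims = jwt_payload(token)
    return claims.get("typ") == "Offline" and "exp" not in claims


class FakeTokenEndpoint:
    """Simulated token endpoint: honours the two bodies above and issues a
    short-lived access token plus either a normal or an offline refresh token."""

    def __init__(self, clock):
        self.clock = clock
        self.users = {"bburke": "geheim"}  # constructed credential store

    def post(self, body):
        form = {k: v[0] for k, v in parse_qs(body).items()}
        now = self.clock()
        if form.get("grant_type") == "password":
            if self.users.get(form.get("username")) != form.get("password"):
                return {"error": "invalid_grant"}
            offline = "offline_access" in form.get("scope", "").split()
            refresh = {"typ": "Offline" if offline else "Refresh", "sub": form["username"]}
            if not offline:
                refresh["exp"] = now + 1800  # ordinary refresh tokens do expire
        elif form.get("grant_type") == "refresh_token":
            refresh = jwt_payload(form["refresh_token"])
            if refresh.get("exp", now + 1) <= now:
                return {"error": "invalid_grant"}
        else:
            return {"error": "unsupported_grant_type"}
        access = {"typ": "Bearer", "sub": refresh["sub"], "exp": now + ACCESS_TOKEN_LIFETIME}
        return {"access_token": _unsigned_jwt(access),
                "refresh_token": _unsigned_jwt(refresh),
                "expires_in": ACCESS_TOKEN_LIFETIME}


class ApiKeyClient:
    """Persists only the offline token and re-obtains the short-lived access
    token from it whenever the cached one has expired."""

    def __init__(self, endpoint, offline_token, clock):
        self.endpoint, self.offline_token, self.clock = endpoint, offline_token, clock
        self.access_token, self.access_exp = None, 0

    def bearer(self):
        if self.access_token is None or self.clock() >= self.access_exp:
            resp = self.endpoint.post(refresh_body(self.offline_token))
            self.access_token = resp["access_token"]
            self.access_exp = jwt_payload(self.access_token)["exp"]
        return self.access_token  # value for "Authorization: Bearer ..."


def demo():
    clock = [1_000_000]  # constructed epoch seconds, advanced by hand below
    endpoint = FakeTokenEndpoint(lambda: clock[0])
    # 1. one-time bootstrap: direct grant with scope=offline_access
    first = endpoint.post(direct_grant_body("bburke", "geheim", offline=True))
    offline_token = first["refresh_token"]  # this is what goes into the database
    # 2. per request: refresh an access token from it when the cached one is stale
    client = ApiKeyClient(endpoint, offline_token, lambda: clock[0])
    t1 = client.bearer()
    clock[0] += 30
    t2 = client.bearer()  # still within the 60 s lifetime, reused
    clock[0] += 60
    t3 = client.bearer()  # expired, refreshed from the offline token
    return {"offline": is_offline_token(offline_token), "reused": t1 == t2, "refreshed": t3 != t1}


if __name__ == "__main__":
    print(demo())
```

    <p>The point of <code>ApiKeyClient</code> is the storage split: the
    database holds only the offline token, and the access token lives in
    memory and is thrown away after a minute. <code>jwt_payload()</code> reads
    claims without checking the signature, which is fine for inspecting what
    the endpoint returned but is never a substitute for signature
    verification on the bearer-only backend.</p>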
    <blockquote
cite="mid:CAG+mJvFAxL9uxiMa=+14UOz+uEBjW7QXTrXEk2FOVvrVsduTeg@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div><br>
          </div>
          Thanks in advance :-)<br>
          <br>
        </div>
        /Pål<br>
      </div>
      <div class="gmail_extra"><br clear="all">
        <div>
          <div class="gmail_signature">
            <div dir="ltr"><b>Pål Orby</b>
              <div>UNIT4 Agresso AS<b><br>
                </b>Software Engineer<br>
                Tel: 22 58 85 00<br>
                Mobile: 900 91 705<br>
                <br>
                SendRegning - Make it easy!</div>
              <div><a moz-do-not-send="true"
                  href="http://www.sendregning.no" target="_blank">http://www.sendregning.no</a></div>
              <div><a moz-do-not-send="true"
                  href="http://facebook.com/sendregning" target="_blank">http://facebook.com/sendregning</a><br>
                <a moz-do-not-send="true"
                  href="http://twitter.com/sendregning" target="_blank">http://twitter.com/sendregning</a><br>
                <a moz-do-not-send="true" href="http://faktura.no"
                  target="_blank">http://faktura.no</a><br>
              </div>
            </div>
          </div>
        </div>
        <br>
        <div class="gmail_quote">2015-11-02 12:06 GMT+01:00 Stian
          Thorgersen <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>&gt;</span>:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <p dir="ltr">I would create a client for each customer.
              Enable the service account feature to map roles to the
              client. Then customers can authenticate either with a
              secret or signed jwt (public/private key). They can then
              use the client credentials grant to obtain tokens.</p>
            <div class="HOEnZb">
              <div class="h5">
                <div class="gmail_quote">On 30 Oct 2015 15:37, "Pål
                  Orby" &lt;<a moz-do-not-send="true"
                    href="mailto:orby@sendregning.no" target="_blank">orby@sendregning.no</a>&gt;
                  wrote:<br type="attribution">
                  <blockquote class="gmail_quote" style="margin:0 0 0
                    .8ex;border-left:1px #ccc solid;padding-left:1ex">
                    <div dir="ltr">
                      <div>Saw your session at JavaZone, so thought we
                        could give KC a try :-)<br>
                      </div>
                      <div><br>
                      </div>
                      <div>Our web application is split in two: a frontend
                        (HTML5/Javascript) and our backend (REST lv. 3
                        developed in Java, currently running inside
                        Tomcat).</div>
                      <div><br>
                      </div>
                      <div>Our frontend is just a consumer of our
                        backend API (just like any other client), and
                        I've successfully configured KC to use
                        openid-connect/public for our frontend with
                        keycloak.js, and openid-connect/bearer-only for
                        our backend (API) in our test environment
                        (sending the Authorization header with Bearer
                        and keycloak.token to the backend when doing ajax
                        requests). This works as expected. We have even
                        written our own federation doing password
                        validation against our user database.</div>
                      <div><br>
                      </div>
                      <div>But a lot of our customers have integrated
                        their application with our backend API, doing REST
                        calls for issuing invoices, etc.</div>
                      <div><br>
                      </div>
                      <div>Most other services that provide you with an
                        API offer tokens that can be used for
                        identification and authentication. And as far as
                        I can see, these are offline tokens in KC.</div>
                      <div><br>
                      </div>
                      <div>So we want to have our users log in to our
                        service with their browser, go to our "API key
                        page" and create a new token to be used by the
                        integrations (moving away from Basic auth).</div>
                      <div><br>
                      </div>
                      <div>I've created an offline token by hitting a
                        keycloak protected html file and requested a
                        resource with parameter ?scope=offline_access. I
                        do see KC gives me a value back:</div>
                      <div><a moz-do-not-send="true"
href="http://localhost/keycloak.html?scope=offline_access&amp;code=HU5UkZ_EbNUjX3Vhmg-3EIhC6Abz5rwhNMy_cuPzpLA.bfa6846d-b8f2-46da-b923-6a2824c82dd6&amp;state=f2c410f3-37dd-4b5b-b933-1aacce916846"
                          target="_blank">http://localhost/keycloak.html?scope=offline_access&amp;code=HU5UkZ_EbNUjX3Vhmg-3EIhC6Abz5rwhNMy_cuPzpLA.bfa6846d-b8f2-46da-b923-6a2824c82dd6&amp;state=f2c410f3-37dd-4b5b-b933-1aacce916846</a><br>
                      </div>
                      <div><br>
                      </div>
                      <div>But there is no way I can use this for
                        anything (and in KC it seems to be bound to our
                        frontend application).</div>
                      <div><br>
                      </div>
                      <div>Why can't I use the admin rest api to say
                        something like: give me an offline token for
                        this user for this app?</div>
                      <div><br>
                      </div>
                      <div>/Pål</div>
                      <div class="gmail_extra">
                        <br>
                        <div class="gmail_quote">2015-10-30 15:06
                          GMT+01:00 Stian Thorgersen <span dir="ltr">&lt;<a
                              moz-do-not-send="true"
                              href="mailto:sthorger@redhat.com"
                              target="_blank">sthorger@redhat.com</a>&gt;</span>:<br>
                          <blockquote class="gmail_quote"
                            style="margin:0 0 0 .8ex;border-left:1px
                            #ccc solid;padding-left:1ex">
                            <div dir="ltr">Hi there,
                              <div><br>
                              </div>
                              <div>Nice to see fellow Norwegians are
                                using Keycloak :)</div>
                              <div><br>
                              </div>
                              <div>For offline tokens the idea is that
                                you'd have a frontend app (server or
                                client, whichever floats your boat) that
                                can bootstrap the offline token.</div>
                              <div><br>
                              </div>
                              <div>Not sure offline tokens is quite what
                                you need though - can you elaborate a
                                bit on your use case?</div>
                            </div>
                            <div class="gmail_extra"><br>
                              <div class="gmail_quote">
                                <div>
                                  <div>On 30 October 2015 at 13:51, Pål
                                    Orby <span dir="ltr">&lt;<a
                                        moz-do-not-send="true"
                                        href="mailto:orby@sendregning.no"
                                        target="_blank">orby@sendregning.no</a>&gt;</span>
                                    wrote:<br>
                                  </div>
                                </div>
                                <blockquote class="gmail_quote"
                                  style="margin:0 0 0
                                  .8ex;border-left:1px #ccc
                                  solid;padding-left:1ex">
                                  <div>
                                    <div>
                                      <div dir="ltr">
                                        <div>We have two clients
                                          registered in our realm:
                                          frontend and backend. Frontend
                                          is defined as
                                          openid-connect/public
                                          (HTML/Javascript app) and
                                          backend as
                                          openid-connect/bearer-only.</div>
                                        <div><br>
                                        </div>
                                        <div>How can we generate an
                                          offline token for a given user
                                          that can be used towards our
                                          backend (which is bearer
                                          only)?</div>
                                        <div><br>
                                        </div>
                                        <div>We have a lot of customers
                                          that are integrated with our API
                                          (which is our backend client).</div>
                                        <div><br clear="all">
                                          <div>
                                            <div>
                                              <div dir="ltr"><b>Pål Orby</b>
                                                <div>UNIT4 Agresso AS<b><br>
                                                  </b>DevOps<br>
                                                  Tel: 22 58 85 00<br>
                                                  Mobile: 900 91 705<br>
                                                  <br>
                                                  SendRegning - Make it
                                                  easy!</div>
                                                <div><a
                                                    moz-do-not-send="true"
href="http://www.sendregning.no" target="_blank">http://www.sendregning.no</a></div>
                                                <div><a
                                                    moz-do-not-send="true"
href="http://facebook.com/sendregning" target="_blank">http://facebook.com/sendregning</a><br>
                                                  <a
                                                    moz-do-not-send="true"
href="http://twitter.com/sendregning" target="_blank">http://twitter.com/sendregning</a><br>
                                                  <a
                                                    moz-do-not-send="true"
href="http://faktura.no" target="_blank">http://faktura.no</a><br>
                                                </div>
                                              </div>
                                            </div>
                                          </div>
                                        </div>
                                      </div>
                                      <br>
                                    </div>
                                  </div>
_______________________________________________<br>
                                  keycloak-user mailing list<br>
                                  <a moz-do-not-send="true"
                                    href="mailto:keycloak-user@lists.jboss.org"
                                    target="_blank">keycloak-user@lists.jboss.org</a><br>
                                  <a moz-do-not-send="true"
                                    href="https://lists.jboss.org/mailman/listinfo/keycloak-user"
                                    rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
                                </blockquote>
                              </div>
                              <br>
                            </div>
                          </blockquote>
                        </div>
                        <br>
                      </div>
                    </div>
                  </blockquote>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
    <br>
  </body>
</html>