<div dir="ltr">I'm currently implementing the proxy solution.<div><br></div><div>Thanks for your help :-) </div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><b>Pål Orby</b><div>UNIT4 Agresso AS<b><br></b>Software Engineer<br>Tel: 22 58 85 00<br>Mobile: 900 91 705<br><br>SendRegning - Make it simple!</div><div><a href="http://www.sendregning.no" target="_blank">http://www.sendregning.no</a></div><div><a href="http://facebook.com/sendregning" target="_blank">http://facebook.com/sendregning</a><br><a href="http://twitter.com/sendregning" target="_blank">http://twitter.com/sendregning</a><br><a href="http://faktura.no" target="_blank">http://faktura.no</a><br></div></div></div></div>
<br><div class="gmail_quote">2015-11-05 12:42 GMT+01:00 Stian Thorgersen <span dir="ltr"><<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote"><span class="">On 3 November 2015 at 19:10, Pål Orby <span dir="ltr"><<a href="mailto:orby@sendregning.no" target="_blank">orby@sendregning.no</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div>Ok, so after reading the replies here I understand that it isn't offline tokens I'm looking for.<br><br></div>The token I'm looking for is what I would call an "application token". Any plans for implementing that?<br></div></div></div></blockquote><div><br></div></span><div>No, we don't have any plans for that. However, as I suggested, you can relatively easily provide that yourself by creating a client with a service account for a customer and then creating an offline token to send to them. The main issue still stands, though: an offline token is not just a short "API Key", it's a relatively big base64 string.</div><div><br></div><div>If you want a short "API Key" you'd need a proxy in front of your services that can swap the key for the actual token.</div><div><div class="h5"><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><br></div>Example:<br>If you enable two-factor authentication on GitHub, you can't connect with username/password anymore in the terminal or other 3rd-party applications integrated with GitHub without using an "application token" that you create on your GitHub account page.<span><font color="#888888"><br><br></font></span></div><span><font color="#888888">/Pål<br></font></span></div><div class="gmail_extra"><span><br clear="all"><div><div><div dir="ltr"><b>Pål Orby</b><div>UNIT4 Agresso AS<b><br></b>Software Engineer<br>Tel: 22 58 85 00<br>Mobile: 900 91 705<br><br>SendRegning - Make it simple!</div><div><a href="http://www.sendregning.no" target="_blank">http://www.sendregning.no</a></div><div><a href="http://facebook.com/sendregning" target="_blank">http://facebook.com/sendregning</a><br><a href="http://twitter.com/sendregning" target="_blank">http://twitter.com/sendregning</a><br><a href="http://faktura.no" target="_blank">http://faktura.no</a><br></div></div></div></div>
<br></span><div><div><div class="gmail_quote">2015-11-03 13:49 GMT+01:00 Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span>
<div>On 03/11/15 09:32, Thomas Raehalme
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">On Tue, Nov 3, 2015 at 10:23 AM,
                Stian Thorgersen <span dir="ltr"><<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">* Create service account for customers -
they can then use this to obtain a token (offline or
standard refresh) using REST endpoints on Keycloak</div>
</blockquote>
<div><br>
</div>
<div>Sorry to step in, but could you please explain the use
case or the reasoning for offline tokens on service
accounts? If I have understood it correctly you'll still
need clientId and secret to generate the access token from
the offline token. Why not just use them to login whenever
necessary? Thanks!<br>
</div>
</div>
</div>
</div>
</blockquote></span>
    We support offline tokens for service accounts because there is no
    reason (bad side effect) not to support them. Or at least I am not
    aware of any. Are you? Adding this support came "for free".<br>
    <br>
    One use case where it can be useful is, for example, if you have an
    offline token and you don't know how this offline token was
    authenticated (whether it was direct grant, service account or browser).
    You can send the refresh token request with this token regardless of
    the offline token type, as the refreshToken endpoint is the same for all
    cases.<br>
<br>
Marek<br>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<div>Best regards,<br>
</div>
<div>Thomas<br>
</div>
<div><br>
</div>
</div>
<br>
</div>
</div><span>
</span></blockquote>
<br>
</div>
</blockquote></div><br></div></div></div>
</blockquote></div></div></div><br></div></div>
</blockquote></div><br></div>
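<div>The key-for-token swap suggested in the quoted replies above, sketched as an added example that is not part of the original thread or of Keycloak's code. The class name, the <code>post_form</code> callable and the fake endpoint are assumptions; all keys, secrets and tokens used with it are constructed.</div>

```python
import hashlib
import time


class ApiKeyTokenSwapper:
    """Proxy-side swap: short API key -> stored offline token -> access token."""

    def __init__(self, post_form, clock=time.time, skew=30):
        self._post_form = post_form  # callable(form dict) -> parsed JSON dict
        self._clock = clock
        self._skew = skew            # refresh this many seconds before expiry
        self._records = {}           # sha256(key) -> (client_id, secret, offline)
        self._cache = {}             # sha256(key) -> (access_token, expires_at)

    @staticmethod
    def _digest(api_key):
        # Index by hash so the key store never holds the customer's raw key.
        return hashlib.sha256(api_key.encode("utf-8")).hexdigest()

    def register(self, api_key, client_id, client_secret, offline_token):
        self._records[self._digest(api_key)] = (client_id, client_secret, offline_token)

    def revoke(self, api_key):
        digest = self._digest(api_key)
        self._records.pop(digest, None)
        self._cache.pop(digest, None)

    def access_token_for(self, api_key):
        digest = self._digest(api_key)
        record = self._records.get(digest)
        if record is None:
            return None  # unknown or revoked key: the proxy should answer 401
        cached = self._cache.get(digest)
        if cached and cached[1] - self._skew > self._clock():
            return cached[0]
        client_id, client_secret, offline_token = record
        # Same refresh request whatever way the offline token was obtained.
        reply = self._post_form({"grant_type": "refresh_token",
                                 "refresh_token": offline_token,
                                 "client_id": client_id,
                                 "client_secret": client_secret})
        expires_at = self._clock() + int(reply.get("expires_in", 60))
        self._cache[digest] = (reply["access_token"], expires_at)
        return reply["access_token"]


def fake_token_endpoint(form):
    # Constructed stand-in for the HTTPS POST to the realm's token endpoint.
    return {"access_token": "access-for-" + form["client_id"], "expires_in": 300}
```

<div>In a real proxy, <code>post_form</code> would POST the form to the realm's token endpoint over TLS, and the record store needs encryption at rest because it holds offline tokens and client secrets.</div>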