<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 16 August 2016 at 10:11, Haim Vana <span dir="ltr"><<a href="mailto:haimv@perfectomobile.com" target="_blank">haimv@perfectomobile.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Hi Stian,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Thanks for your answer.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">What I meant to ask is how to create offline token for external IDP, I wasn't able to it with REST API (I am able to it if it's not external IDP).<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">The only way I managed to do it was when adding offline_access to the UI login page, so for external IDP – is it the only way ? REST API is not supported ?</span></p></div></div></blockquote><div><br></div><div>Login page is the only way for external IdPs.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Assuming it's the only way I thought to create external UI service for the user to log in and get his offline token.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">What do you think about such solution ? also if the user will be already logged in – do you know if the offline token will be created ? or the will have to logout
and login again…</span></p></div></div></blockquote><div><br></div><div>Depends on what your script is implemented in it can also start a web server on localhost, then popup the browser window to do the login and finally it'll get the code and can get the offline token directly itself. Take a look at our customer-app-cli example. It doesn't do offline token, but would be trivial to change it to do that instead.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Thanks,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Haim.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Stian Thorgersen [mailto:<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>]
<br>
<b>Sent:</b> Tuesday, August 16, 2016 10:52 AM<br>
<b>To:</b> Haim Vana <<a href="mailto:haimv@perfectomobile.com" target="_blank">haimv@perfectomobile.com</a>><br>
<b>Cc:</b> <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<b>Subject:</b> Re: [keycloak-user] Offline tokens with external IDP<u></u><u></u></span></p><div><div class="h5">
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">On 25 July 2016 at 09:01, Haim Vana <<a href="mailto:haimv@perfectomobile.com" target="_blank">haimv@perfectomobile.com</a>> wrote:<u></u><u></u></p>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal">Hi,<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">We are using KeyCloak for a several weeks now, one of the flows is user script authentication with offline token:<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p>1.<span style="font-size:7.0pt"> </span>The user log in to the UI<u></u><u></u></p>
<p>2.<span style="font-size:7.0pt"> </span>Generates offline token by entering his password again<u></u><u></u></p>
<p>3.<span style="font-size:7.0pt"> </span>Put the offline token in his script<u></u><u></u></p>
<p>4.<span style="font-size:7.0pt"> </span>Executes the script<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">Now we want to add external IDP support, first is it possible to generate offline tokens for extremal IDP in KeyCloak ? if so how ?<u></u><u></u></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Assuming you're using the Keycloak login screen it's just a matter of configuring the external IdP as an identity broker provider and it will be displayed as an option on the login screen.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">Second in section #2 above the user enters his password to generate the offline token, with external IDP we can’t use his password, one alternative is to always generate the offline
token in the login (add offline_access), however is it make sense to create offline token for every login ?<u></u><u></u></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">You shouldn't create offline token for every login, just once for a new user or once offline token is no longer valid.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">Thanks,<u></u><u></u></p>
<p class="MsoNormal">Haim.
<u></u><u></u></p>
</div>
<p class="MsoNormal">The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this
message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately
by replying to the message and deleting it from your computer. Thank you. <u></u><u></u></p>
</div>
<p class="MsoNormal"><br>
______________________________<wbr>_________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://emea01.safelinks.protection.outlook.com/?url=https%3a%2f%2flists.jboss.org%2fmailman%2flistinfo%2fkeycloak-user&data=01%7c01%7chaimv%40perfectomobile.com%7c817f2f8f0df74d42b42708d3c5aa2e27%7cceb4c662d6994e7da0bd272619a46977%7c1&sdata=GbfVDcXti4f7DKGMcp6zyqQpsqNksOIuU4EA1sb0TR0%3d" target="_blank">https://lists.jboss.org/<wbr>mailman/listinfo/keycloak-user</a><u></u><u></u></p>
</blockquote>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
</div></div></div><div><div class="h5">
The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the
intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to
the message and deleting it from your computer. Thank you.
</div></div></div>
</blockquote></div><br></div></div>