On 27.3.2018 at 04:41, Bill Burke wrote:
These are my thoughts for implementing offline access tokens:
* offline access tokens MUST be validated. This means that if they
are used during bearer token requests, the service must validate the
token with the token endpoint.
* These tokens MUST be rejected by older keycloak clients as our
adapters don't have support for them.
* offline access tokens will not be stored in the database. Instead
they will be JWEs or JWS that link to an offline user session. (our
current offline access implementation). They will be revokable just
like any other offline session and in the same manner. This makes the
implementation simple.
* There will be 4 modes for configuring clients
- client automatically receives offline access tokens (maybe not
include a refresh token in this case)
- client may request an offline access token
- client requires consent before providing an offline access token
- client is not allowed to ask for offline access tokens (default)
Any other thoughts on this?
How will the client tell that it wants this offline token? Will it be some
special value of the scope parameter like "scope=persistent_token"?
I can imagine that issuing this token will be handled by a protocol
mapper? Some protocolMapper implementation, which will change the token
expiration to 0 (which means infinity) and change the token type to
something like "persistent"?
Once we have clientScopes in, it will be easy to ensure that
this protocolMapper is used only if the "persistent_token" scope is used, as the
protocolMapper will just be configured on the "persistent_token" client
scope. However, the clientScopes PR will likely need to wait a few
weeks or so...
Marek
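To make the two rules above concrete (Bill's "offline access tokens MUST be validated with the token endpoint and rejected by adapters that do not support them", and Marek's "mapper sets expiration to 0 and token type to persistent"), here is an added example of the resource-server side of that design. It is not Keycloak code and not from either author: the "persistent" type, the exp-of-0 marker, the `offline_session` claim that links the token to a revocable offline session, the in-memory `OfflineSessionStore`, and HS256 signing with a constructed key are all assumptions made for the demo (Keycloak itself signs with RSA keys). The `introspect` callable stands in for the call to the token endpoint; passing `None` models an older adapter with no such support.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jws(claims: dict, key: bytes) -> str:
    """Mint a compact HS256 JWS. Demo only; a real server would use RS256 keys."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = header + "." + body
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jws(token: str, key: bytes):
    """Return the claims if the HS256 signature verifies, otherwise None."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    if json.loads(_b64url_decode(head_b64)).get("alg") != "HS256":
        return None
    return json.loads(_b64url_decode(body_b64))


def is_persistent(claims: dict) -> bool:
    # Hypothetical marker from the thread: typ "persistent" and/or exp 0 (= never expires).
    return claims.get("typ") == "persistent" or claims.get("exp") == 0


class OfflineSessionStore:
    """Constructed stand-in for the server's offline user sessions (nothing in the DB per token)."""

    def __init__(self):
        self.active = set()

    def create(self, session_id: str) -> None:
        self.active.add(session_id)

    def revoke(self, session_id: str) -> None:
        self.active.discard(session_id)

    def introspect(self, claims: dict) -> bool:
        # The token stays valid only while the linked offline session still exists.
        return claims.get("offline_session") in self.active


def authorize(token: str, key: bytes, introspect=None, now=None):
    """Decide whether a bearer token is accepted; returns (accepted, reason).

    introspect: callable(claims) -> bool, the hook that asks the authorization
    server whether the token is still active. None models an adapter without
    that support, which must therefore refuse persistent tokens outright.
    """
    now = time.time() if now is None else now
    claims = verify_jws(token, key)
    if claims is None:
        return False, "bad signature"
    if is_persistent(claims):
        if introspect is None:
            return False, "persistent token not supported by this adapter"
        if introspect(claims):
            return True, "persistent token active"
        return False, "offline session revoked"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    return True, "short-lived token valid"
```

Revocation works the same way as for any offline session: deleting the session makes the next introspection fail, even though the token itself has no expiry and was never stored.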
Maybe this should be implemented in conjunction with a reference token
feature too?