Cloning into offline persistence is a good way to do it, I'm worried about the
complexity of it though. We'd need two separate user session stores and do we look in
both when there's a request for a user session? If we don't look in both how do we
make sure the persisted sessions are re-loaded into the non-persisted store at startup
time? That's even worse in a cluster. I've implemented a hybrid store (where some
stuff was kept in JPA and other stuff in-mem); it did end up as a bit of a cluster fuck though.
I don't have an issue with admins managing offline sessions in the existing way they
manage sessions, actually that's probably the best way. We would probably need to add
support for logging out all or just non-offline when logging out a user or application
though.
I don't like the idea of just having an offline column in account management though as
I think that's confusing to users. We need to at some point give the account
management some TLC as it looks pretty horrible and there are some concepts that are
probably confusing to most users. For example sessions, logs and even worse federated
identities. As a user I'd expect a list of devices that I have logged in from (Home
computer, Work computer, Mobile, etc.) and the ability to log those out. Then I'd
expect a separate list of applications/clients that can access my account where I can
revoke access to a specific client (which would also invalidate any offline access).
That's still perfectly achievable with either of the two approaches though.
Finally, we also need to introduce an offline role/scope that we can assign to
applications through the admin console, but it should also be possible to use
?scope=offline, which is what the OIDC spec mandates. This would then work together with
persisting consent/grants and the account management would show what permissions each
client has, including offline access. There should be a single revoke access button for
each client. That would remove all persisted consents/grants for that client and also
remove all client sessions for that client. Doing that would also expire all
"offline" refresh tokens without requiring the user to manually manage
"client sessions".
Another thing: we should probably also add support to view/manage persisted consents in the
admin console. For example an admin should be able to see what consents a user has given
to what application and also revoke.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>, "Marek Posolda"
<mposolda(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Thursday, 9 April, 2015 3:02:42 PM
Subject: Re: [keycloak-dev] offline access
On 4/9/2015 8:01 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Marek Posolda" <mposolda(a)redhat.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>, "Bill Burke"
>> <bburke(a)redhat.com>
>> Cc: keycloak-dev(a)lists.jboss.org
>> Sent: Friday, 3 April, 2015 4:02:04 PM
>> Subject: Re: [keycloak-dev] offline access
>>
>> Maybe we should use the name "offline tokens" to not confuse them with
>> classic "refresh tokens"? Refresh tokens are used to refresh the access
>> token and they are always tied to a user session, whereas "offline tokens"
>> are not tied to a user session.
>
> I don't think there's anything in OpenID Connect that ties a refresh token
> to a user session, that's just what we've done.
>
> See
http://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
>
That's not the way I read it. There wouldn't be a section within OIDC
about offline access if the refresh token wasn't assumed to be a part of
a session. IMO, "offline" is really just a persisted user/client
session.
It is governed by the same exact rules as regular user
sessions. A client just needs permission to do it. You would need to
store the same exact metadata for "offline" sessions as you would for
"online" ones. What additional information is needed for "offline"?
Again, this boils down in my opinion to just the current user session
being cloned into a persisted "offline" session.
Admin console screens should be the same for "offline" and user
sessions. Main realm session screen has list of applications and the
number of their online and offline sessions. Same with the
application's session page.
The user session page has a list of sessions with an "offline" column
checked on or off. This is the same for user account page.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
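The session and revocation semantics argued over in this thread (an "offline" session as a persisted clone of the user session, logging a user out of online-only versus all sessions, a per-client offline permission, and a single revoke-access action that drops consent and every client session so offline refresh tokens stop working) can be made concrete with a small model. The following is an added toy example in Python; it is not Keycloak code and not part of the thread. The two-store layout, the scope name `offline`, the user and client IDs and the sequence in `demo()` are all assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, field

OFFLINE_SCOPE = "offline"  # assumed name; the thread proposes ?scope=offline


@dataclass
class ClientSession:
    client_id: str
    refresh_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class UserSession:
    user: str
    device: str
    offline: bool
    clients: dict = field(default_factory=dict)  # client_id -> ClientSession


class SessionStore:
    """Toy model (not Keycloak): a volatile 'online' store plus a persisted 'offline' store."""

    def __init__(self):
        self.online = {}             # session_id -> UserSession, lost on restart
        self.offline = {}            # session_id -> UserSession, persisted clones
        self.consents = {}           # (user, client_id) -> set of granted scopes
        self.offline_allowed = set() # clients an admin granted the offline role/scope
        self.tokens = {}             # refresh_token -> (session_id, client_id)

    def login(self, user, device):
        sid = secrets.token_hex(8)
        self.online[sid] = UserSession(user, device, offline=False)
        return sid

    def authorize(self, sid, client_id, scopes):
        """Client gains access to the user; with the offline scope the session is cloned into the persisted store."""
        sess = self.online[sid]
        scopes = set(scopes)
        if OFFLINE_SCOPE in scopes and client_id not in self.offline_allowed:
            raise PermissionError(f"{client_id} is not allowed to request {OFFLINE_SCOPE}")
        self.consents.setdefault((sess.user, client_id), set()).update(scopes)
        cs = ClientSession(client_id)
        sess.clients[client_id] = cs
        self.tokens[cs.refresh_token] = (sid, client_id)
        if OFFLINE_SCOPE not in scopes:
            return cs.refresh_token, None
        # Clone the user session; the offline refresh token is tied to the persisted clone only.
        osid = secrets.token_hex(8)
        ocs = ClientSession(client_id)
        self.offline[osid] = UserSession(sess.user, sess.device, offline=True, clients={client_id: ocs})
        self.tokens[ocs.refresh_token] = (osid, client_id)
        return cs.refresh_token, ocs.refresh_token

    def refresh(self, token):
        """A refresh token works only while its client session (online or offline) and the consent still exist."""
        ref = self.tokens.get(token)
        if ref is None:
            return False
        sid, client_id = ref
        sess = self.online.get(sid) or self.offline.get(sid)
        if sess is None or client_id not in sess.clients:
            return False
        return (sess.user, client_id) in self.consents

    def _drop_user_session(self, store, sid):
        for cs in store.pop(sid).clients.values():
            self.tokens.pop(cs.refresh_token, None)

    def logout_user(self, user, include_offline=False):
        """Log the user out of every device; offline clones survive unless explicitly included."""
        stores = [self.online] + ([self.offline] if include_offline else [])
        for store in stores:
            for sid in [s for s, us in store.items() if us.user == user]:
                self._drop_user_session(store, sid)

    def revoke_client_access(self, user, client_id):
        """The single 'revoke access' action: drop the persisted consent and every client session, online and offline."""
        self.consents.pop((user, client_id), None)
        for store in (self.online, self.offline):
            for us in store.values():
                if us.user == user and client_id in us.clients:
                    self.tokens.pop(us.clients.pop(client_id).refresh_token, None)

    def restart(self):
        """Simulate a server restart: in-memory sessions vanish, persisted ones are still there."""
        for sid in list(self.online):
            self._drop_user_session(self.online, sid)


def demo():
    """Constructed walk-through; returns the observations a test can check."""
    s = SessionStore()
    s.offline_allowed.add("mobile-app")
    sid = s.login("alice", "Mobile")
    rt, ort = s.authorize(sid, "mobile-app", ["openid", OFFLINE_SCOPE])
    web_rt, _ = s.authorize(sid, "web-app", ["openid"])
    out = {"before": (s.refresh(rt), s.refresh(ort), s.refresh(web_rt))}
    s.logout_user("alice")                      # online only: offline token keeps working
    out["after_logout_online"] = (s.refresh(rt), s.refresh(web_rt), s.refresh(ort))
    s.restart()                                 # persisted clone survives
    out["after_restart"] = s.refresh(ort)
    s.revoke_client_access("alice", "mobile-app")
    out["after_revoke"] = s.refresh(ort)
    out["consent_gone"] = ("alice", "mobile-app") not in s.consents
    try:                                        # client without the offline role is refused
        s.authorize(s.login("alice", "Work"), "web-app", ["openid", OFFLINE_SCOPE])
        out["offline_denied"] = False
    except PermissionError:
        out["offline_denied"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that nothing extra has to be stored for an offline session beyond what the online one already holds; what differs is which store it lives in, and therefore which operations (user logout, restart, client revocation) reach it.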