On 21/09/15 14:43, Bill Burke wrote:
On 9/21/2015 6:06 AM, Marek Posolda wrote:
> I've sent the PR. Right now it works like this:
>
> - ClientModel has flag "offlineTokensEnabled". It's possible to
> retrieve offline tokens only if the flag is enabled
>
> - Offline token is a classic refresh token with 2 differences. It has type
> "OFFLINE" while a normal refresh token has type "REFRESH". And for offline
> token, the expiration value is 0, so it never expires.
>
> - Offline token is generated by auth-server when client sends
> "scope=offline_access". It's supported for classic browser flow, but
> also for Direct Grant flow or Service account flow.
>
> - I've added OfflineClientSessionModel and OfflineUserSessionModel with
> CRUD methods on UserModel. So when a new offline token is generated by
> Keycloak, some info about the current UserSession and ClientSession is
> persisted on UserModel. This means that the offline token can be used to
> create a new access token even if the "normal" UserSession and ClientSession
> are already invalid or logged out.
>
You have to move this out of UserModel. UserModel may be backed 99% by
a UserFederationProvider. In the near future, UserFederationProvider
users may all sit in memory for only the lifetime of the session.
Does it make sense to issue offline tokens for users which are
valid only for the lifetime of the session?
Marek
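The rules Marek lists above (an OFFLINE token is a refresh token with exp 0, minted only for a client with the offline flag and only when scope=offline_access, and honoured from a persisted offline session record rather than the live user session) can be modelled compactly. The code below is an added illustration, not Keycloak's code or the PR under discussion; the names Client, Token, SessionStore, issue_token, can_refresh, logout and revoke_offline are assumptions made for this example, and SessionStore simply stands in for wherever the offline session records end up being persisted. The point it shows is that, because an offline token never expires, its only revocation paths are the client flag and deletion of the persisted record.

```python
# Added illustration of the token rules described in the thread above; it is a
# standalone model, not Keycloak's code. Names (Client, Token, SessionStore,
# issue_token, can_refresh, logout, revoke_offline) are assumptions.
from dataclasses import dataclass, field

TYPE_REFRESH = "REFRESH"   # normal refresh token, bound to a live user session
TYPE_OFFLINE = "OFFLINE"   # offline token, exp == 0 means it never expires


@dataclass
class Client:
    client_id: str
    offline_tokens_enabled: bool = False   # the ClientModel flag from the thread


@dataclass
class Token:
    type: str
    client_id: str
    user_id: str
    session_id: str
    exp: int   # unix seconds; 0 for OFFLINE tokens


@dataclass
class SessionStore:
    # ids of "normal" user sessions that are still logged in
    active_sessions: set = field(default_factory=set)
    # persisted (user_id, client_id, session_id) triples backing offline tokens
    offline_sessions: set = field(default_factory=set)


def issue_token(store, client, user_id, session_id, scope, now, refresh_lifespan=1800):
    """Mint a refresh token; scope containing offline_access yields an OFFLINE token."""
    if "offline_access" in scope.split():
        if not client.offline_tokens_enabled:
            raise PermissionError("offline tokens are not enabled for this client")
        # persist the session info so the token survives a later logout
        store.offline_sessions.add((user_id, client.client_id, session_id))
        return Token(TYPE_OFFLINE, client.client_id, user_id, session_id, exp=0)
    store.active_sessions.add(session_id)
    return Token(TYPE_REFRESH, client.client_id, user_id, session_id, exp=now + refresh_lifespan)


def can_refresh(store, client, token, now):
    """Return (ok, reason) for an attempt to exchange `token` for a new access token."""
    if token.client_id != client.client_id:
        return False, "token was issued to a different client"
    if token.type == TYPE_REFRESH:
        if token.exp <= now:
            return False, "refresh token expired"
        if token.session_id not in store.active_sessions:
            return False, "user session is logged out"
        return True, "ok"
    if token.type == TYPE_OFFLINE:
        # exp is 0, so there is no expiry check; revocation has to come from
        # the client flag or from the persisted offline session record instead
        if not client.offline_tokens_enabled:
            return False, "client no longer allows offline tokens"
        if (token.user_id, token.client_id, token.session_id) not in store.offline_sessions:
            return False, "offline session was revoked"
        return True, "ok"
    return False, "unknown token type"


def logout(store, session_id):
    """Normal logout: drops the live session but leaves offline sessions alone."""
    store.active_sessions.discard(session_id)


def revoke_offline(store, user_id, client_id):
    """The only way to kill a never-expiring OFFLINE token: delete its record."""
    store.offline_sessions = {k for k in store.offline_sessions if k[:2] != (user_id, client_id)}


def scenario():
    """Walk through issue -> logout -> refresh -> revoke for both token types."""
    store = SessionStore()
    client = Client("mobile-app", offline_tokens_enabled=True)   # constructed sample client
    now = 1_000_000
    refresh = issue_token(store, client, "alice", "sess-1", "openid", now)
    offline = issue_token(store, client, "alice", "sess-2", "openid offline_access", now)
    results = {
        "refresh_before_logout": can_refresh(store, client, refresh, now + 60),
        "offline_before_logout": can_refresh(store, client, offline, now + 60),
    }
    logout(store, "sess-1")
    logout(store, "sess-2")
    results["refresh_after_logout"] = can_refresh(store, client, refresh, now + 60)
    results["offline_after_logout"] = can_refresh(store, client, offline, now + 60)
    # far in the future the REFRESH token would be expired anyway; OFFLINE is still valid
    results["offline_years_later"] = can_refresh(store, client, offline, now + 10**9)
    revoke_offline(store, "alice", "mobile-app")
    results["offline_after_revoke"] = can_refresh(store, client, offline, now + 60)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in scenario().items():
        print(f"{name:24} {'OK' if ok else 'NO'}  {reason}")
```

Running the module prints one line per step; the offline token keeps working after logout and long after any refresh lifespan would have passed, and stops only once its persisted record is deleted, which is the property Bill's objection about where those records live is really about.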