It's not always specific to a UserSession. The tokens obtained from a provider may be
offline tokens that provide permanent access. For example, if an application wants permanent
access to Google and Facebook, those providers can be configured with the offline scope,
which would provide access even if the user didn't log in to the current session with
either of those providers.
A logged-in user could have one token that's used to log in a specific session, but
also a number of other tokens that have not been used to log in the specific session, but
that have been used in the past, or were used when setting up the link initially.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Monday, 23 March, 2015 3:10:56 PM
Subject: [keycloak-dev] Shouldn't external token be stored in UserSession?
Why is the external token stored in actual user storage
(FederatedIdentityModel)? The token is really something specific to the
UserSession and belongs there.
Also, there may not be one single item for "external token". For
example, OIDC has both an IDToken and an access token. The IDToken is
actually used to perform a logout according to the OIDC logout profile.
Right now, our code is storing the AccessTokenResponse for OIDC, and the
entire login response for SAML.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
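The two storage locations discussed in this thread, sketched as a toy model. This is an added illustration and not Keycloak's own code or data model: the `FederatedIdentity`, `UserSession`, `Broker` names, the `END_SESSION_ENDPOINTS` table and all token values are constructed for the example. It keeps the persistent federated-identity link (where an offline token obtained with the offline scope would live) separate from the per-session tokens obtained during one login, and shows that logging the session out consumes the session's id_token for an RP-initiated logout request (the `id_token_hint` parameter of the OIDC logout profile) while the offline token on the link survives.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlencode

# Hypothetical provider end_session endpoints (constructed sample values).
END_SESSION_ENDPOINTS = {
    "google": "https://idp.example.com/google/logout",
    "facebook": "https://idp.example.com/facebook/logout",
}


@dataclass
class FederatedIdentity:
    """Persistent link between a local user and an external account.

    Lives in user storage and survives logout. An offline token is present
    only when the link was set up with the offline scope.
    """
    provider: str
    external_user_id: str
    offline_token: Optional[str] = None


@dataclass
class ProviderTokens:
    """Tokens obtained from one provider during one login.

    OIDC yields both an id_token and an access_token; the id_token is the
    one needed later for RP-initiated logout.
    """
    id_token: str
    access_token: str


@dataclass
class UserSession:
    """Session-scoped state: only the tokens used to log in *this* session."""
    session_id: str
    user_id: str
    tokens: Dict[str, ProviderTokens] = field(default_factory=dict)


class Broker:
    """Hypothetical identity broker keeping links and sessions apart."""

    def __init__(self) -> None:
        self.links: Dict[Tuple[str, str], FederatedIdentity] = {}
        self.sessions: Dict[str, UserSession] = {}

    def link_identity(self, user_id: str, provider: str, external_user_id: str,
                      offline_token: Optional[str] = None) -> None:
        # Stored in user storage, independent of any session.
        self.links[(user_id, provider)] = FederatedIdentity(
            provider, external_user_id, offline_token)

    def login_with_provider(self, session_id: str, user_id: str, provider: str,
                            tokens: ProviderTokens) -> UserSession:
        # A login through a provider requires an existing link for that user.
        if (user_id, provider) not in self.links:
            raise PermissionError(f"{user_id} has no link to {provider}")
        session = self.sessions.setdefault(
            session_id, UserSession(session_id, user_id))
        session.tokens[provider] = tokens  # session-scoped, not user storage
        return session

    def offline_token(self, user_id: str, provider: str) -> Optional[str]:
        # Read from the persistent link; does not depend on a live session.
        link = self.links.get((user_id, provider))
        return link.offline_token if link else None

    def logout(self, session_id: str, post_logout_redirect_uri: str) -> List[str]:
        """End the session and build one RP-initiated logout URL per provider
        that was used to log in this session. The session's tokens are
        dropped; persistent links and their offline tokens are untouched."""
        session = self.sessions.pop(session_id)
        urls = []
        for provider, tokens in session.tokens.items():
            query = urlencode({
                "id_token_hint": tokens.id_token,
                "post_logout_redirect_uri": post_logout_redirect_uri,
            })
            urls.append(f"{END_SESSION_ENDPOINTS[provider]}?{query}")
        return urls


def demo() -> dict:
    """Link two providers (one with an offline token), log in via one, log out."""
    broker = Broker()
    broker.link_identity("alice", "google", "g-123",
                         offline_token="google-offline-token")
    broker.link_identity("alice", "facebook", "fb-456")
    broker.login_with_provider(
        "sess-1", "alice", "facebook",
        ProviderTokens("fb-id-token", "fb-access-token"))
    urls = broker.logout("sess-1", "https://app.example.com/")
    return {
        "logout_urls": urls,
        "session_gone": "sess-1" not in broker.sessions,
        "google_offline": broker.offline_token("alice", "google"),
        "facebook_offline": broker.offline_token("alice", "facebook"),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` ends the Facebook-backed session with a single logout URL carrying that session's id_token, while the Google offline token on the persistent link remains readable afterwards; the Facebook link, set up without the offline scope, has no offline token at all.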