I'm not too keen on that idea.
offline is a standard scope in OIDC and an application requests this when first retrieving
the token. When an application retrieves a refresh token with the offline scope set it
should not be linked with the user session. Instead it should be stored permanently as the
application now should have permanent offline access to the user's account. If a user
decides to revoke the application's access that should be done by going to the account
management console and viewing clients that have access to their account. This page should
list all available clients, what clients have persisted grants, as well as what clients
have offline access to their account. From the same page they should be able to revoke
access from any client.
As user sessions are not persisted they are not suitable to store offline tokens. Offline
tokens will often have a very long expiration time, a year or even no expiration time at
all (only manual revoking).
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Wednesday, 1 April, 2015 4:53:45 PM
Subject: [keycloak-dev] offline access
Wanted to discuss again how offline access might be implemented. IMO,
offline access should be a REST api. Clients would request offline
access and the UserSession would be cloned and the ClientSession would
be cloned for that particular client. ID, Access token and refresh
token would also be regenerated and sent back with the response.
With this approach, the admin console and user account session
management pages will just work. These pages will just work the way
they already work with no extra changes.
Additionally, we would want to allow different session timeouts for
offline access.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev