----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: "Bill Burke" <bburke(a)redhat.com>, keycloak-dev(a)lists.jboss.org
Sent: Monday, 31 August, 2015 3:06:48 PM
Subject: Re: [keycloak-dev] Offline tokens
Actually KEYCLOAK_IDENTITY cookie is persistent just for the configured
idle timeout (like 30 minutes). But for the offline token, I imagine we
want to support the scenario when user authenticates to his application
after a week of inactivity or so.
You sure - is it not the SSO max lifespan?
Here I meant the cookie will be on the application side, not on the KC
side. When user opens his browser and goes to
, the application (adapter) side
will read the offline token from the persistent cookie and then login
user based on that.
The offline token is for a background process or server, so there shouldn't be a
persistent cookie. An example flow for a backup application could be:
1. User logs in to backup application
2. App redirects to KC login with scope=offline
3. Backup application stores the offline token in a database
4. User logs out of KC SSO
5. Backup application now wants to execute a backup, it will then retrieve the offline
   token from the database, send it to Keycloak to obtain an access token, then invoke the
6. User opens backup application again and clicks login
7. User is again presented with login screen (as the user isn't logged-in, even though
   the backup application has offline access)
8. User is now logged-in to backup application and can change settings
On 21/08/15 14:50, Bill Burke wrote:
> On 8/21/2015 8:09 AM, Marek Posolda wrote:
>> - Actually, for the frontend adapters (both server and keycloak.js ) I
>> am thinking about adding the persistent cookie, which will be put on the
>> application after successful login and is valid for the same time like
>> the offline token (so couple of months). When browser is opened next
>> time, the adapter will find the cookie and send the validation request
>> to KC to check if offline token is still valid. This will allow the
>> browser application to be logged with the same offline token for couple
>> of months.
> I don't understand why you need an offline token for browser
> applications. We already support persistent cookies.
keycloak-dev mailing list
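Steps 3 and 5 of the backup flow described in the reply above, sketched as an added example that is not part of the original thread or Keycloak's own code: the offline token is kept server-side and exchanged with the standard OAuth 2.0 refresh_token grant, and a rejected token is deleted rather than retried. The token URL, client id, table layout and the injected `post` transport are assumptions made for illustration.

```python
import sqlite3
import urllib.parse

# Assumed values for illustration; not taken from the thread.
TOKEN_URL = "https://kc.example.test/realms/demo/protocol/openid-connect/token"
CLIENT_ID = "backup-app"


class OfflineAccessRevoked(Exception):
    """The stored offline token is missing or no longer accepted; the user must log in again."""


def open_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE offline_tokens (user_id TEXT PRIMARY KEY, token TEXT NOT NULL)")
    return db


def store_offline_token(db, user_id, token):
    # Step 3: persist the token server-side, never in a browser cookie.
    db.execute("INSERT OR REPLACE INTO offline_tokens VALUES (?, ?)", (user_id, token))


def build_refresh_request(offline_token, client_secret):
    # Step 5: form body of the refresh_token grant (RFC 6749 section 6).
    return urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "refresh_token": offline_token,
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
    })


def access_token_for_backup(db, user_id, client_secret, post):
    # post(url, body) -> (status, json_dict) is a hypothetical transport, injected to run offline.
    row = db.execute("SELECT token FROM offline_tokens WHERE user_id = ?", (user_id,)).fetchone()
    if row is None:
        raise OfflineAccessRevoked(user_id)
    status, payload = post(TOKEN_URL, build_refresh_request(row[0], client_secret))
    if status == 400 and payload.get("error") == "invalid_grant":
        # Token revoked or expired at the server: drop it so it is not retried.
        db.execute("DELETE FROM offline_tokens WHERE user_id = ?", (user_id,))
        raise OfflineAccessRevoked(user_id)
    if status != 200:
        raise RuntimeError(f"token endpoint returned {status}")
    if "refresh_token" in payload:
        # The server may rotate the token; keep the newest one.
        store_offline_token(db, user_id, payload["refresh_token"])
    return payload["access_token"]
```

A production store would also encrypt the token column, since an offline token stays usable after the user's SSO session has ended.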