The introspection specs has some support for refresh tokens and our impl
supports it too. You can even provide "token_type_hint" parameter and
use either the value "access_token" or "refresh_token" .
The offline token is not directly supported, but I am personally not
seeing an issue for us to be a bit more "clever" and lookup offline
sessions instead of online sessions in case that type of provided token
is offline token?
Marek
On 07/06/16 09:17, Stian Thorgersen wrote:
The token introspection endpoint is for access tokens though, not
refresh tokens and offline tokens. You should introspect an access
token retrieved using the offline token, not the offline token itself.
On 7 June 2016 at 08:35, Marek Posolda <mposolda(a)redhat.com
<mailto:mposolda@redhat.com>> wrote:
Hi,
it seems that oauth2 token introspection specs doesn't have any
direct support for OIDC offline tokens. However you can possibly
create JIRA for it. Currently it seems we consider token as valid
just if there is "online" valid userSession. In case of
offlineToken, it should check "offline" session instead.
Marek
On 06/06/16 19:12, Jorge M. wrote:
> Hi,
>
> I'm using the oauth2 token introspection feature in order to
> validate and get info about tokens, however I'm not being able to
> get info of offline_tokens. Is that possible? Or does it make sense?
>
> Thank you,
> JM
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev