An offline token would just be an access token with a long expiration time
right?
Isn't that a bit tricky from a security perspective and also from the fact
that you can't really invalidate the token? So all services would need to
check the token with the token introspection endpoint.
Could we fill the same use-case with some sort of reference token instead?
A short UUID that can be exchanged for a token using the token exchange
service perhaps?
On 13 March 2018 at 22:15, Bill Burke <bburke(a)redhat.com> wrote:
Correct me if I'm wrong, but we don't support the concept of an
offline token right? Just an offline refresh token?
Probably something we will have to support as Kubernetes, Openshift,
and many of the social providers have a similar concept of a permanent
persisted access token.
--
Bill Burke
Red Hat
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
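
Added example, not part of the original thread and not Keycloak code: it contrasts a long-lived self-contained access token, which a service validating locally keeps accepting after the grant is withdrawn, with the reference-token idea raised in the reply, where an opaque UUID is exchanged for a short-lived token. The HMAC token format, `ReferenceTokenStore`, the function names, the key and the 60-second lifetime are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, uuid

SIGNING_KEY = b"constructed-demo-key"  # constructed sample key, not a real secret
ACCESS_TTL = 60                        # assumed short access-token lifetime (seconds)

def sign_token(claims):
    """Issue a self-contained token: base64url(claims) + '.' + HMAC-SHA256 tag."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag

def verify_locally(token, now):
    """All a service can check without calling the issuer: signature and expiry."""
    body, _, tag = token.partition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims if claims["exp"] > now else None

class ReferenceTokenStore:
    """Hypothetical issuer-side table mapping opaque handles to grants."""
    def __init__(self):
        self._grants = {}
    def issue(self, subject):
        handle = str(uuid.uuid4())  # opaque reference, carries no claims
        self._grants[handle] = subject
        return handle
    def revoke(self, handle):
        self._grants.pop(handle, None)

    def exchange(self, handle, now):
        """Swap a live handle for a short-lived access token; None if revoked."""
        subject = self._grants.get(handle)
        return sign_token({"sub": subject, "exp": now + ACCESS_TTL}) if subject else None

def demo():
    now = 1_000_000  # constructed clock value
    long_lived = sign_token({"sub": "ci-bot", "exp": now + 365 * 86400})
    store = ReferenceTokenStore()
    handle = store.issue("ci-bot")
    short = store.exchange(handle, now)
    store.revoke(handle)            # the issuer withdraws both grants at this point
    later = now + ACCESS_TTL + 1
    return {
        "long_lived_still_valid": verify_locally(long_lived, later) is not None,
        "short_token_still_valid": verify_locally(short, later) is not None,
        "handle_exchangeable": store.exchange(handle, later) is not None,
    }
```

After revocation the long-lived token still passes local verification, which is why it would force every service onto introspection, while the reference handle stops working at the issuer and the last short-lived token expires within `ACCESS_TTL`.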