1:12 p.m.
Hi,
I'm using the oauth2 token introspection feature in order to validate and
get info about tokens, however I'm not being able to get info of
offline_tokens. Is that possible? Or does it make sense?
Thank you,
JM
2:35 a.m.
Hi,
it seems that oauth2 token introspection specs doesn't have any direct
support for OIDC offline tokens. However you can possibly create JIRA
for it. Currently it seems we consider token as valid just if there is
"online" valid userSession. In case of offlineToken, it should check
"offline" session instead.
Marek
On 06/06/16 19:12, Jorge M. wrote:
Hi,
I'm using the oauth2 token introspection feature in order to validate
and get info about tokens, however I'm not being able to get info of
offline_tokens. Is that possible? Or does it make sense?
Thank you,
JM
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
3:17 a.m.
The token introspection endpoint is for access tokens though, not refresh
tokens and offline tokens. You should introspect an access token retrieved
using the offline token, not the offline token itself.
On 7 June 2016 at 08:35, Marek Posolda <mposolda(a)redhat.com> wrote:
Hi,
it seems that oauth2 token introspection specs doesn't have any direct
support for OIDC offline tokens. However you can possibly create JIRA for
it. Currently it seems we consider token as valid just if there is "online"
valid userSession. In case of offlineToken, it should check "offline"
session instead.
Marek
On 06/06/16 19:12, Jorge M. wrote:
Hi,
I'm using the oauth2 token introspection feature in order to validate and
get info about tokens, however I'm not being able to get info of
offline_tokens. Is that possible? Or does it make sense?
Thank you,
JM
_______________________________________________
keycloak-dev mailing
listkeycloak-dev@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
3:29 a.m.
The introspection specs has some support for refresh tokens and our impl
supports it too. You can even provide "token_type_hint" parameter and
use either the value "access_token" or "refresh_token" .
The offline token is not directly supported, but I am personally not
seeing an issue for us to be a bit more "clever" and lookup offline
sessions instead of online sessions in case that type of provided token
is offline token?
Marek
On 07/06/16 09:17, Stian Thorgersen wrote:
The token introspection endpoint is for access tokens though, not
refresh tokens and offline tokens. You should introspect an access
token retrieved using the offline token, not the offline token itself.
On 7 June 2016 at 08:35, Marek Posolda <mposolda(a)redhat.com
<mailto:mposolda@redhat.com>> wrote:
Hi,
it seems that oauth2 token introspection specs doesn't have any
direct support for OIDC offline tokens. However you can possibly
create JIRA for it. Currently it seems we consider token as valid
just if there is "online" valid userSession. In case of
offlineToken, it should check "offline" session instead.
Marek
On 06/06/16 19:12, Jorge M. wrote:
> Hi,
>
> I'm using the oauth2 token introspection feature in order to
> validate and get info about tokens, however I'm not being able to
> get info of offline_tokens. Is that possible? Or does it make sense?
>
> Thank you,
> JM
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
3:34 a.m.
In that case +1 to support offline tokens.
On 7 June 2016 at 09:29, Marek Posolda <mposolda(a)redhat.com> wrote:
The introspection specs has some support for refresh tokens and our
impl
supports it too. You can even provide "token_type_hint" parameter and use
either the value "access_token" or "refresh_token" .
The offline token is not directly supported, but I am personally not
seeing an issue for us to be a bit more "clever" and lookup offline
sessions instead of online sessions in case that type of provided token is
offline token?
Marek
On 07/06/16 09:17, Stian Thorgersen wrote:
The token introspection endpoint is for access tokens though, not refresh
tokens and offline tokens. You should introspect an access token retrieved
using the offline token, not the offline token itself.
On 7 June 2016 at 08:35, Marek Posolda <mposolda(a)redhat.com> wrote:
> Hi,
>
> it seems that oauth2 token introspection specs doesn't have any direct
> support for OIDC offline tokens. However you can possibly create JIRA for
> it. Currently it seems we consider token as valid just if there is
"online"
> valid userSession. In case of offlineToken, it should check "offline"
> session instead.
>
> Marek
>
>
> On 06/06/16 19:12, Jorge M. wrote:
>
> Hi,
>
> I'm using the oauth2 token introspection feature in order to validate and
> get info about tokens, however I'm not being able to get info of
> offline_tokens. Is that possible? Or does it make sense?
>
> Thank you,
> JM
>
>
> _______________________________________________
> keycloak-dev mailing
listkeycloak-dev@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
8:26 a.m.
That sounds good. Should I create a Jira ticket for this one?
By the way... We are planning to use offline tokens on native mobile client
apps. Basically the apps only use KC for authentication (using aerogear
oauth2). Do you think that a regular access_token is more suitable for this
scenario, rather than the offline token?
Thanks,
JM
2016-06-07 8:34 GMT+01:00 Stian Thorgersen <sthorger(a)redhat.com>:
In that case +1 to support offline tokens.
On 7 June 2016 at 09:29, Marek Posolda <mposolda(a)redhat.com> wrote:
> The introspection specs has some support for refresh tokens and our impl
> supports it too. You can even provide "token_type_hint" parameter and use
> either the value "access_token" or "refresh_token" .
>
> The offline token is not directly supported, but I am personally not
> seeing an issue for us to be a bit more "clever" and lookup offline
> sessions instead of online sessions in case that type of provided token is
> offline token?
>
> Marek
>
>
> On 07/06/16 09:17, Stian Thorgersen wrote:
>
> The token introspection endpoint is for access tokens though, not refresh
> tokens and offline tokens. You should introspect an access token retrieved
> using the offline token, not the offline token itself.
>
> On 7 June 2016 at 08:35, Marek Posolda <mposolda(a)redhat.com> wrote:
>
>> Hi,
>>
>> it seems that oauth2 token introspection specs doesn't have any direct
>> support for OIDC offline tokens. However you can possibly create JIRA for
>> it. Currently it seems we consider token as valid just if there is
"online"
>> valid userSession. In case of offlineToken, it should check "offline"
>> session instead.
>>
>> Marek
>>
>>
>> On 06/06/16 19:12, Jorge M. wrote:
>>
>> Hi,
>>
>> I'm using the oauth2 token introspection feature in order to validate
>> and get info about tokens, however I'm not being able to get info of
>> offline_tokens. Is that possible? Or does it make sense?
>>
>> Thank you,
>> JM
>>
>>
>> _______________________________________________
>> keycloak-dev mailing
listkeycloak-dev@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
>
>
12:44 p.m.
On 07/06/16 14:26, Jorge M. wrote:
That sounds good. Should I create a Jira ticket for this one?
Yes
By the way... We are planning to use offline tokens on native mobile
client apps. Basically the apps only use KC for authentication (using
aerogear oauth2). Do you think that a regular access_token is more
suitable for this scenario, rather than the offline token?
Depends on the use-case.
Access token is always valid just for few
minutes and can be used to invoke 3rd party REST services. When offline
token is just special type of refresh token. It can be used just for
refreshing and retrieve new accessTokens, but it can't be used to invoke
3rd party REST services. Only difference between offline token and
refresh token is, that offline token is long-lived and valid for days or
weeks. So once you authenticate to Keycloak and you have offlineToken,
you can use this offlineToken after a very long time to "refresh" and
retrieve new accessToken and then use this retrieved accessToken to
invoke 3rd party REST endpoints.
Marek
Thanks,
JM
2016-06-07 8:34 GMT+01:00 Stian Thorgersen <sthorger(a)redhat.com
<mailto:sthorger@redhat.com>>:
In that case +1 to support offline tokens.
On 7 June 2016 at 09:29, Marek Posolda <mposolda(a)redhat.com
<mailto:mposolda@redhat.com>> wrote:
The introspection specs has some support for refresh tokens
and our impl supports it too. You can even provide
"token_type_hint" parameter and use either the value
"access_token" or "refresh_token" .
The offline token is not directly supported, but I am
personally not seeing an issue for us to be a bit more
"clever" and lookup offline sessions instead of online
sessions in case that type of provided token is offline token?
Marek
On 07/06/16 09:17, Stian Thorgersen wrote:
> The token introspection endpoint is for access tokens though,
> not refresh tokens and offline tokens. You should introspect
> an access token retrieved using the offline token, not the
> offline token itself.
>
> On 7 June 2016 at 08:35, Marek Posolda <mposolda(a)redhat.com
> <mailto:mposolda@redhat.com>> wrote:
>
> Hi,
>
> it seems that oauth2 token introspection specs doesn't
> have any direct support for OIDC offline tokens. However
> you can possibly create JIRA for it. Currently it seems
> we consider token as valid just if there is "online"
> valid userSession. In case of offlineToken, it should
> check "offline" session instead.
>
> Marek
>
>
> On 06/06/16 19:12, Jorge M. wrote:
>> Hi,
>>
>> I'm using the oauth2 token introspection feature in
>> order to validate and get info about tokens, however I'm
>> not being able to get info of offline_tokens. Is that
>> possible? Or does it make sense?
>>
>> Thank you,
>> JM
>>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> <mailto:keycloak-dev@lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> <mailto:keycloak-dev@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
12:33 a.m.
Would you be able to send a PR for the issue? Looks like it should be
relatively simple to add.
I'm curious when you say it's only used for authentication. Authentication
to what? Are you not invoking any external services?
On 7 June 2016 at 14:26, Jorge M. <jm85martins(a)gmail.com> wrote:
That sounds good. Should I create a Jira ticket for this one?
By the way... We are planning to use offline tokens on native mobile
client apps. Basically the apps only use KC for authentication (using
aerogear oauth2). Do you think that a regular access_token is more suitable
for this scenario, rather than the offline token?
Thanks,
JM
2016-06-07 8:34 GMT+01:00 Stian Thorgersen <sthorger(a)redhat.com>:
> In that case +1 to support offline tokens.
>
> On 7 June 2016 at 09:29, Marek Posolda <mposolda(a)redhat.com> wrote:
>
>> The introspection specs has some support for refresh tokens and our impl
>> supports it too. You can even provide "token_type_hint" parameter and
use
>> either the value "access_token" or "refresh_token" .
>>
>> The offline token is not directly supported, but I am personally not
>> seeing an issue for us to be a bit more "clever" and lookup offline
>> sessions instead of online sessions in case that type of provided token is
>> offline token?
>>
>> Marek
>>
>>
>> On 07/06/16 09:17, Stian Thorgersen wrote:
>>
>> The token introspection endpoint is for access tokens though, not
>> refresh tokens and offline tokens. You should introspect an access token
>> retrieved using the offline token, not the offline token itself.
>>
>> On 7 June 2016 at 08:35, Marek Posolda <mposolda(a)redhat.com> wrote:
>>
>>> Hi,
>>>
>>> it seems that oauth2 token introspection specs doesn't have any direct
>>> support for OIDC offline tokens. However you can possibly create JIRA for
>>> it. Currently it seems we consider token as valid just if there is
"online"
>>> valid userSession. In case of offlineToken, it should check
"offline"
>>> session instead.
>>>
>>> Marek
>>>
>>>
>>> On 06/06/16 19:12, Jorge M. wrote:
>>>
>>> Hi,
>>>
>>> I'm using the oauth2 token introspection feature in order to validate
>>> and get info about tokens, however I'm not being able to get info of
>>> offline_tokens. Is that possible? Or does it make sense?
>>>
>>> Thank you,
>>> JM
>>>
>>>
>>> _______________________________________________
>>> keycloak-dev mailing
listkeycloak-dev@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>
>>
>>
>
2884
days inactive
2886
days old
7 comments
3 participants
participants (3)
-
Jorge M. -
Marek Posolda -
Stian Thorgersen