On 07/06/16 14:26, Jorge M. wrote:
That sounds good. Should I create a Jira ticket for this one?
Yes
By the way... We are planning to use offline tokens on native mobile
client apps. Basically the apps only use KC for authentication (using
aerogear oauth2). Do you think that a regular access_token is more
suitable for this scenario, rather than the offline token?
Depends on the use-case.
An access token is always valid just for a few minutes and can be used
to invoke 3rd-party REST services, whereas an offline token is just a
special type of refresh token. It can be used only for refreshing and
retrieving new access tokens, but it can't be used to invoke 3rd-party
REST services. The only difference between an offline token and a
refresh token is that the offline token is long-lived and valid for days
or weeks. So once you authenticate to Keycloak and have an offline
token, you can use this offline token after a very long time to
"refresh" and retrieve a new access token, and then use this retrieved
access token to invoke 3rd-party REST endpoints.
Marek
Thanks,
JM
2016-06-07 8:34 GMT+01:00 Stian Thorgersen <sthorger@redhat.com>:
In that case +1 to support offline tokens.
On 7 June 2016 at 09:29, Marek Posolda <mposolda@redhat.com> wrote:
The introspection spec has some support for refresh tokens,
and our impl supports it too. You can even provide the
"token_type_hint" parameter and use either the value
"access_token" or "refresh_token".
The offline token is not directly supported, but I
personally don't see an issue with us being a bit more
"clever" and looking up offline sessions instead of online
sessions in case the type of the provided token is an offline token?
Marek
On 07/06/16 09:17, Stian Thorgersen wrote:
> The token introspection endpoint is for access tokens though,
> not refresh tokens and offline tokens. You should introspect
> an access token retrieved using the offline token, not the
> offline token itself.
>
> On 7 June 2016 at 08:35, Marek Posolda <mposolda@redhat.com> wrote:
>
> Hi,
>
> it seems that the OAuth2 token introspection spec doesn't
> have any direct support for OIDC offline tokens. However,
> you can possibly create a JIRA for it. Currently it seems
> we consider a token valid just if there is a valid "online"
> userSession. In the case of an offlineToken, it should
> check the "offline" session instead.
>
> Marek
>
>
> On 06/06/16 19:12, Jorge M. wrote:
>> Hi,
>>
>> I'm using the oauth2 token introspection feature in
>> order to validate and get info about tokens, however I'm
>> not able to get info about offline_tokens. Is that
>> possible? Or does it make sense?
>>
>> Thank you,
>> JM
>>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev@lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
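As an added example that is not part of the thread and not Keycloak's own code: the snippet below models the two points the thread turns on. First, an RFC 7662 introspection request carries a token_type_hint, and since an offline token is a special kind of refresh token, the hint for it is "refresh_token". Second, a toy server-side introspect() shows Jorge's problem (only online sessions are consulted, so a live offline token reads as inactive) next to Marek's proposal (pick the session store from the token type). Assumptions, labelled in the code: Keycloak tokens carry a "typ" claim of "Bearer", "Refresh" or "Offline", a "session_state" claim names the user session, an offline token with exp 0 has no embedded expiry, and the realm URL and endpoint path are placeholders. The tokens are constructed, unsigned samples; real ones are signed, which is exactly why a client introspects instead of trusting the claims itself.

```python
import base64
import json
from urllib.parse import urlencode

ISSUER = "https://keycloak.example/auth/realms/demo"  # assumed realm URL, not a real deployment


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(typ: str, session_state: str, exp: int, client_id: str = "mobile-app") -> str:
    """Constructed sample JWT with an empty signature segment (real Keycloak tokens are
    signed). The typ values Bearer / Refresh / Offline follow the Keycloak convention
    assumed in this example."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"typ": typ, "session_state": session_state, "exp": exp,
               "iss": ISSUER, "azp": client_id}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), ""])


def decode_claims(token: str) -> dict:
    """Decode the payload segment only. No signature check: this is used to pick a
    hint, never as a trust decision, which is what introspection is for."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def introspection_request(token: str, client_id: str, client_secret: str) -> dict:
    """Form body for the RFC 7662 endpoint (assumed Keycloak path shown below).
    An offline token is a refresh token, so it gets the refresh_token hint."""
    typ = decode_claims(token).get("typ")
    hint = "access_token" if typ == "Bearer" else "refresh_token"
    return {
        "url": f"{ISSUER}/protocol/openid-connect/token/introspect",
        "auth": (client_id, client_secret),       # confidential client credentials
        "body": urlencode({"token": token, "token_type_hint": hint}),
    }


def introspect(token, online_sessions, offline_sessions, now, lookup_offline=True):
    """Toy model of the server side. lookup_offline=False reproduces the behaviour
    Jorge hit: only online sessions are consulted, so a valid offline token is
    reported inactive. lookup_offline=True is Marek's proposal: choose the session
    store by token type."""
    claims = decode_claims(token)
    typ = claims.get("typ")
    if typ in ("Bearer", "Refresh"):
        store = online_sessions
    elif typ == "Offline" and lookup_offline:
        store = offline_sessions
    else:
        return {"active": False}                  # RFC 7662: unknown or unusable token
    exp = claims.get("exp", 0)
    # Assumption: exp == 0 on an offline token means no embedded expiry; the offline
    # session idle timeout (modelled here by the store contents) governs validity.
    if exp and exp <= now:
        return {"active": False}
    if claims.get("session_state") not in store:
        return {"active": False}                  # session logged out or idle-expired
    return {"active": True, "token_type": typ, "client_id": claims.get("azp"),
            "exp": exp, "iss": claims.get("iss")}


# Constructed scenario: one live online session, one offline session saved weeks ago.
NOW = 1_465_300_000                                # 7 June 2016, UTC
ONLINE_SESSIONS = {"sess-online-1"}
OFFLINE_SESSIONS = {"sess-offline-9"}
ACCESS_TOKEN = make_token("Bearer", "sess-online-1", NOW + 300)   # few-minute access token
STALE_ACCESS_TOKEN = make_token("Bearer", "sess-online-1", NOW - 60)
OFFLINE_TOKEN = make_token("Offline", "sess-offline-9", 0)

if __name__ == "__main__":
    req = introspection_request(OFFLINE_TOKEN, "mobile-app", "client-secret")
    print("POST", req["url"], "hint:", req["body"].rsplit("=", 1)[-1])
    print("current behaviour:",
          introspect(OFFLINE_TOKEN, ONLINE_SESSIONS, OFFLINE_SESSIONS, NOW, lookup_offline=False))
    print("proposed behaviour:",
          introspect(OFFLINE_TOKEN, ONLINE_SESSIONS, OFFLINE_SESSIONS, NOW))
```

The model also keeps Stian's point visible: introspecting the short-lived access token obtained from an offline token is the path that already works, because that access token is tied to a session the server knows how to look up.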