On Wed, Mar 14, 2018 at 8:51 AM, Stian Thorgersen <sthorger(a)redhat.com&gt; wrote: What you're saying is current offline access + new reference token would be functionally equivalent? I don't think so. With kub/openshift/social providers, you issue and revoke specific persistent access tokens through an admin UI/CLI, user service UI/CLI, or REST interface. Clients that obtain these tokens just use them to invoke and don't have to refresh them. Services that receive these as bearer tokens, though, are required to invoke on a validation endpoint as they are usually opaque. -- Bill Burke Red Hat

On Wed, Mar 14, 2018 at 10:55 AM, Schuster Sebastian (INST/ESY1) <Sebastian.Schuster(a)bosch-si.com&gt; wrote: Yes, that's how OIDC thinks of offline tokens and how we've implemented it. But facebook, kubernetes, openshift have the concept of a persistent token that can be used in bearer requests. Bill

I think facebook, kube and openshift have different requirements. They can use persistent tokens because they have complete control over their lifetime and they are targeted to be used within their environments. Facebook in particular acts as both AS and resource server. On Wed, Mar 14, 2018 at 1:02 PM, Bill Burke <bburke(a)redhat.com&gt; wrote:

On Wed, Mar 14, 2018 at 3:07 PM, Stian Thorgersen <sthorger(a)redhat.com&gt; wrote: This is just not how it works. Service Account tokens in Openshift/Kubernetes can be used as bearer tokens. Services that receive these bearer tokens call a validation endpoint (token review). The validation endpoint returns a JSON document with user info and group membership. Kubernetes additionally has a Authorization endpoint that can be invoked, but you pass in username, not a token, and the resources you want to access. BTW, this is how many OAuth implementations work. Access tokens are just opaque strings that must be validated and the only way to get information about the user is by invoking on a user info service. The keycloak/openshift integration requires keycloak to invoke on the OpenShift API server. The provider is configured with an Openshift service account token. The configured token is used as a bearer token. THERE IS NO REFRESH...EVER. Makes things really simple for the client. There are a lot of Keycloak users that jack up access token timeouts because they want permanent tokens. Managing token timeouts and refreshes is a pain in the ass. FYI, I'm not just pulling this out of my ass... :) Simo seems to think that this is a blocker for GA for keycloak/openshift integration. This is just not the same thing, sorry. Useful, but not the same thing.

On Fri, Mar 16, 2018 at 4:51 AM, Schuster Sebastian (INST/ESY1) <Sebastian.Schuster(a)bosch-si.com&gt; wrote: IMO, depends on the HTTP client framework too, not just the oauth one. I like things ridiculously simple though. -- Bill Burke Red Hat

I think supporting opaque tokens would be really great. Our security guys have concerns with self-contained tokens for some cases that might demand doing token signing in an HSM. Using opaque tokens is an alternative to that… Best regards, Sebastian Mit freundlichen Grüßen / Best regards Dr.-Ing. Sebastian Schuster Engineering and Support (INST/ESY1) Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com<http://www.bosch-si.com> Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster@bosch-si.com<mailto:Sebastian.Schuster@bosch-si.com> Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr. Stefan Ferber, Michael Hahn From: Stian Thorgersen [mailto:sthorger@redhat.com] Sent: Dienstag, 20. März 2018 21:47 To: Bill Burke <bburke(a)redhat.com&gt; Cc: Pedro Igor Silva <psilva(a)redhat.com>; Schuster Sebastian (INST/ESY1) <Sebastian.Schuster(a)bosch-si.com>; keycloak-dev <keycloak-dev(a)lists.jboss.org&gt; Subject: Re: [keycloak-dev] we do not support offline tokens Sounds like something we should add. Would it not just be a matter of allowing overriding the token expiration for specific clients? Perhaps also we should have the option for clients to obtain actually opaque tokens so they are forced to call the token introspection endpoint (or token review endpoint in OpenShift/Kube case). On 15 March 2018 at 03:12, Bill Burke <bburke@redhat.com<mailto:bburke@redhat.com>> wrote: On Wed, Mar 14, 2018 at 3:07 PM, Stian Thorgersen <sthorger@redhat.com<mailto:sthorger@redhat.com>> wrote: This is just not how it works. Service Account tokens in Openshift/Kubernetes can be used as bearer tokens. Services that receive these bearer tokens call a validation endpoint (token review). The validation endpoint returns a JSON document with user info and group membership. Kubernetes additionally has a Authorization endpoint that can be invoked, but you pass in username, not a token, and the resources you want to access. BTW, this is how many OAuth implementations work. Access tokens are just opaque strings that must be validated and the only way to get information about the user is by invoking on a user info service. The keycloak/openshift integration requires keycloak to invoke on the OpenShift API server. The provider is configured with an Openshift service account token. The configured token is used as a bearer token. THERE IS NO REFRESH...EVER. Makes things really simple for the client. There are a lot of Keycloak users that jack up access token timeouts because they want permanent tokens. Managing token timeouts and refreshes is a pain in the ass. FYI, I'm not just pulling this out of my ass... :) Simo seems to think that this is a blocker for GA for keycloak/openshift integration. This is just not the same thing, sorry. Useful, but not the same thing.