----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
Sent: Friday, 21 August, 2015 1:30:16 PM
Subject: [keycloak-dev] Offline tokens
Some thoughts around offline tokens impl:
- Client has switch "Allow offline tokens" . Offline token can be
requested just if the switch is enabled
- Offline token can be requested if parameter "scope=offline" is sent.
Offline token is sent alone, no IDToken or refreshToken is sent together
Question: Should be offline tokens available just for
ResourceOwnerPasswordCredentials and ServiceAccounts or also for classic
web based authorization code flow?
An offline token is just a refresh token, but without any expiration. For an offline token
the response should be exactly the same as a non-offline token, except the refresh token
has no expiration time.
- There are methods on UserModel to track which offline tokens were
issued for particular user. Like:
void addOfflineToken(String offlineToken);
void removeOfflineToken(String offlineToken);
- Offline token will never expire. Or should we eventually add another
timeout for offline token (With some big default value like 1 month or so)?
Shouldn't expire, it's a permanent access until manually revoked
- Offline token is not refreshable.
Not sure what you mean, but a offline token is a refresh token without expiration. An
offline token should never be sent to a service, instead it should be used to obtain an
- Offline token can be validated by current OIDC endpoint for token
validation. Offline token is not valid if UserModel doesn't have token
anymore on it. But offline token is still valid even if corresponding
UserSession doesn't exist. So we can still have offline tokens valid for
1 year even if SsoSessionMaxLifespan is just 10 hours.
OIDC endpoint for token validation validates an access token, not the refresh token. So I
don't think it should be possible to validate it.
- Offline token can be logged out. Logout will remove offline token from
Not sure what this means - an offline token can be revoked by a user. There's no log
out as such.
- In Account management applications page can user see list of offline
tokens issued for individual clients and he can revoke them. Not sure if
put another "Revoke offline token" or use current "Revoke grant"
which will revoke both consents and offline tokens?
Each application should have a list of what access it has. Where offline access is one of
the "permissions" the app has. Each application should have a single button
"Revoke application access", which removes grants as well as invalidates all
- Admin can see the offline tokens for user in admin console and can
revoke them too . Current button "Logout All" in sessions tab will
revoke offline tokens from all users . For performance reasons, we may
need method on UserProvider, so it's possible to clean whole DB table
"OFFLINE_TOKEN" (similarly for mongo) instead of iterating through all
"Logout All" in sessions tabs should not revoke offline tokens.
- For adapters, we should likely have an option, so the REST endpoint
adapter has possibility to validate offline token by always sending
validation request to KC server. We didn't need it for access tokens,
which are valid just for 1 minute or so, but offline tokens are long
lived so adapter should have this possibility IMO.
Again, offline tokens should not be sent to services. Instead they should send access
tokens that are obtained from an offline token.
keycloak-dev mailing list