1:30 p.m.
Some thoughts around offline tokens impl:
- Client has switch "Allow offline tokens" . Offline token can be
requested just if the switch is enabled
- Offline token can be requested if parameter "scope=offline" is sent.
Offline token is sent alone, no IDToken or refreshToken is sent together
with it.
Question: Should be offline tokens available just for
ResourceOwnerPasswordCredentials and ServiceAccounts or also for classic
web based authorization code flow?
- There are methods on UserModel to track which offline tokens were
issued for particular user. Like:
List<String> getOfflineTokens();
void addOfflineToken(String offlineToken);
void removeOfflineToken(String offlineToken);
- Offline token will never expire. Or should we eventually add another
timeout for offline token (With some big default value like 1 month or so)?
- Offline token is not refreshable.
- Offline token can be validated by current OIDC endpoint for token
validation. Offline token is not valid if UserModel doesn't have token
anymore on it. But offline token is still valid even if corresponding
UserSession doesn't exist. So we can still have offline tokens valid for
1 year even if SsoSessionMaxLifespan is just 10 hours.
- Offline token can be logged out. Logout will remove offline token from
corresponding UserModel.
- In Account management applications page can user see list of offline
tokens issued for individual clients and he can revoke them. Not sure if
put another "Revoke offline token" or use current "Revoke grant"
action,
which will revoke both consents and offline tokens?
- Admin can see the offline tokens for user in admin console and can
revoke them too . Current button "Logout All" in sessions tab will
revoke offline tokens from all users . For performance reasons, we may
need method on UserProvider, so it's possible to clean whole DB table
"OFFLINE_TOKEN" (similarly for mongo) instead of iterating through all
users.
- For adapters, we should likely have an option, so the REST endpoint
adapter has possibility to validate offline token by always sending
validation request to KC server. We didn't need it for access tokens,
which are valid just for 1 minute or so, but offline tokens are long
lived so adapter should have this possibility IMO.
WDYT?
Marek
2:09 p.m.
On 21/08/15 13:30, Marek Posolda wrote:
Some thoughts around offline tokens impl:
- Client has switch "Allow offline tokens" . Offline token can be
requested just if the switch is enabled
- Offline token can be requested if parameter "scope=offline" is sent.
Offline token is sent alone, no IDToken or refreshToken is sent together
with it.
Question: Should be offline tokens available just for
ResourceOwnerPasswordCredentials and ServiceAccounts or also for classic
web based authorization code flow?
- There are methods on UserModel to track which offline tokens were
issued for particular user. Like:
List<String> getOfflineTokens();
void addOfflineToken(String offlineToken);
void removeOfflineToken(String offlineToken);
- Offline token will never expire. Or should we eventually add another
timeout for offline token (With some big default value like 1 month or so)?
- Offline token is not refreshable.
- Offline token can be validated by current OIDC endpoint for token
validation. Offline token is not valid if UserModel doesn't have token
anymore on it. But offline token is still valid even if corresponding
UserSession doesn't exist. So we can still have offline tokens valid for
1 year even if SsoSessionMaxLifespan is just 10 hours.
- Offline token can be logged out. Logout will remove offline token from
corresponding UserModel.
- In Account management applications page can user see list of offline
tokens issued for individual clients and he can revoke them. Not sure if
put another "Revoke offline token" or use current "Revoke grant"
action,
which will revoke both consents and offline tokens?
- Admin can see the offline tokens for user in admin console and can
revoke them too . Current button "Logout All" in sessions tab will
revoke offline tokens from all users . For performance reasons, we may
need method on UserProvider, so it's possible to clean whole DB table
"OFFLINE_TOKEN" (similarly for mongo) instead of iterating through all
users.
- For adapters, we should likely have an option, so the REST endpoint
adapter has possibility to validate offline token by always sending
validation request to KC server. We didn't need it for access tokens,
which are valid just for 1 minute or so, but offline tokens are long
lived so adapter should have this possibility IMO.
- Actually, for the frontend
adapters (both server and keycloak.js ) I
am thinking about adding the persistent cookie, which will be put on the
application after successful login and is valid for the same time like
the offline token (so couple of months). When browser is opened next
time, the adapter will find the cookie and send the validation request
to KC to check if offline token is still valid. This will allow the
browser application to be logged with the same offline token for couple
of months.
I also wonder if we should put the IP address checking when validating
offline token (Offline token is valid just if validation request come
from same address like the original request) ?
Mare
WDYT?
Marek
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
2:50 p.m.
On 8/21/2015 8:09 AM, Marek Posolda wrote:
- Actually, for the frontend adapters (both server and keycloak.js )
I
am thinking about adding the persistent cookie, which will be put on the
application after successful login and is valid for the same time like
the offline token (so couple of months). When browser is opened next
time, the adapter will find the cookie and send the validation request
to KC to check if offline token is still valid. This will allow the
browser application to be logged with the same offline token for couple
of months.
I don't understand why you need an offline token for browser
applications. We already support persistent cookies.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
2:58 p.m.
On 8/21/2015 8:50 AM, Bill Burke wrote:
On 8/21/2015 8:09 AM, Marek Posolda wrote:
> - Actually, for the frontend adapters (both server and keycloak.js ) I
> am thinking about adding the persistent cookie, which will be put on the
> application after successful login and is valid for the same time like
> the offline token (so couple of months). When browser is opened next
> time, the adapter will find the cookie and send the validation request
> to KC to check if offline token is still valid. This will allow the
> browser application to be logged with the same offline token for couple
> of months.
>
I don't understand why you need an offline token for browser
applications. We already support persistent cookies.
IMO, but Stian disgreed IIRC, is that what would be needed would be a
persistent UserSessionModel/ClientSessionModel store. If an offline
token is requested, then the current UserSessionModel is cloned and
stored persistently and the client's accesstoken/refresh token
references this cloned persistent UserSession/ClientSession. Then you
don't have to have any special UI in the admin console to manage offline
sessions. These sessions would just have a flag showing if they are
offline or not.
I just don't like the idea at all of creating a completely parallel and
redundant model that is a near duplicate of UserSession/ClientSession.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
3:06 p.m.
Actually KEYCLOAK_IDENTITY cookie is persistent just for the configured
idle timeout (like 30 minutes). But for the offline token, I imagine we
want to support the scenario when user authenticates to his application
after a week of inactivity or so.
Here I meant the cookie will be on the application side, not on the KC
side. When user opens his browser and goes to
http://localhost:8080/customer-portal , the application (adapter) side
will read the offline token from the persistent cookie and then login
user based on that.
Marek
On 21/08/15 14:50, Bill Burke wrote:
On 8/21/2015 8:09 AM, Marek Posolda wrote:
> - Actually, for the frontend adapters (both server and keycloak.js ) I
> am thinking about adding the persistent cookie, which will be put on the
> application after successful login and is valid for the same time like
> the offline token (so couple of months). When browser is opened next
> time, the adapter will find the cookie and send the validation request
> to KC to check if offline token is still valid. This will allow the
> browser application to be logged with the same offline token for couple
> of months.
>
I don't understand why you need an offline token for browser
applications. We already support persistent cookies.
3:17 p.m.
----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: "Bill Burke" <bburke(a)redhat.com>, keycloak-dev(a)lists.jboss.org
Sent: Monday, 31 August, 2015 3:06:48 PM
Subject: Re: [keycloak-dev] Offline tokens
Actually KEYCLOAK_IDENTITY cookie is persistent just for the configured
idle timeout (like 30 minutes). But for the offline token, I imagine we
want to support the scenario when user authenticates to his application
after a week of inactivity or so.
You sure - is it not the SSO max lifespan?
Here I meant the cookie will be on the application side, not on the KC
side. When user opens his browser and goes to
http://localhost:8080/customer-portal , the application (adapter) side
will read the offline token from the persistent cookie and then login
user based on that.
The offline token is for a background process or server, so there shouldn't be a
persistent cookie. A example flow for a backup application could be:
1. User logs in to backup application
2. App redirects to KC login with scope=offline
3. Backup application stores the offline token in a database
4. Users logs out of KC SSO
5. Backup application now wants to execute a backup, it will then retrieve the offline
token from the database, send it to Keycloak to obtain an access token, then invoke the
data service
6. Users opens backup application again and clicks login
7. User is again presented with login screen (as the user isn't logged-in, even though
the backup application has offline access)
8. User is now logged-in to backup application and can change settings
Marek
On 21/08/15 14:50, Bill Burke wrote:
>
> On 8/21/2015 8:09 AM, Marek Posolda wrote:
>> - Actually, for the frontend adapters (both server and keycloak.js ) I
>> am thinking about adding the persistent cookie, which will be put on the
>> application after successful login and is valid for the same time like
>> the offline token (so couple of months). When browser is opened next
>> time, the adapter will find the cookie and send the validation request
>> to KC to check if offline token is still valid. This will allow the
>> browser application to be logged with the same offline token for couple
>> of months.
>>
> I don't understand why you need an offline token for browser
> applications. We already support persistent cookies.
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
3:34 p.m.
On 31/08/15 15:17, Stian Thorgersen wrote:
----- Original Message -----
> From: "Marek Posolda" <mposolda(a)redhat.com>
> To: "Bill Burke" <bburke(a)redhat.com>, keycloak-dev(a)lists.jboss.org
> Sent: Monday, 31 August, 2015 3:06:48 PM
> Subject: Re: [keycloak-dev] Offline tokens
>
> Actually KEYCLOAK_IDENTITY cookie is persistent just for the configured
> idle timeout (like 30 minutes). But for the offline token, I imagine we
> want to support the scenario when user authenticates to his application
> after a week of inactivity or so.
You sure - is it not the SSO max lifespan?
You're right. I failed to read the
code, 1st day after pto ;-)
> Here I meant the cookie will be on the application side, not on the KC
> side. When user opens his browser and goes to
> http://localhost:8080/customer-portal , the application (adapter) side
> will read the offline token from the persistent cookie and then login
> user based on that.
The offline token is for a background process or server, so there shouldn't be a
persistent cookie. A example flow for a backup application could be:
1. User logs in to backup application
2. App redirects to KC login with scope=offline
3. Backup application stores the offline token in a database
4. Users logs out of KC SSO
5. Backup application now wants to execute a backup, it will then retrieve the offline
token from the database, send it to Keycloak to obtain an access token, then invoke the
data service
6. Users opens backup application again and clicks login
7. User is again presented with login screen (as the user isn't logged-in, even
though the backup application has offline access)
8. User is now logged-in to backup application and can change settings
Ah, ok. So
SSO logout won't automatically invalidate offline token. User
would need to do it in account management.
Marek
> Marek
>
>
> On 21/08/15 14:50, Bill Burke wrote:
>> On 8/21/2015 8:09 AM, Marek Posolda wrote:
>>> - Actually, for the frontend adapters (both server and keycloak.js ) I
>>> am thinking about adding the persistent cookie, which will be put on the
>>> application after successful login and is valid for the same time like
>>> the offline token (so couple of months). When browser is opened next
>>> time, the adapter will find the cookie and send the validation request
>>> to KC to check if offline token is still valid. This will allow the
>>> browser application to be logged with the same offline token for couple
>>> of months.
>>>
>> I don't understand why you need an offline token for browser
>> applications. We already support persistent cookies.
>>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
11:38 a.m.
----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Friday, 21 August, 2015 2:09:31 PM
Subject: Re: [keycloak-dev] Offline tokens
On 21/08/15 13:30, Marek Posolda wrote:
> Some thoughts around offline tokens impl:
>
> - Client has switch "Allow offline tokens" . Offline token can be
> requested just if the switch is enabled
>
> - Offline token can be requested if parameter "scope=offline" is sent.
> Offline token is sent alone, no IDToken or refreshToken is sent together
> with it.
> Question: Should be offline tokens available just for
> ResourceOwnerPasswordCredentials and ServiceAccounts or also for classic
> web based authorization code flow?
>
> - There are methods on UserModel to track which offline tokens were
> issued for particular user. Like:
>
> List<String> getOfflineTokens();
> void addOfflineToken(String offlineToken);
> void removeOfflineToken(String offlineToken);
>
> - Offline token will never expire. Or should we eventually add another
> timeout for offline token (With some big default value like 1 month or so)?
>
> - Offline token is not refreshable.
>
> - Offline token can be validated by current OIDC endpoint for token
> validation. Offline token is not valid if UserModel doesn't have token
> anymore on it. But offline token is still valid even if corresponding
> UserSession doesn't exist. So we can still have offline tokens valid for
> 1 year even if SsoSessionMaxLifespan is just 10 hours.
>
> - Offline token can be logged out. Logout will remove offline token from
> corresponding UserModel.
>
> - In Account management applications page can user see list of offline
> tokens issued for individual clients and he can revoke them. Not sure if
> put another "Revoke offline token" or use current "Revoke grant"
action,
> which will revoke both consents and offline tokens?
>
> - Admin can see the offline tokens for user in admin console and can
> revoke them too . Current button "Logout All" in sessions tab will
> revoke offline tokens from all users . For performance reasons, we may
> need method on UserProvider, so it's possible to clean whole DB table
> "OFFLINE_TOKEN" (similarly for mongo) instead of iterating through all
> users.
>
> - For adapters, we should likely have an option, so the REST endpoint
> adapter has possibility to validate offline token by always sending
> validation request to KC server. We didn't need it for access tokens,
> which are valid just for 1 minute or so, but offline tokens are long
> lived so adapter should have this possibility IMO.
- Actually, for the frontend adapters (both server and keycloak.js ) I
am thinking about adding the persistent cookie, which will be put on the
application after successful login and is valid for the same time like
the offline token (so couple of months). When browser is opened next
time, the adapter will find the cookie and send the validation request
to KC to check if offline token is still valid. This will allow the
browser application to be logged with the same offline token for couple
of months.
I also wonder if we should put the IP address checking when validating
offline token (Offline token is valid just if validation request come
from same address like the original request) ?
JS adapters shouldn't use offline tokens. Offline tokens are to give servers permanent
offline access to a users account. Only confidential clients should be able to use this.
Mare
>
> WDYT?
>
> Marek
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
2:15 p.m.
Hi Marek - My two cents on this:
1) Offline tokens can be long lived but must have a way of revoking them. If they are
requested by users (see the openid connect spec below), the life should be of shorter
duration (a week?) but if they are requested by clients then they can be of much longer
duration (upto a year) but there should be a mechanism to refresh/revoke.
http://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
Thanks,Raghu
From: Marek Posolda <mposolda(a)redhat.com>
To: "keycloak-dev(a)lists.jboss.org" <keycloak-dev(a)lists.jboss.org>
Sent: Friday, August 21, 2015 7:30 AM
Subject: [keycloak-dev] Offline tokens
Some thoughts around offline tokens impl:
- Client has switch "Allow offline tokens" . Offline token can be
requested just if the switch is enabled
- Offline token can be requested if parameter "scope=offline" is sent.
Offline token is sent alone, no IDToken or refreshToken is sent together
with it.
Question: Should be offline tokens available just for
ResourceOwnerPasswordCredentials and ServiceAccounts or also for classic
web based authorization code flow?
- There are methods on UserModel to track which offline tokens were
issued for particular user. Like:
List<String> getOfflineTokens();
void addOfflineToken(String offlineToken);
void removeOfflineToken(String offlineToken);
- Offline token will never expire. Or should we eventually add another
timeout for offline token (With some big default value like 1 month or so)?
- Offline token is not refreshable.
- Offline token can be validated by current OIDC endpoint for token
validation. Offline token is not valid if UserModel doesn't have token
anymore on it. But offline token is still valid even if corresponding
UserSession doesn't exist. So we can still have offline tokens valid for
1 year even if SsoSessionMaxLifespan is just 10 hours.
- Offline token can be logged out. Logout will remove offline token from
corresponding UserModel.
- In Account management applications page can user see list of offline
tokens issued for individual clients and he can revoke them. Not sure if
put another "Revoke offline token" or use current "Revoke grant"
action,
which will revoke both consents and offline tokens?
- Admin can see the offline tokens for user in admin console and can
revoke them too . Current button "Logout All" in sessions tab will
revoke offline tokens from all users . For performance reasons, we may
need method on UserProvider, so it's possible to clean whole DB table
"OFFLINE_TOKEN" (similarly for mongo) instead of iterating through all
users.
- For adapters, we should likely have an option, so the REST endpoint
adapter has possibility to validate offline token by always sending
validation request to KC server. We didn't need it for access tokens,
which are valid just for 1 minute or so, but offline tokens are long
lived so adapter should have this possibility IMO.
WDYT?
Marek
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
2:27 p.m.
Marek,
On 08/21/2015 01:30 PM, Marek Posolda wrote:
- Offline token can be requested if parameter
"scope=offline" is sent.
Offline token is sent alone, no IDToken or refreshToken is sent together
with it.
Question: Should be offline tokens available just for
ResourceOwnerPasswordCredentials and ServiceAccounts or also for classic
web based authorization code flow?
Not quite sure what ResourceOwnerPasswordCredentials is (is it something
new?), but I think that having the possibility of requesting an offline
token based on a bearer token is desirable. In my case, I intend to have
a "token exchange proxy", where the end user would create API keys for
the agent. This API key is an UUID, that relates to a token that I'd
store in Hawkular's backend. Whenever I get this token, I retrieve the
offline token and use it for backend operations, as if the user were online.
This means: I don't intend to have access to the user's password at any
point when creating or sending offline tokens.
- Offline token will never expire. Or should we eventually add
another
timeout for offline token (With some big default value like 1 month or so)?
It should never expire. Or at most, there should be a setting for the
realm/client that would allow the offline token to never expire. It can,
however, be revoked.
- Offline token can be validated by current OIDC endpoint for token
validation. Offline token is not valid if UserModel doesn't have token
anymore on it. But offline token is still valid even if corresponding
UserSession doesn't exist. So we can still have offline tokens valid for
1 year even if SsoSessionMaxLifespan is just 10 hours.
+1
- Offline token can be logged out. Logout will remove offline token
from
corresponding UserModel.
I guess this is the revoked part I mentioned above, right?
- In Account management applications page can user see list of
offline
tokens issued for individual clients and he can revoke them. Not sure if
put another "Revoke offline token" or use current "Revoke grant"
action,
which will revoke both consents and offline tokens?
Not sure what would be the difference there. The consent is linked to
the client, while the offline token would be a session, right? If so,
I'd revoke only the token itself.
- Admin can see the offline tokens for user in admin console and can
revoke them too . Current button "Logout All" in sessions tab will
revoke offline tokens from all users . For performance reasons, we may
need method on UserProvider, so it's possible to clean whole DB table
"OFFLINE_TOKEN" (similarly for mongo) instead of iterating through all
users.
+1
- For adapters, we should likely have an option, so the REST
endpoint
adapter has possibility to validate offline token by always sending
validation request to KC server. We didn't need it for access tokens,
which are valid just for 1 minute or so, but offline tokens are long
lived so adapter should have this possibility IMO.
+1
- Juca.
2:32 p.m.
On Fri, Aug 21, 2015 at 3:27 PM, Juraci Paixão Kröhling <juraci(a)kroehling.de
wrote:
> - Offline token will never expire. Or should we eventually add
another
> timeout for offline token (With some big default value like 1 month or
so)?
It should never expire. Or at most, there should be a setting for the
realm/client that would allow the offline token to never expire. It can,
however, be revoked.
+1 from me too, or at least it should be possible to use NEVER in the
timeout configuration.
Best regards,
Thomas
5:37 p.m.
Hi Juca,
On 21/08/15 14:27, Juraci Paixão Kröhling wrote:
Marek,
On 08/21/2015 01:30 PM, Marek Posolda wrote:
> - Offline token can be requested if parameter "scope=offline" is sent.
> Offline token is sent alone, no IDToken or refreshToken is sent together
> with it.
> Question: Should be offline tokens available just for
> ResourceOwnerPasswordCredentials and ServiceAccounts or also for classic
> web based authorization code flow?
Not quite sure what ResourceOwnerPasswordCredentials is (is it something
new?),
It's just different name for "Direct access grant" which you
are already
aware I guess :-)
See docs
http://keycloak.github.io/docs/userguide/html/direct-access-grants.html
. Actually "Resource owner password credentials" is the term used by
OAuth2 specs, but we used the term "Direct access grant" for some reason...
but I think that having the possibility of requesting an offline
token based on a bearer token is desirable. In my case, I intend to have
a "token exchange proxy", where the end user would create API keys for
the agent. This API key is an UUID, that relates to a token that I'd
store in Hawkular's backend. Whenever I get this token, I retrieve the
offline token and use it for backend operations, as if the user were online.
This means: I don't intend to have access to the user's password at any
point when creating or sending offline tokens.
Actually it will likely work in a
way, that offline token is "special"
refresh token, which will never expire. So when you login with the user,
you will receive offline token instead of classic refresh token. You can
then store this offline token itself in your DB and use it later (next
day or so) to obtain access token, which would then be possible to use
against REST services.
So the condition "I don't intend to have access to the user's password
at any point when creating or sending offline tokens." will be met.
Marek
> - Offline token will never expire. Or should we eventually add another
> timeout for offline token (With some big default value like 1 month or so)?
It should never expire. Or at most, there should be a setting for the
realm/client that would allow the offline token to never expire. It can,
however, be revoked.
> - Offline token can be validated by current OIDC endpoint for token
> validation. Offline token is not valid if UserModel doesn't have token
> anymore on it. But offline token is still valid even if corresponding
> UserSession doesn't exist. So we can still have offline tokens valid for
> 1 year even if SsoSessionMaxLifespan is just 10 hours.
+1
> - Offline token can be logged out. Logout will remove offline token from
> corresponding UserModel.
I guess this is the revoked part I mentioned above, right?
> - In Account management applications page can user see list of offline
> tokens issued for individual clients and he can revoke them. Not sure if
> put another "Revoke offline token" or use current "Revoke grant"
action,
> which will revoke both consents and offline tokens?
Not sure what would be the difference there. The consent is linked to
the client, while the offline token would be a session, right? If so,
I'd revoke only the token itself.
> - Admin can see the offline tokens for user in admin console and can
> revoke them too . Current button "Logout All" in sessions tab will
> revoke offline tokens from all users . For performance reasons, we may
> need method on UserProvider, so it's possible to clean whole DB table
> "OFFLINE_TOKEN" (similarly for mongo) instead of iterating through all
> users.
+1
> - For adapters, we should likely have an option, so the REST endpoint
> adapter has possibility to validate offline token by always sending
> validation request to KC server. We didn't need it for access tokens,
> which are valid just for 1 minute or so, but offline tokens are long
> lived so adapter should have this possibility IMO.
+1
- Juca.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
11:37 a.m.
----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Friday, 21 August, 2015 1:30:16 PM
Subject: [keycloak-dev] Offline tokens
Some thoughts around offline tokens impl:
- Client has switch "Allow offline tokens" . Offline token can be
requested just if the switch is enabled
- Offline token can be requested if parameter "scope=offline" is sent.
Offline token is sent alone, no IDToken or refreshToken is sent together
with it.
Question: Should be offline tokens available just for
ResourceOwnerPasswordCredentials and ServiceAccounts or also for classic
web based authorization code flow?
An offline token is just a refresh token, but without any expiration. For an offline token
the response should be exactly the same as a non-offline token, except the refresh token
has no expiration time.
- There are methods on UserModel to track which offline tokens were
issued for particular user. Like:
List<String> getOfflineTokens();
void addOfflineToken(String offlineToken);
void removeOfflineToken(String offlineToken);
- Offline token will never expire. Or should we eventually add another
timeout for offline token (With some big default value like 1 month or so)?
Shouldn't expire, it's a permanent access until manually revoked
- Offline token is not refreshable.
Not sure what you mean, but a offline token is a refresh token without expiration. An
offline token should never be sent to a service, instead it should be used to obtain an
access token.
- Offline token can be validated by current OIDC endpoint for token
validation. Offline token is not valid if UserModel doesn't have token
anymore on it. But offline token is still valid even if corresponding
UserSession doesn't exist. So we can still have offline tokens valid for
1 year even if SsoSessionMaxLifespan is just 10 hours.
OIDC endpoint for token validation validates an access token, not the refresh token. So I
don't think it should be possible to validate it.
- Offline token can be logged out. Logout will remove offline token from
corresponding UserModel.
Not sure what this means - an offline token can be revoked by a user. There's no log
out as such.
- In Account management applications page can user see list of offline
tokens issued for individual clients and he can revoke them. Not sure if
put another "Revoke offline token" or use current "Revoke grant"
action,
which will revoke both consents and offline tokens?
Each application should have a list of what access it has. Where offline access is one of
the "permissions" the app has. Each application should have a single button
"Revoke application access", which removes grants as well as invalidates all
offline tokens.
- Admin can see the offline tokens for user in admin console and can
revoke them too . Current button "Logout All" in sessions tab will
revoke offline tokens from all users . For performance reasons, we may
need method on UserProvider, so it's possible to clean whole DB table
"OFFLINE_TOKEN" (similarly for mongo) instead of iterating through all
users.
"Logout All" in sessions tabs should not revoke offline tokens.
- For adapters, we should likely have an option, so the REST endpoint
adapter has possibility to validate offline token by always sending
validation request to KC server. We didn't need it for access tokens,
which are valid just for 1 minute or so, but offline tokens are long
lived so adapter should have this possibility IMO.
Again, offline tokens should not be sent to services. Instead they should send access
tokens that are obtained from an offline token.
WDYT?
Marek
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
3154
days inactive
3164
days old
12 comments
6 participants
participants (6)
-
Bill Burke -
Juraci Paixão Kröhling -
Marek Posolda -
Raghu Prabhala -
Stian Thorgersen -
Thomas Raehalme