Re: [keycloak-user] Refresh token - should it expire?
----- Original Message -----
From: "Juraci Paixão Kröhling" <juraci(a)kroehling.de>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org
Sent: Tuesday, 23 June, 2015 5:12:14 PM
Subject: Re: [keycloak-user] Refresh token - should it expire?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 06/23/2015 04:50 PM, Stian Thorgersen wrote:
> In the mean time you can set a high level for the sso expiration.
That would work for now, but note that if an user logs out or if the
session expires for some reason, the token is automatically deemed as
expired as well (invalid_grant, actually). So, it's not about the
token expiration itself, but about the session expiration:
http://git.io/vLAtF
Indeed that's the intent. All non-offline tokens are linked to the current users
session.
> When do you need to have a proper offline token?
Tough question :-) I'd say that we'd absolutely need this by
September/October, but of course, the sooner the better as it touches
an important part of the system.
We'll try to get it in for 1.5 - which should be end of August.
- - Juca.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJViXdOAAoJEDnJtskdmzLMNgEH/jfdVPJQyljkIbbxUlcxo3H3
9RBqzPtpb8142Ts6eJR1lwPg82KEjtycVjGuwggkJINPolhtgVploZPH9bKe7kiN
7GFAEPhT9FPSKUv09oIR1zz0hl9vu9G/Qv35UmWue1JCzTPtRlUYx9cYBS/Ze4Ps
+Y/tXgVbLwrx/y2xOVpAEH2giPuGP9VYYWNMCF3vnzISnLjhaEwEK91vHrfwWKEY
0+KAq7NDO40049FeFAMwsZ1AzlX+CoK54NdR1q7YQ8kAH88bweA8J/NnM6dySaTN
Omf6EsxJMWLMXA4Yya5r8ls+K0ZeyJrQqEw01qrTtpu8q1wp1rfrIk8zjknNZ1I=
=G+Um
-----END PGP SIGNATURE-----