Offline tokens should really only be used when it's possible to securely
store the token. Web applications and local storage are not the most
secure. I would certainly consider carefully what scope you provide in the
token to make sure it's not used for sensitive operations.
It also means that users would have to log out separately from the web app.
It's no longer covered by things like remember me, remote logout, etc.
You're providing a permanent "login" to a web app, which the user then has to
know to log out of separately.
The devil is in the details though. For some web apps it may make sense, but
I'd be careful before going down that path.
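As an added example (not code from this thread or from Keycloak), here is a browser-side guard in the spirit of the advice above: before persisting a token in web storage, decode its claims and refuse anything that is an offline token or outlives a short policy window. It assumes Keycloak marks refresh tokens with `typ: "Refresh"` and offline tokens with `typ: "Offline"` and that offline tokens are requested through the `offline_access` scope; the sample tokens are constructed and unsigned.

```javascript
// Added example: decide whether a token received in the browser is
// acceptable to keep in web storage. Not Keycloak's code; the typ values
// "Refresh"/"Offline" and the "offline_access" scope are assumptions.

const MAX_BROWSER_LIFETIME_SECONDS = 30 * 60; // policy knob, chosen arbitrarily here

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  // base64url -> base64, then pad to a multiple of 4 before decoding
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

function assessForWebStorage(token, nowSeconds) {
  const claims = decodeJwtPayload(token);
  const reasons = [];
  const scopes = typeof claims.scope === 'string' ? claims.scope.split(' ') : [];
  if (claims.typ === 'Offline' || scopes.includes('offline_access')) {
    reasons.push('offline token: outlives the SSO session and is not ended by logout');
  }
  if (typeof claims.exp !== 'number' || claims.exp === 0) {
    // exp of 0 is treated like a missing exp (assumed: "no expiry")
    reasons.push('no usable exp claim');
  } else if (claims.exp - nowSeconds > MAX_BROWSER_LIFETIME_SECONDS) {
    reasons.push(`lifetime ${claims.exp - nowSeconds}s exceeds policy`);
  }
  return { ok: reasons.length === 0, typ: claims.typ, reasons };
}

// Constructed sample tokens (unsigned; the signature segment is a placeholder).
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.sig`;
}

const NOW = 1486000000; // constructed "current time" in seconds
const SHORT_REFRESH = makeSampleToken({ typ: 'Refresh', exp: NOW + 15 * 60, scope: 'openid profile' });
const OFFLINE = makeSampleToken({ typ: 'Offline', exp: NOW + 30 * 24 * 3600, scope: 'openid offline_access' });

console.log(assessForWebStorage(SHORT_REFRESH, NOW));
console.log(assessForWebStorage(OFFLINE, NOW));
```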
On 6 February 2017 at 12:01, David Delbecq <david_delbecq(a)trimble.com>
wrote:
Could you elaborate on why this is a bad idea? This seems to be dedicated
to the kind of request I have: getting a refresh token valid for a long
period, while keeping regular clients with shorter refresh tokens.
On Fri, Feb 3, 2017 at 9:35 AM Stian Thorgersen <sthorger(a)redhat.com>
wrote:
> It's all controlled by the session and there is no way to get tokens that
> work for longer. Issuing offline tokens to a web application would be a
> really bad idea. If you want users to remain authenticated set the idle to
> a higher value. That's it.
>
> On 25 January 2017 at 15:09, David Delbecq <david_delbecq(a)trimble.com>
> wrote:
>
> Hello,
>
> we have a javascript web application we are migrating to keycloak. I am not
> sure what the recommendations are on setting up configuration for that
> client with the following requirements:
>
> Once the user triggers the "login" and gets keycloak authenticated, we should
> get a bearer token to use later on REST services.
> The user should not be asked to log in again unless he logs out, even
> if he closes his browser. So we need a way to keep or replace the token on a
> regular basis. Is there some keycloak REST service we can poll on a regular
> basis for this?
> Sometimes the user goes "off grid" (no network communication) for several
> hours. How can we ensure we still stay logged in?
>
> My first idea was to just increase the SSO timeout and token validity to 30
> days. But it seems like a bad idea from my reading of the keycloak
> documentation. So I tried to use an offline token instead, but it seems the
> implicit flow doesn't allow you to get an offline token. All tokens I get
> after login are marked as expiring within 15 minutes.
>
> What's the recommended way to get a long lived refresh token using the
> implicit flow?
>
> --
> <http://www.trimble.com/>
>
> David Delbecq
> Software engineer, Transport & Logistics
> Geldenaaksebaan 329, 1st floor | 3001 Leuven
>
> +32 16 391 121 Direct
> david.delbecq(a)trimbletl.com
> <http://www.trimbletl.com/>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>