I'm facing a similar problem like Haim Vana. I need offline access to
External IDP (Google). I meant, I need to read user's inbox in offline mode
(using external token), but the problem is that the token stored on
Keycloak is just access_token and there is no refresh_token and because of
that is not possible to get a new access_token from google without login
again.
I was searching a title about this and I found this message
explains a title
about the problem.*
*In general, is there a way to have offline access to external IDP? How
would I face this problem? please help me. *
On Mon, Sep 19, 2016 at 5:27 AM, Haim Vana <haimv(a)perfectomobile.com> wrote:
Hi,
I have combined the offline-access and the saml-broker-authentication
examples in order to create demo for generating offline tokens.
It works as expected with External IDP however when the user is already
logged in the offline token is not generated - a regular token is generated
instead.
Any idea if it as designed or am I doing something wrong ? if it is by
design is there any work around to generate the External IDP offline token
without user logout ?
Thanks,
Haim.
*From:* Stian Thorgersen [mailto:sthorger@redhat.com]
*Sent:* Tuesday, August 16, 2016 12:09 PM
*To:* Haim Vana <haimv(a)perfectomobile.com>
*Cc:* keycloak-user(a)lists.jboss.org
*Subject:* Re: [keycloak-user] Offline tokens with external IDP
On 16 August 2016 at 10:11, Haim Vana <haimv(a)perfectomobile.com> wrote:
Hi Stian,
Thanks for your answer.
What I meant to ask is how to create offline token for external IDP, I
wasn't able to it with REST API (I am able to it if it's not external IDP).
The only way I managed to do it was when adding offline_access to the UI
login page, so for external IDP – is it the only way ? REST API is not
supported ?
Login page is the only way for external IdPs.
Assuming it's the only way I thought to create external UI service for the
user to log in and get his offline token.
What do you think about such solution ? also if the user will be already
logged in – do you know if the offline token will be created ? or the will
have to logout and login again…
Depends on what your script is implemented in it can also start a web
server on localhost, then popup the browser window to do the login and
finally it'll get the code and can get the offline token directly itself.
Take a look at our customer-app-cli example. It doesn't do offline token,
but would be trivial to change it to do that instead.
Thanks,
Haim.
*From:* Stian Thorgersen [mailto:sthorger@redhat.com]
*Sent:* Tuesday, August 16, 2016 10:52 AM
*To:* Haim Vana <haimv(a)perfectomobile.com>
*Cc:* keycloak-user(a)lists.jboss.org
*Subject:* Re: [keycloak-user] Offline tokens with external IDP
On 25 July 2016 at 09:01, Haim Vana <haimv(a)perfectomobile.com> wrote:
Hi,
We are using KeyCloak for a several weeks now, one of the flows is user
script authentication with offline token:
1. The user log in to the UI
2. Generates offline token by entering his password again
3. Put the offline token in his script
4. Executes the script
Now we want to add external IDP support, first is it possible to generate
offline tokens for extremal IDP in KeyCloak ? if so how ?
Assuming you're using the Keycloak login screen it's just a matter of
configuring the external IdP as an identity broker provider and it will be
displayed as an option on the login screen.
Second in section #2 above the user enters his password to generate the
offline token, with external IDP we can’t use his password, one alternative
is to always generate the offline token in the login (add offline_access),
however is it make sense to create offline token for every login ?
You shouldn't create offline token for every login, just once for a new
user or once offline token is no longer valid.
Thanks,
Haim.
The information contained in this message is proprietary to the sender,
protected from disclosure, and may be privileged. The information is
intended to be conveyed only to the designated recipient(s) of the message.
If the reader of this message is not the intended recipient, you are hereby
notified that any dissemination, use, distribution or copying of this
communication is strictly prohibited and may be unlawful. If you have
received this communication in error, please notify us immediately by
replying to the message and deleting it from your computer. Thank you.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
<
https://emea01.safelinks.protection.outlook.com/?url=https%3a%2f%2flists....
The information contained in this message is proprietary to the sender,
protected from disclosure, and may be privileged. The information is
intended to be conveyed only to the designated recipient(s) of the message.
If the reader of this message is not the intended recipient, you are hereby
notified that any dissemination, use, distribution or copying of this
communication is strictly prohibited and may be unlawful. If you have
received this communication in error, please notify us immediately by
replying to the message and deleting it from your computer. Thank you.
The information contained in this message is proprietary to the sender,
protected from disclosure, and may be privileged. The information is
intended to be conveyed only to the designated recipient(s) of the message.
If the reader of this message is not the intended recipient, you are hereby
notified that any dissemination, use, distribution or copying of this
communication is strictly prohibited and may be unlawful. If you have
received this communication in error, please notify us immediately by
replying to the message and deleting it from your computer. Thank you.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Carlos E. Feria Vila