Hi Marek,
Apologies for the delayed reply. The examples work! It turns out it was
an error with how I was defining and encoding the scope. The
difference between
scope=['openid', 'offline_access']
and
scope='openid offline_access'
What was/is a problem was that the first scope declaration was valid and an
access token was granted.
In any case, thank you again for helping me debug my error.
--Ben
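As an added illustration (not code from the thread), here is how the two scope forms above encode into an OAuth 2.0 authorization request, and why only the space-delimited string actually asks the server for offline_access; the endpoint, client_id and redirect_uri are constructed placeholders.

```python
# Added example, not code from the thread: how the two scope forms encode
# into an OAuth 2.0 authorization request, and why only the space-delimited
# string form asks the server for offline_access.
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholder values, not a real deployment.
AUTH_ENDPOINT = "https://sso.example.test/auth/realms/myrealm/protocol/openid-connect/auth"
CLIENT_ID = "app2"
REDIRECT_URI = "https://app2.example.test/callback"


def build_auth_url(scope, doseq=False):
    """Build an authorization-code request URL, passing `scope` through as given.

    doseq=True is what some client libraries do with a list: it emits the
    parameter once per element (scope=openid&scope=offline_access).
    """
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
    }
    return AUTH_ENDPOINT + "?" + urlencode(params, doseq=doseq)


def requested_scopes(url):
    """Return the scope tokens as an authorization server would see them.

    RFC 6749 section 3.3 defines scope as a single parameter whose value is a
    space-delimited list. A repeated parameter is not that form, and a
    stringified Python list "['openid', 'offline_access']" splits into junk.
    """
    values = parse_qs(urlsplit(url).query).get("scope", [])
    if len(values) != 1:
        return []
    return values[0].split()


def requests_offline_access(scope, doseq=False):
    """True only when the request is in the form an authorization server recognises."""
    return "offline_access" in requested_scopes(build_auth_url(scope, doseq))
```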
On Wed, Mar 29, 2017 at 12:50 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
Do you have a chance to try the example I pointed to and see if it works as
expected?
Marek
On 29/03/17 21:13, Benjamin Zaitlen wrote:
Hi Marek,
Thanks for the response. I am saving the token for APP2. The behavior
I'm observing is that after the SSO Logout, the offline token access is
revoked, and the previously saved token is no longer valid. Perhaps I'm
doing something incorrectly. This is also on 2.5.X
--Ben
On Wed, Mar 29, 2017 at 1:28 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
> On 29/03/17 13:43, Benjamin Zaitlen wrote:
>
>> Any thoughts on this?
>>
>> --Ben
>>
>> On Fri, Mar 24, 2017 at 5:20 PM, Benjamin Zaitlen <quasiben(a)gmail.com> wrote:
>>
>>> Hi All,
>>>
>>> I'm having some trouble with sessions, clients, and offline access
>>> tokens. Let's say I have a client (APP 1) and I've logged in with OIDC. I
>>> now have a refresh_token and session for APP 1. Using the auth code flow I
>>> can generate an offline_access token (refresh_token) for a second client:
>>> APP 2. When I look in realms/myrealm/account/sessions, I see one
>>> session but two clients. At first I thought, great! I was able to get the
>>> auth code flow working and I generated a refresh token for a second
>>> client.
>>>
>>> But then disaster set in, when I logged out of the APP 1 client with the
>>> URL: protocol/openid-connect/logout. I was logged out of the session which
>>> included the second client and thus the offline access token for APP 2
>>> was effectively revoked.
>>>
>>> I've seen a handful of JIRAs related to offline access tokens and logouts
>>> but I think they don't quite cover this use case. I have two questions:
>>>
>>> 1. Is it possible, using the auth code flow, to generate a refresh token
>>> in a separate session? That is, can APP 1 generate an offline_access token
>>> for APP 2 in a separate session without re-authenticating?
>>>
> Once you have logged in to your APP 2, you have both an online session, which is
> part of SSO login (hence you are able to browse APP 2 with your browser)
> and an offline session. After login to APP 2, you need to somehow save your
> offline token for later use, which is the responsibility of your APP 2.
>
> SSO logout will clear your browser session, but the offline token will
> still be valid and can be used for further refreshes. The offline token will also
> survive a server restart.
>
> You can take a look at the example in the keycloak-examples distribution
> under "preconfigured-demo/offline-access-app", which also does logout
> of the browser session (or server restart), but the offline token is still valid.
>
>>
>>> 2. Can I logout a specific client for a session by passing additional
>>> parameters in the logout URL ?
>>>
> Nope, logout is always a global SSO logout as it clears the userSession on
> the Keycloak side. Assume that when the "global" userSession is not
> cleared, then the single logged-out client will still always be able to
> login anytime due to the SSO session, hence logout would be a bit pointless
> though?
>
> Marek
>
>>
>>> Thanks,
>>> --Ben
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user