You can obtain tokens from a non-browser client. We have two types:

* session-based tokens: These are associated with an in-memory
  (cluster-aware) session and have a short expiration (minutes), but can
  be refreshed with a refresh token. These sessions can be closed
  automatically if they are idle too long.
* offline tokens: They are persisted and have much longer expiration
  times. They do have timeouts, but these times are generally much longer.

On 10/30/2015 10:36 AM, Pål Orby wrote:
Saw your session at JavaZone, so thought we could give KC a try :-)
Our web application is split on two; frontend (HTML5/Javascript) and our
backend (REST lv. 3 developed in Java, currently running inside Tomcat).
Our frontend is just a consumer of our backend API (just like any other
client), and I've successfully configured KC to use
openid-connect/public for our frontend with keycloak.js, and
openid-connect/bearer-only for our backend (API) in our test environment
(sending the Authorization header with Bearer and keycloak.token to
backend when doing ajax requests). This works as expected. Even written
our own federation doing password validation from our user database.
But a lot of our customers have integrated their applications to our
backend API (doing REST calls for issuing invoices, etc.).
Most other services that provide you with an API offer tokens that can
be used for identification and authentication. And as far as I can see,
these are offline tokens in KC.
So we want to have our users log in to our service with their browser,
go to our "API key page" and create a new token to be used by the
integrations (moving away from Basic auth).
I've created an offline token by hitting a keycloak protected html file
and requested a resource with parameter ?scope=offline_access. I do see
KC gives me a value back:
http://localhost/keycloak.html?scope=offline_access&code=HU5UkZ_EbNUj...
But there is no way I can use this for anything (and in KC it seems to
be bound to our frontend application).
Why can't I use the admin rest api to say something like: give me an
offline token for this user for this app?
/Pål
2015-10-30 15:06 GMT+01:00 Stian Thorgersen <sthorger(a)redhat.com>:
Hi there,
Nice to see fellow Norwegians are using Keycloak :)
For offline tokens the idea is that you'd have a frontend app
(server or client, whichever floats your boat) that can bootstrap
the offline token.
Not sure offline tokens are quite what you need though - can you
elaborate a bit on your use case?
On 30 October 2015 at 13:51, Pål Orby <orby(a)sendregning.no> wrote:
We have two clients registered in our realm; frontend and
backend. Frontend is defined openid-connect/public
(HTML/Javascript app) and backend is openid-connect/bearer-only.
How can we generate an offline token for a given user that can
be used towards our backend (which is bearer only)?
We have a lot of customers that are integrated to our API (which
is our backend client).
Pål Orby
UNIT4 Agresso AS
DevOps
Tel: 22 58 85 00
Mobile: 900 91 705
SendRegning - Make it simple!
http://www.sendregning.no
http://facebook.com/sendregning
http://twitter.com/sendregning
http://faktura.no
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
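
An added example, not part of the original thread and not Keycloak project code: how a non-browser integration would use a stored offline token to fetch a short-lived access token and call the bearer-only backend. The server URL, realm name, token endpoint path and sample responses are assumptions; `frontend` is the public client named in the thread.

```python
import json
import time
import urllib.parse
import urllib.request

# Assumed values, not from the thread: server URL and realm name.
BASE_URL = "https://sso.example.test/auth"
REALM = "demo"


class TokenError(Exception):
    """The server refused the grant (e.g. offline token revoked or timed out)."""


def build_refresh_request(offline_token, client_id="frontend"):
    """POST for the standard OAuth2 refresh_token grant.

    client_id must be the client the offline token was issued to; for a
    public client no client secret is sent.
    """
    url = f"{BASE_URL}/realms/{REALM}/protocol/openid-connect/token"
    form = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "refresh_token": offline_token,
        "client_id": client_id,
    }).encode()
    return urllib.request.Request(url, data=form, method="POST")


def parse_token_response(body, now=None):
    """Return (access_token, absolute_expiry) or raise TokenError."""
    doc = json.loads(body)
    if "error" in doc:
        raise TokenError(f"{doc['error']}: {doc.get('error_description', '')}")
    now = time.time() if now is None else now
    # Renew 30 s early so a request never goes out with a token about to lapse.
    return doc["access_token"], now + int(doc["expires_in"]) - 30


def api_headers(access_token):
    """Headers for a call to the bearer-only backend."""
    return {"Authorization": f"Bearer {access_token}"}


# Constructed sample responses (shape per the OAuth2 spec; values are made up).
SAMPLE_OK = '{"access_token": "eyJ.sample.access", "expires_in": 300, "token_type": "bearer"}'
SAMPLE_REVOKED = '{"error": "invalid_grant", "error_description": "constructed sample"}'

if __name__ == "__main__":
    req = build_refresh_request("eyJ.sample.offline")
    print(req.get_method(), req.full_url)
    token, expiry = parse_token_response(SAMPLE_OK, now=1000)
    print(api_headers(token), expiry)
```

The offline token is a long-lived credential, so the integration should store it like a password and treat an `invalid_grant` response as the signal that the user must issue a new one.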