Do you have a chance to try the example I pointed to and see if it works as expected?
Marek
On 29/03/17 21:13, Benjamin Zaitlen wrote:
Hi Marek,
Thanks for the response. I am saving the token for APP2. The behavior I'm observing is that after the SSO Logout, the offline token access is revoked, and the previously saved token is no longer valid. Perhaps I'm doing something incorrectly. This is also on 2.5.X
--Ben
On Wed, Mar 29, 2017 at 1:28 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
On 29/03/17 13:43, Benjamin Zaitlen wrote:
Any thoughts on this?
--Ben
On Fri, Mar 24, 2017 at 5:20 PM, Benjamin Zaitlen <quasiben(a)gmail.com> wrote:
Hi All,
I'm having some trouble with sessions, clients, and offline access tokens. Let's say I have a client (APP 1) and I've logged in with OIDC. I now have a refresh_token and session for APP 1. Using the auth code flow I can generate an offline_access token (refresh_token) for a second client: APP 2. When I look in *realms/myrealm/account/sessions*, I see one session but two clients. At first I thought, great! I was able to get the auth code flow working and I generated a refresh token for a second client.
But then disaster set in, when I logged out of the APP 1 client with the URL: *protocol/openid-connect/logout*. I was logged out of the session which included the *second client* and thus the offline access token for APP 2 was effectively revoked.
I've seen a handful of JIRAs related to offline access tokens and logouts but I think they don't quite cover this use case. I have two questions:
1. Is it possible, using the auth code flow, to generate a refresh token in a separate session? That is, can APP 1 generate an offline_access token for APP 2 in a separate session without re-authenticating?
Once you have logged in to your APP 2, you have both an online session, which is part of the SSO login (hence you are able to browse APP 2 with your browser), and an offline session. After login to APP 2, you need to somehow save your offline token for later use, which is the responsibility of your APP 2.
SSO logout will clear your browser session, but the offline token will still be valid and can be used for further refreshes. The offline token will also survive a server restart.
You can take a look at the example in the keycloak-examples distribution under "preconfigured-demo/offline-access-app", which also does logout of the browser session (or server restart), but the offline token is still valid.
2. Can I logout a specific client for a session by passing additional parameters in the logout URL?
Nope, logout is always a global SSO logout as it clears the userSession on the Keycloak side. Assume that when the "global" userSession is not cleared, then the single logged-out client will still always be able to login anytime due to the SSO session, hence logout would be a bit pointless though?
Marek
Thanks,
--Ben
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
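As an added example (not code from the thread, the keycloak-examples distribution, or Keycloak itself), here is a local diagnostic for the situation Ben describes: it decodes a saved refresh token without verifying the signature and reports whether it is an offline token, the kind Marek says survives SSO logout, or an ordinary refresh token, which lives and dies with the SSO session. The `typ` values "Offline" and "Refresh" are the claim values Keycloak sets on its refresh tokens; the two sample tokens are constructed, unsigned JWTs and the client and session ids in them are made up.

```python
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def inspect_refresh_token(token: str, now=None) -> dict:
    """Classify a saved Keycloak refresh token WITHOUT verifying its signature.

    Local inspection only: a token that parses as an offline token may still
    have been revoked server-side (e.g. via the account console), so the
    authoritative check remains a refresh call against the token endpoint.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    claims = json.loads(_b64url_decode(parts[1]))
    now = int(time.time()) if now is None else now
    typ = claims.get("typ")
    exp = claims.get("exp")
    return {
        "typ": typ,
        "client": claims.get("azp"),
        "session_state": claims.get("session_state"),
        # Keycloak marks offline tokens with typ "Offline"; an ordinary
        # refresh token carries typ "Refresh" and is bound to the SSO session,
        # so it is what a global logout invalidates.
        "survives_sso_logout": typ == "Offline",
        "expired": bool(exp) and exp <= now,
    }


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg=none) JWT for local testing only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed sample tokens, not real Keycloak output (hypothetical ids).
ONLINE_REFRESH = make_unsigned_token({"typ": "Refresh", "azp": "app2",
                                      "session_state": "sess-1", "exp": 1490799600})
OFFLINE_REFRESH = make_unsigned_token({"typ": "Offline", "azp": "app2",
                                       "session_state": "sess-1", "exp": 0})
```

If the token APP 2 saved reports `survives_sso_logout` as False, it was obtained without the `offline_access` scope and its revocation on logout is the expected behaviour Marek describes, not a bug.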