Re: [keycloak-user] OAuth2 token introspection requires an active session?

Hi all, We're trying to use offline access [1] to retrieve access_tokens on behalf of the user and access a protected resource in a long running process. This protected resource checks the validity of the access_token using the OAuth2 token introspection. In our tests we found that the introspection flag "active" true|false depends on having an active session in the server. Which seems to defeat the purpose of the offline access capabilities. I have tested with versions 2.5.5.Final and 3.0.0.Final and the behavior is the same. * Get an offline token via direct grants * Get an access_token using the offline_token * We have an active session * Use the token introspection for the access_token and get the expected result: active=true * Wait for SSO Idle timeout (so the session expires) * Get a new access_token using the "stored" offline_token * Use the token introspection with the new access_token. Keycloak returns active=false because we don't have a session. But the access_token is valid, and not expired. The following code repository has an isolated test case of this scenario: https://github.com/iperdomo/keycloak-oauth2-instrospection The described steps are in this script: https://github.com/iperdomo/keycloak-oauth2-instrospection/blob/master/te... I tried to look for logged issues regarding token introspection and didn't found anything related to this problem. Is this a bug or an expected behavior? [1] https://keycloak.gitbooks.io/documentation/server_admin/topics/sessions/o... Thanks for your support.