----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-user(a)lists.jboss.org
Sent: Wednesday, 19 November, 2014 4:01:36 PM
Subject: Re: [keycloak-user] Recommendations for protecting REST service with bearer token and basic auth
On 11/19/2014 8:30 AM, Juraci Paixão Kröhling wrote:
> On 11/19/2014 01:01 PM, Stian Thorgersen wrote:
>> One exception though is that in this case you probably want an
>> offline token, which is something we don't support yet. Basically
>> an offline token would be a token that's not associated with a
>> specific user session, which would have a longer (possibly
>> unlimited) lifetime. The user would also need to be able to view
>> and revoke these tokens through the account management.
>
> That's exactly what I mean :-) Is there a plan for this feature
> already? If not, and if it's a desirable feature to have, I might be
> able to scratch a possible solution for it.
>
You guys are basically describing certificate auth.
Yes for the one use-case I described (where the app is the user). There's also the
case where a user gives an application permanent (offline) access to their account. In
Google they have a special scope you can request for this
(https://developers.google.com/accounts/docs/OAuth2WebServer#offline).
Bill
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user