2:47 p.m.
Hello all
I'm trying to validate downloaded earlier token (downloaded via oauth
application with direct access) and I found RSATokenVerifier. It's working
but this is only json validation and it is not checking same token from
user session which exist in memmory.
It is possible to use same token and check it with existing in user session
(without clustering) ? I want to use the same token several times (for
example same token for 5 minutes). Token is sent from client webservice to
other webservice and last ws have to check token wchich is sent from first
webservice (must make sure that token is correct - the same).
I have doubt becouse I saw that always when I try to authenticate with
direct access token is new but not over 5 minutes.
*regards*
*--*
*Emil Posmyk*
1:38 p.m.
Hi,
when you send directAccess grant request it returns you accessToken and
refreshToken. Access token is valid for short period of time (like 5
minutes as you mentioned) and you can then refresh it with refreshToken
for new tokens.
When you're sending request from "client webservice" to "other
webservice", you can attach token into the request in HTTP header like
"Authorization: Bearer you-access-token-is-here" . Then "other
webservice" can be protected directly by our adapter and specified as
"bearer only" client, or you can use RSATokenVerifier if you want to
validate token manually in your application (in case you use adapters,
it will do it for you).
See our demo example application for more details.
Marek
On 27.2.2015 21:47, Emil Posmyk wrote:
Hello all
I'm trying to validate downloaded earlier token (downloaded via oauth
application with direct access) and I found RSATokenVerifier. It's
working but this is only json validation and it is not checking same
token from user session which exist in memmory.
It is possible to use same token and check it with existing in user
session (without clustering) ? I want to use the same token several
times (for example same token for 5 minutes). Token is sent from
client webservice to other webservice and last ws have to check token
wchich is sent from first webservice (must make sure that token is
correct - the same).
I have doubt becouse I saw that always when I try to authenticate with
direct access token is new but not over 5 minutes.
/
regards/
/--/
/Emil Posmyk
/
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
4:09 p.m.
New subject: [EXTERNAL] Re: Token validation in keycloak in oauth with direct access.
I had another question about the refresh token, when I forward it, it did not contain all
the claims the access token has.
For example, my application is configured to provide all the claims and it will user
perfered_username. If I use refresh token, the username is not preferred username, it is
the GUID. But when I forward the same access token, then it is ok. When I decode the
refresh toke, all the claims fields are null.
Thanks
Kevin
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
On Behalf Of Marek Posolda
Sent: Monday, March 02, 2015 1:39 PM
To: Emil Posmyk; keycloak-user(a)lists.jboss.org
Subject: [EXTERNAL] Re: [keycloak-user] Token validation in keycloak in oauth with direct
access.
Hi,
when you send directAccess grant request it returns you accessToken and refreshToken.
Access token is valid for short period of time (like 5 minutes as you mentioned) and you
can then refresh it with refreshToken for new tokens.
When you're sending request from "client webservice" to "other
webservice", you can attach token into the request in HTTP header like
"Authorization: Bearer you-access-token-is-here" . Then "other
webservice" can be protected directly by our adapter and specified as "bearer
only" client, or you can use RSATokenVerifier if you want to validate token manually
in your application (in case you use adapters, it will do it for you).
See our demo example application for more details.
Marek
On 27.2.2015 21:47, Emil Posmyk wrote:
Hello all
I'm trying to validate downloaded earlier token (downloaded via oauth application with
direct access) and I found RSATokenVerifier. It's working but this is only json
validation and it is not checking same token from user session which exist in memmory.
It is possible to use same token and check it with existing in user session (without
clustering) ? I want to use the same token several times (for example same token for 5
minutes). Token is sent from client webservice to other webservice and last ws have to
check token wchich is sent from first webservice (must make sure that token is correct -
the same).
I have doubt becouse I saw that always when I try to authenticate with direct access token
is new but not over 5 minutes.
regards
--
Emil Posmyk
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
----------------------------------------------------------------------
This e-mail, including any attached files, may contain confidential and privileged
information for the sole use of the intended recipient. Any review, use, distribution, or
disclosure by others is strictly prohibited. If you are not the intended recipient (or
authorized to receive information for the intended recipient), please contact the sender
by reply e-mail and delete all copies of this message.
9:42 p.m.
New subject: [EXTERNAL] Re: Token validation in keycloak in oauth with direct access.
----- Original Message -----
From: "Kevin Chen" <Peng.Chen(a)halliburton.com>
To: "Marek Posolda" <mposolda(a)redhat.com>, "Emil Posmyk"
<emil.posmyk(a)gmail.com>, keycloak-user(a)lists.jboss.org
Sent: Monday, 2 March, 2015 11:09:46 PM
Subject: Re: [keycloak-user] [EXTERNAL] Re: Token validation in keycloak in oauth with
direct access.
I had another question about the refresh token, when I forward it, it did not
contain all the claims the access token has.
The refresh token should only be used to refresh the access token and so there's no
need to have those claims there
For example, my application is configured to provide all the claims and it
will user perfered_username. If I use refresh token, the username is not
preferred username, it is the GUID. But when I forward the same access
token, then it is ok. When I decode the refresh toke, all the claims fields
are null.
Thanks
Kevin
From: keycloak-user-bounces(a)lists.jboss.org
[mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Marek Posolda
Sent: Monday, March 02, 2015 1:39 PM
To: Emil Posmyk; keycloak-user(a)lists.jboss.org
Subject: [EXTERNAL] Re: [keycloak-user] Token validation in keycloak in oauth
with direct access.
Hi,
when you send directAccess grant request it returns you accessToken and
refreshToken. Access token is valid for short period of time (like 5 minutes
as you mentioned) and you can then refresh it with refreshToken for new
tokens.
When you're sending request from "client webservice" to "other
webservice",
you can attach token into the request in HTTP header like "Authorization:
Bearer you-access-token-is-here" . Then "other webservice" can be
protected
directly by our adapter and specified as "bearer only" client, or you can
use RSATokenVerifier if you want to validate token manually in your
application (in case you use adapters, it will do it for you).
See our demo example application for more details.
Marek
On 27.2.2015 21:47, Emil Posmyk wrote:
Hello all
I'm trying to validate downloaded earlier token (downloaded via oauth
application with direct access) and I found RSATokenVerifier. It's working
but this is only json validation and it is not checking same token from user
session which exist in memmory.
It is possible to use same token and check it with existing in user session
(without clustering) ? I want to use the same token several times (for
example same token for 5 minutes). Token is sent from client webservice to
other webservice and last ws have to check token wchich is sent from first
webservice (must make sure that token is correct - the same).
I have doubt becouse I saw that always when I try to authenticate with direct
access token is new but not over 5 minutes.
regards
--
Emil Posmyk
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
This e-mail, including any attached files, may contain confidential and
privileged information for the sole use of the intended recipient. Any
review, use, distribution, or disclosure by others is strictly prohibited.
If you are not the intended recipient (or authorized to receive information
for the intended recipient), please contact the sender by reply e-mail and
delete all copies of this message.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
3604
days inactive
3608
days old
3 comments
4 participants
participants (4)
-
Emil Posmyk -
Kevin Chen -
Marek Posolda -
Stian Thorgersen