On 01/06/17 18:09, Mike Hills wrote:
> Hi All,
> I need to implement offline tokens (
> https://keycloak.gitbooks.io/documentation/content/server_admin/topics/se...)
> for a number of our REST services.
> I followed the instructions provided and it seems to work well. I do have a
> couple of questions to confirm my approach please.
>
> 1. The generated offline refresh token is used to return a valid token
> using the grant_type of refresh_token. Does this mean that the
> refresh_token call must be made each time (assuming the previous token has
> timed out)?
Yes. Access token timeout is supposed to be short (1-5 mins or so), so
once it is expired, you may need to use the offline token for the refresh
request and retrieve a new access token.
> 2. Is it best practice to hand out the same token for each client that
> needs to authenticate against the service or create a new client for each
> client service?
There are 2 main types of applications:
1. Frontend clients: Those are applications which are authenticated
against Keycloak and they retrieve any tokens dedicated to them.
2. REST clients: Those are usually bearer-only clients, which don't
authenticate directly against Keycloak. They just wait until some other
service of type 1 sends them the access token.
The best is that you have a dedicated client (and tokens) for every client
of type 1. Then you use the token to call the backend REST services of
type 2 from this client. If the client wants to access 5 different REST
services, you still use the same token to authenticate against them. You may
just need the scope roles to be available in the token, so that the REST service
can access them.
For more details, see our documentation and examples.
Marek
> Any help is appreciated,
> Regards,
> mike
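A client-side sketch of what the first answer describes, added here as an example and not code from the thread or from Keycloak: the caller keeps the offline token, caches the short-lived access token, and sends the refresh_token grant to the token endpoint only when the cached token is about to expire. The endpoint URL, client id, offline token and the `skew` margin are assumptions; a confidential client would also need to send its client_secret.

```python
import base64
import json
import time
from urllib import parse, request


def _jwt_exp(token: str) -> int:
    """Read the exp claim from a JWT payload. No signature check here: this only
    decides when to refresh; the REST service still validates the token itself."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])


def fake_jwt(exp: int) -> str:
    """Constructed, unsigned JWT used only to exercise the expiry logic offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'exp': exp})}.sig"


class OfflineTokenClient:
    """Holds an offline refresh token and hands out a valid access token,
    calling the refresh_token grant only once the cached one is (nearly) expired."""

    def __init__(self, token_url, client_id, offline_token, post=None, skew=30):
        # token_url is assumed to look like
        # https://<host>/auth/realms/<realm>/protocol/openid-connect/token
        self.token_url = token_url
        self.client_id = client_id
        self.offline_token = offline_token
        self.post = post or self._http_post   # injectable so tests need no network
        self.skew = skew                      # refresh this many seconds early
        self.access_token = None
        self.refresh_calls = 0

    @staticmethod
    def _http_post(url, fields):
        data = parse.urlencode(fields).encode()
        with request.urlopen(request.Request(url, data=data)) as resp:
            return json.loads(resp.read())

    def get_access_token(self, now=None):
        now = time.time() if now is None else now
        if self.access_token is None or _jwt_exp(self.access_token) - self.skew <= now:
            body = self.post(self.token_url, {
                "grant_type": "refresh_token",
                "client_id": self.client_id,
                "refresh_token": self.offline_token,
            })
            self.access_token = body["access_token"]
            # Keycloak may hand back a new offline token; keep using the latest one.
            self.offline_token = body.get("refresh_token", self.offline_token)
            self.refresh_calls += 1
        return self.access_token
```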