8:51 a.m.
We have two clients registered in our realm; frontend and backend. Frontend
is defined openid-connect/public (HTML/Javascript app) and backend is
openid-connect/bearer-only.
How can we generate an offline token for a given user that can be used
towards our backend (which is bearer only)?
We have a lot of customers that is integrated to our API (which is our
backend client).
*Pål Orby*
UNIT4 Agresso AS
DevOps
Tlf: 22 58 85 00
Mobil: 900 91 705
SendRegning - Gjør det enkelt!
http://www.sendregning.no
http://facebook.com/sendregning
http://twitter.com/sendregning
http://faktura.no
9:06 a.m.
Heisann,
Nice to see fellow Norwegians are using Keycloak :)
For offline tokens the idea is that you'd have a frontend app (server or
client, whichever floats your boat) that can bootstrap the offline token.
Not sure offline tokens is quite what you need though - can you elaborate a
bit on your use case?
On 30 October 2015 at 13:51, Pål Orby <orby(a)sendregning.no> wrote:
We have two clients registered in our realm; frontend and backend.
Frontend is defined openid-connect/public (HTML/Javascript app) and backend
is openid-connect/bearer-only.
How can we generate an offline token for a given user that can be used
towards our backend (which is bearer only)?
We have a lot of customers that is integrated to our API (which is our
backend client).
*Pål Orby*
UNIT4 Agresso AS
DevOps
Tlf: 22 58 85 00
Mobil: 900 91 705
SendRegning - Gjør det enkelt!
http://www.sendregning.no
http://facebook.com/sendregning
http://twitter.com/sendregning
http://faktura.no
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
9:36 a.m.
Saw your session at JavaZone, so thought we could give KC a try :-)
Our web application is split on two; frontend (HTML5/Javascript) and our
backend (REST lv. 3 developed in Java, currently running inside Tomcat).
Our frontend is just a consumer of our backend API (just like any other
client), and I've successfully configured KC to use openid-connect/public
for our frontend with keycloak.js, and openid-connect/bearer-only for our
backend (API) in our test environment (sending the Authorization header
with Bearer and keycloak.token to backend when doing ajax requests). This
work like expected. Even written our own federation doing password
validation from our user database.
But, a lot of our customers have integrated their application to our
backend API, doing REST calls for issuing invoices, etc...)
Most other services that provides you with an API offers tokens that can be
used for identification and authentication. And as far as I can see, this
is offline tokens in KC.
So we want to have our users log in to our service with their browser, go
to our "API key page" and create a new token to be used by the integrations
(moving away from Basic auth).
I've created an offline token by hitting a keycloak protected html file and
requested a resource with parameter ?scope=offline_access. I do see KC
gives me a value back:
http://localhost/keycloak.html?scope=offline_access&code=HU5UkZ_EbNUj...
But there is no way I can use this for anything (and in KC it seems to be
bound to our frontend application).
Why can't I use the admin rest api to say something like: give me an
offline token for this user for this app?
/Pål
2015-10-30 15:06 GMT+01:00 Stian Thorgersen <sthorger(a)redhat.com>:
Heisann,
Nice to see fellow Norwegians are using Keycloak :)
For offline tokens the idea is that you'd have a frontend app (server or
client, whichever floats your boat) that can bootstrap the offline token.
Not sure offline tokens is quite what you need though - can you elaborate
a bit on your use case?
On 30 October 2015 at 13:51, Pål Orby <orby(a)sendregning.no> wrote:
> We have two clients registered in our realm; frontend and backend.
> Frontend is defined openid-connect/public (HTML/Javascript app) and backend
> is openid-connect/bearer-only.
>
> How can we generate an offline token for a given user that can be used
> towards our backend (which is bearer only)?
>
> We have a lot of customers that is integrated to our API (which is our
> backend client).
>
> *Pål Orby*
> UNIT4 Agresso AS
> DevOps
> Tlf: 22 58 85 00
> Mobil: 900 91 705
>
> SendRegning - Gjør det enkelt!
> http://www.sendregning.no
> http://facebook.com/sendregning
> http://twitter.com/sendregning
> http://faktura.no
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
9:41 a.m.
You can obtain tokens from a non-browser client. We have two types:
session-based tokens: These are associated with an in-memory(cluster
aware) session and have a short expiration (minutes), but can be
refreshed with a refresh token. These sessions can be closed
automatically if they are idle too long
offline tokens: They are persisted and have much longer expiration
times. They do have timeouts, but these times are generally much longer.
On 10/30/2015 10:36 AM, Pål Orby wrote:
Saw your session at JavaZone, so thought we could give KC a try :-)
Our web application is split on two; frontend (HTML5/Javascript) and our
backend (REST lv. 3 developed in Java, currently running inside Tomcat).
Our frontend is just a consumer of our backend API (just like any other
client), and I've successfully configured KC to use
openid-connect/public for our frontend with keycloak.js, and
openid-connect/bearer-only for our backend (API) in our test environment
(sending the Authorization header with Bearer and keycloak.token to
backend when doing ajax requests). This work like expected. Even written
our own federation doing password validation from our user database.
But, a lot of our customers have integrated their application to our
backend API, doing REST calls for issuing invoices, etc...)
Most other services that provides you with an API offers tokens that can
be used for identification and authentication. And as far as I can see,
this is offline tokens in KC.
So we want to have our users log in to our service with their browser,
go to our "API key page" and create a new token to be used by the
integrations (moving away from Basic auth).
I've created an offline token by hitting a keycloak protected html file
and requested a resource with parameter ?scope=offline_access. I do see
KC gives me a value back:
http://localhost/keycloak.html?scope=offline_access&code=HU5UkZ_EbNUj...
But there is no way I can use this for anything (and in KC it seems to
be bound to our frontend application).
Why can't I use the admin rest api to say something like: give me an
offline token for this user for this app?
/Pål
2015-10-30 15:06 GMT+01:00 Stian Thorgersen <sthorger(a)redhat.com
<mailto:sthorger@redhat.com>>:
Heisann,
Nice to see fellow Norwegians are using Keycloak :)
For offline tokens the idea is that you'd have a frontend app
(server or client, whichever floats your boat) that can bootstrap
the offline token.
Not sure offline tokens is quite what you need though - can you
elaborate a bit on your use case?
On 30 October 2015 at 13:51, Pål Orby <orby(a)sendregning.no
<mailto:orby@sendregning.no>> wrote:
We have two clients registered in our realm; frontend and
backend. Frontend is defined openid-connect/public
(HTML/Javascript app) and backend is openid-connect/bearer-only.
How can we generate an offline token for a given user that can
be used towards our backend (which is bearer only)?
We have a lot of customers that is integrated to our API (which
is our backend client).
*Pål Orby*
UNIT4 Agresso AS*
*DevOps
Tlf: 22 58 85 00
Mobil: 900 91 705
SendRegning - Gjør det enkelt!
http://www.sendregning.no
http://facebook.com/sendregning
http://twitter.com/sendregning
http://faktura.no
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
5:06 a.m.
I would create a client for each customer. Enable the service account
feature to map roles to the client. Then customers can authenticate either
with a secret or signed jwt (public/private key). They can then use the
client credentials grant to obtain tokens.
On 30 Oct 2015 15:37, "Pål Orby" <orby(a)sendregning.no> wrote:
Saw your session at JavaZone, so thought we could give KC a try :-)
Our web application is split on two; frontend (HTML5/Javascript) and our
backend (REST lv. 3 developed in Java, currently running inside Tomcat).
Our frontend is just a consumer of our backend API (just like any other
client), and I've successfully configured KC to use openid-connect/public
for our frontend with keycloak.js, and openid-connect/bearer-only for our
backend (API) in our test environment (sending the Authorization header
with Bearer and keycloak.token to backend when doing ajax requests). This
work like expected. Even written our own federation doing password
validation from our user database.
But, a lot of our customers have integrated their application to our
backend API, doing REST calls for issuing invoices, etc...)
Most other services that provides you with an API offers tokens that can
be used for identification and authentication. And as far as I can see,
this is offline tokens in KC.
So we want to have our users log in to our service with their browser, go
to our "API key page" and create a new token to be used by the integrations
(moving away from Basic auth).
I've created an offline token by hitting a keycloak protected html file
and requested a resource with parameter ?scope=offline_access. I do see KC
gives me a value back:
http://localhost/keycloak.html?scope=offline_access&code=HU5UkZ_EbNUj...
But there is no way I can use this for anything (and in KC it seems to be
bound to our frontend application).
Why can't I use the admin rest api to say something like: give me an
offline token for this user for this app?
/Pål
2015-10-30 15:06 GMT+01:00 Stian Thorgersen <sthorger(a)redhat.com>:
> Heisann,
>
> Nice to see fellow Norwegians are using Keycloak :)
>
> For offline tokens the idea is that you'd have a frontend app (server or
> client, whichever floats your boat) that can bootstrap the offline token.
>
> Not sure offline tokens is quite what you need though - can you elaborate
> a bit on your use case?
>
> On 30 October 2015 at 13:51, Pål Orby <orby(a)sendregning.no> wrote:
>
>> We have two clients registered in our realm; frontend and backend.
>> Frontend is defined openid-connect/public (HTML/Javascript app) and backend
>> is openid-connect/bearer-only.
>>
>> How can we generate an offline token for a given user that can be used
>> towards our backend (which is bearer only)?
>>
>> We have a lot of customers that is integrated to our API (which is our
>> backend client).
>>
>> *Pål Orby*
>> UNIT4 Agresso AS
>> DevOps
>> Tlf: 22 58 85 00
>> Mobil: 900 91 705
>>
>> SendRegning - Gjør det enkelt!
>> http://www.sendregning.no
>> http://facebook.com/sendregning
>> http://twitter.com/sendregning
>> http://faktura.no
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
3:40 p.m.
It's not an option to create a client for each customer. Currently we have
65 000 customers, and we do not care if they use our API or using us within
their browser.
We want to just generate an offline token for a given user? Can someone
please tell me how to do it. I've read the documentation, but it not clear
for me how to obtain an offline token (
http://keycloak.github.io/docs/userguide/keycloak-server/html/timeouts.ht...
).
Thanks in advance :-)
/Pål
*Pål Orby*
UNIT4 Agresso AS
Programvareingeniør
Tlf: 22 58 85 00
Mobil: 900 91 705
SendRegning - Gjør det enkelt!
http://www.sendregning.no
http://facebook.com/sendregning
http://twitter.com/sendregning
http://faktura.no
2015-11-02 12:06 GMT+01:00 Stian Thorgersen <sthorger(a)redhat.com>:
I would create a client for each customer. Enable the service
account
feature to map roles to the client. Then customers can authenticate either
with a secret or signed jwt (public/private key). They can then use the
client credentials grant to obtain tokens.
On 30 Oct 2015 15:37, "Pål Orby" <orby(a)sendregning.no> wrote:
> Saw your session at JavaZone, so thought we could give KC a try :-)
>
> Our web application is split on two; frontend (HTML5/Javascript) and our
> backend (REST lv. 3 developed in Java, currently running inside Tomcat).
>
> Our frontend is just a consumer of our backend API (just like any other
> client), and I've successfully configured KC to use openid-connect/public
> for our frontend with keycloak.js, and openid-connect/bearer-only for our
> backend (API) in our test environment (sending the Authorization header
> with Bearer and keycloak.token to backend when doing ajax requests). This
> work like expected. Even written our own federation doing password
> validation from our user database.
>
> But, a lot of our customers have integrated their application to our
> backend API, doing REST calls for issuing invoices, etc...)
>
> Most other services that provides you with an API offers tokens that can
> be used for identification and authentication. And as far as I can see,
> this is offline tokens in KC.
>
> So we want to have our users log in to our service with their browser, go
> to our "API key page" and create a new token to be used by the
integrations
> (moving away from Basic auth).
>
> I've created an offline token by hitting a keycloak protected html file
> and requested a resource with parameter ?scope=offline_access. I do see KC
> gives me a value back:
>
>
http://localhost/keycloak.html?scope=offline_access&code=HU5UkZ_EbNUj...
>
> But there is no way I can use this for anything (and in KC it seems to be
> bound to our frontend application).
>
> Why can't I use the admin rest api to say something like: give me an
> offline token for this user for this app?
>
> /Pål
>
> 2015-10-30 15:06 GMT+01:00 Stian Thorgersen <sthorger(a)redhat.com>:
>
>> Heisann,
>>
>> Nice to see fellow Norwegians are using Keycloak :)
>>
>> For offline tokens the idea is that you'd have a frontend app (server or
>> client, whichever floats your boat) that can bootstrap the offline token.
>>
>> Not sure offline tokens is quite what you need though - can you
>> elaborate a bit on your use case?
>>
>> On 30 October 2015 at 13:51, Pål Orby <orby(a)sendregning.no> wrote:
>>
>>> We have two clients registered in our realm; frontend and backend.
>>> Frontend is defined openid-connect/public (HTML/Javascript app) and backend
>>> is openid-connect/bearer-only.
>>>
>>> How can we generate an offline token for a given user that can be used
>>> towards our backend (which is bearer only)?
>>>
>>> We have a lot of customers that is integrated to our API (which is our
>>> backend client).
>>>
>>> *Pål Orby*
>>> UNIT4 Agresso AS
>>> DevOps
>>> Tlf: 22 58 85 00
>>> Mobil: 900 91 705
>>>
>>> SendRegning - Gjør det enkelt!
>>> http://www.sendregning.no
>>> http://facebook.com/sendregning
>>> http://twitter.com/sendregning
>>> http://faktura.no
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>
2:06 a.m.
On 02/11/15 22:40, Pål Orby wrote:
It's not an option to create a client for each customer.
Currently we
have 65 000 customers, and we do not care if they use our API or using
us within their browser.
We want to just generate an offline token for a given user? Can
someone please tell me how to do it. I've read the documentation, but
it not clear for me how to obtain an offline token
(http://keycloak.github.io/docs/userguide/keycloak-server/html/timeouts.ht...).
Not sure I understand all the details for your usecase. But the usecase
like "give me an offline token for this user for this app" can be done
with usage of direct grant. See here the docs for direct grant
http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-acce...
. If you want to retrieve offline token through direct grant, you just
need to add the parameter "scope=offline_access" to the body of POST
methods. So instead of just:
username=bburke&password=geheim&grant_type=password
you will use:
username=bburke&password=geheim&grant_type=password&scope=offline_access
But note, that offline token is not a permanent token, which can be
unlimitedly used for authentication against REST backend services.
Offline token is just special kind of refresh token, which never
expires. You can use offline token to "refresh" and retrieve the access
token, which can itself be used for authentication against REST backend
services. But the access token has limited lifetime (usually 1 minute).
So typically once you retrieve offline token, you need to save it in the
database and always when you need to send request to REST backend, you
use offline token to retrieve access token and then use this access
token to send REST request. I suggest to take a look at
offline_access_app example in the demo.
Marek
Thanks in advance :-)
/Pål
*Pål Orby*
UNIT4 Agresso AS*
*Programvareingeniør
Tlf: 22 58 85 00
Mobil: 900 91 705
SendRegning - Gjør det enkelt!
http://www.sendregning.no
http://facebook.com/sendregning
http://twitter.com/sendregning
http://faktura.no
2015-11-02 12:06 GMT+01:00 Stian Thorgersen <sthorger(a)redhat.com
<mailto:sthorger@redhat.com>>:
I would create a client for each customer. Enable the service
account feature to map roles to the client. Then customers can
authenticate either with a secret or signed jwt (public/private
key). They can then use the client credentials grant to obtain tokens.
On 30 Oct 2015 15:37, "Pål Orby" <orby(a)sendregning.no
<mailto:orby@sendregning.no>> wrote:
Saw your session at JavaZone, so thought we could give KC a
try :-)
Our web application is split on two; frontend
(HTML5/Javascript) and our backend (REST lv. 3 developed in
Java, currently running inside Tomcat).
Our frontend is just a consumer of our backend API (just like
any other client), and I've successfully configured KC to use
openid-connect/public for our frontend with keycloak.js, and
openid-connect/bearer-only for our backend (API) in our test
environment (sending the Authorization header with Bearer
and keycloak.token to backend when doing ajax requests). This
work like expected. Even written our own federation doing
password validation from our user database.
But, a lot of our customers have integrated their application
to our backend API, doing REST calls for issuing invoices, etc...)
Most other services that provides you with an API offers
tokens that can be used for identification and authentication.
And as far as I can see, this is offline tokens in KC.
So we want to have our users log in to our service with their
browser, go to our "API key page" and create a new token to be
used by the integrations (moving away from Basic auth).
I've created an offline token by hitting a keycloak protected
html file and requested a resource with parameter
?scope=offline_access. I do see KC gives me a value back:
http://localhost/keycloak.html?scope=offline_access&code=HU5UkZ_EbNUj...
But there is no way I can use this for anything (and in KC it
seems to be bound to our frontend application).
Why can't I use the admin rest api to say something like: give
me an offline token for this user for this app?
/Pål
2015-10-30 15:06 GMT+01:00 Stian Thorgersen
<sthorger(a)redhat.com <mailto:sthorger@redhat.com>>:
Heisann,
Nice to see fellow Norwegians are using Keycloak :)
For offline tokens the idea is that you'd have a frontend
app (server or client, whichever floats your boat) that
can bootstrap the offline token.
Not sure offline tokens is quite what you need though -
can you elaborate a bit on your use case?
On 30 October 2015 at 13:51, Pål Orby <orby(a)sendregning.no
<mailto:orby@sendregning.no>> wrote:
We have two clients registered in our realm; frontend
and backend. Frontend is defined openid-connect/public
(HTML/Javascript app) and backend is
openid-connect/bearer-only.
How can we generate an offline token for a given user
that can be used towards our backend (which is bearer
only)?
We have a lot of customers that is integrated to our
API (which is our backend client).
*Pål Orby*
UNIT4 Agresso AS*
*DevOps
Tlf: 22 58 85 00
Mobil: 900 91 705
SendRegning - Gjør det enkelt!
http://www.sendregning.no
http://facebook.com/sendregning
http://twitter.com/sendregning
http://faktura.no
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2:23 a.m.
To create a token you need to have a client and a user (or service account
in which case you only need the client). Once you have that you can use the
browser based flow or obtain through REST (resource owner credential grant
for users, client credential grant for service accounts). You should not
share client and user between customers as that will stop you from being
able to revoke the offline tokens. Another issue is that tokens are fairly
big (it's not just a short key, it's a json document).
I would suggest you either:
* Create service account for customers - they can then use this to obtain a
token (offline or standard refresh) using REST endpoints on Keycloak
* Give offline token to users - in this case I would create a service
account for the customer and then create the offline token (all can be done
with Keycloak REST endpoints)
Take a look at
https://github.com/keycloak/keycloak/blob/master/examples/demo-template/a...
it shows how to obtain tokens without browser. To retrieve an offline token
just add scope=offline query parameter.
One thing you could do if you want to give customers the token is to create
a db that stores the token then send the customers a reference to the token
instead. You'd then need a proxy in front of your apps that can exchange
the reference for the full token. If you're interested in this approach I
can get you in touch with someone that is doing that.
On 2 November 2015 at 21:40, Pål Orby <orby(a)sendregning.no> wrote:
It's not an option to create a client for each customer.
Currently we have
65 000 customers, and we do not care if they use our API or using us within
their browser.
We want to just generate an offline token for a given user? Can
someone
please tell me how to do it. I've read the documentation, but it not clear
for me how to obtain an offline token (
http://keycloak.github.io/docs/userguide/keycloak-server/html/timeouts.ht...
).
Thanks in advance :-)
/Pål
*Pål Orby*
UNIT4 Agresso AS
Programvareingeniør
Tlf: 22 58 85 00
Mobil: 900 91 705
SendRegning - Gjør det enkelt!
http://www.sendregning.no
http://facebook.com/sendregning
http://twitter.com/sendregning
http://faktura.no
2015-11-02 12:06 GMT+01:00 Stian Thorgersen <sthorger(a)redhat.com>:
> I would create a client for each customer. Enable the service account
> feature to map roles to the client. Then customers can authenticate either
> with a secret or signed jwt (public/private key). They can then use the
> client credentials grant to obtain tokens.
> On 30 Oct 2015 15:37, "Pål Orby" <orby(a)sendregning.no> wrote:
>
>> Saw your session at JavaZone, so thought we could give KC a try :-)
>>
>> Our web application is split on two; frontend (HTML5/Javascript) and our
>> backend (REST lv. 3 developed in Java, currently running inside Tomcat).
>>
>> Our frontend is just a consumer of our backend API (just like any other
>> client), and I've successfully configured KC to use openid-connect/public
>> for our frontend with keycloak.js, and openid-connect/bearer-only for our
>> backend (API) in our test environment (sending the Authorization header
>> with Bearer and keycloak.token to backend when doing ajax requests). This
>> work like expected. Even written our own federation doing password
>> validation from our user database.
>>
>> But, a lot of our customers have integrated their application to our
>> backend API, doing REST calls for issuing invoices, etc...)
>>
>> Most other services that provides you with an API offers tokens that can
>> be used for identification and authentication. And as far as I can see,
>> this is offline tokens in KC.
>>
>> So we want to have our users log in to our service with their browser,
>> go to our "API key page" and create a new token to be used by the
>> integrations (moving away from Basic auth).
>>
>> I've created an offline token by hitting a keycloak protected html file
>> and requested a resource with parameter ?scope=offline_access. I do see KC
>> gives me a value back:
>>
>>
http://localhost/keycloak.html?scope=offline_access&code=HU5UkZ_EbNUj...
>>
>> But there is no way I can use this for anything (and in KC it seems to
>> be bound to our frontend application).
>>
>> Why can't I use the admin rest api to say something like: give me an
>> offline token for this user for this app?
>>
>> /Pål
>>
>> 2015-10-30 15:06 GMT+01:00 Stian Thorgersen <sthorger(a)redhat.com>:
>>
>>> Heisann,
>>>
>>> Nice to see fellow Norwegians are using Keycloak :)
>>>
>>> For offline tokens the idea is that you'd have a frontend app (server
>>> or client, whichever floats your boat) that can bootstrap the offline token.
>>>
>>> Not sure offline tokens is quite what you need though - can you
>>> elaborate a bit on your use case?
>>>
>>> On 30 October 2015 at 13:51, Pål Orby <orby(a)sendregning.no> wrote:
>>>
>>>> We have two clients registered in our realm; frontend and backend.
>>>> Frontend is defined openid-connect/public (HTML/Javascript app) and
backend
>>>> is openid-connect/bearer-only.
>>>>
>>>> How can we generate an offline token for a given user that can be used
>>>> towards our backend (which is bearer only)?
>>>>
>>>> We have a lot of customers that is integrated to our API (which is our
>>>> backend client).
>>>>
>>>> *Pål Orby*
>>>> UNIT4 Agresso AS
>>>> DevOps
>>>> Tlf: 22 58 85 00
>>>> Mobil: 900 91 705
>>>>
>>>> SendRegning - Gjør det enkelt!
>>>> http://www.sendregning.no
>>>> http://facebook.com/sendregning
>>>> http://twitter.com/sendregning
>>>> http://faktura.no
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>>
>>
2:32 a.m.
On Tue, Nov 3, 2015 at 10:23 AM, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
* Create service account for customers - they can then use this to
obtain
a token (offline or standard refresh) using REST endpoints on Keycloak
Sorry to step in, but could you please explain the use case or the
reasoning for offline tokens on service accounts? If I have understood it
correctly you'll still need clientId and secret to generate the access
token from the offline token. Why not just use them to login whenever
necessary? Thanks!
Best regards,
Thomas
6:49 a.m.
On 03/11/15 09:32, Thomas Raehalme wrote:
On Tue, Nov 3, 2015 at 10:23 AM, Stian Thorgersen
<sthorger(a)redhat.com
<mailto:sthorger@redhat.com>> wrote:
* Create service account for customers - they can then use this to
obtain a token (offline or standard refresh) using REST endpoints
on Keycloak
Sorry to step in, but could you please explain the use case or the
reasoning for offline tokens on service accounts? If I have understood
it correctly you'll still need clientId and secret to generate the
access token from the offline token. Why not just use them to login
whenever necessary? Thanks!
We support offline tokens for service accounts because
there is no
reason (bad side effect) of not supporting it. Or at least I am not
aware of any. Are you? Adding this support came "for free".
One usecase when it can be useful is, for example if you have offline
token and you don't know how was this offline token authenticated (if it
was direct grant, service account or browser). You can send the refresh
token request with this token regardless of the offline token type as
the refreshToken endpoint is same for all cases.
Marek
Best regards,
Thomas
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
12:10 p.m.
Ok, so after reading the replies here I understand that it isn't offline
tokens I'm looking for.
The token I'm looking for is what I would call an "application token". Any
plans implementing that?
Example:
If you enable two factor authentication on Github, you can't connect with
username/password anymore in terminal or other 3. party applications
integrated with GitHub without using an "application token" that you create
on your GitHub account page.
/Pål
*Pål Orby*
UNIT4 Agresso AS
Programvareingeniør
Tlf: 22 58 85 00
Mobil: 900 91 705
SendRegning - Gjør det enkelt!
http://www.sendregning.no
http://facebook.com/sendregning
http://twitter.com/sendregning
http://faktura.no
2015-11-03 13:49 GMT+01:00 Marek Posolda <mposolda(a)redhat.com>:
On 03/11/15 09:32, Thomas Raehalme wrote:
On Tue, Nov 3, 2015 at 10:23 AM, Stian Thorgersen < <sthorger(a)redhat.com>
sthorger(a)redhat.com> wrote:
> * Create service account for customers - they can then use this to obtain
> a token (offline or standard refresh) using REST endpoints on Keycloak
>
Sorry to step in, but could you please explain the use case or the
reasoning for offline tokens on service accounts? If I have understood it
correctly you'll still need clientId and secret to generate the access
token from the offline token. Why not just use them to login whenever
necessary? Thanks!
We support offline tokens for service accounts because there is no reason
(bad side effect) of not supporting it. Or at least I am not aware of any.
Are you? Adding this support came "for free".
One usecase when it can be useful is, for example if you have offline
token and you don't know how was this offline token authenticated (if it
was direct grant, service account or browser). You can send the refresh
token request with this token regardless of the offline token type as the
refreshToken endpoint is same for all cases.
Marek
Best regards,
Thomas
_______________________________________________
keycloak-user mailing
listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
1:06 p.m.
For 3rd party app, the app would just use OAuth protocol to obtain a
token. That's what OAuth was originally written to do. OpenID Connect
just extended it for authentication.
On 11/3/2015 1:10 PM, Pål Orby wrote:
Ok, so after reading the replies here I understand that it isn't
offline
tokens I'm looking for.
The token I'm looking for is what I would call an "application token".
Any plans implementing that?
Example:
If you enable two factor authentication on Github, you can't connect
with username/password anymore in terminal or other 3. party
applications integrated with GitHub without using an "application token"
that you create on your GitHub account page.
/Pål
*Pål Orby*
UNIT4 Agresso AS*
*Programvareingeniør
Tlf: 22 58 85 00
Mobil: 900 91 705
SendRegning - Gjør det enkelt!
http://www.sendregning.no
http://facebook.com/sendregning
http://twitter.com/sendregning
http://faktura.no
2015-11-03 13:49 GMT+01:00 Marek Posolda <mposolda(a)redhat.com
<mailto:mposolda@redhat.com>>:
On 03/11/15 09:32, Thomas Raehalme wrote:
> On Tue, Nov 3, 2015 at 10:23 AM, Stian Thorgersen
> <<mailto:sthorger@redhat.com>sthorger@redhat.com
> <mailto:sthorger@redhat.com>> wrote:
>
> * Create service account for customers - they can then use
> this to obtain a token (offline or standard refresh) using
> REST endpoints on Keycloak
>
>
> Sorry to step in, but could you please explain the use case or the
> reasoning for offline tokens on service accounts? If I have
> understood it correctly you'll still need clientId and secret to
> generate the access token from the offline token. Why not just use
> them to login whenever necessary? Thanks!
We support offline tokens for service accounts because there is no
reason (bad side effect) of not supporting it. Or at least I am not
aware of any. Are you? Adding this support came "for free".
One usecase when it can be useful is, for example if you have
offline token and you don't know how was this offline token
authenticated (if it was direct grant, service account or browser).
You can send the refresh token request with this token regardless of
the offline token type as the refreshToken endpoint is same for all
cases.
Marek
>
> Best regards,
> Thomas
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
5:42 a.m.
On 3 November 2015 at 19:10, Pål Orby <orby(a)sendregning.no> wrote:
Ok, so after reading the replies here I understand that it isn't
offline
tokens I'm looking for.
The token I'm looking for is what I would call an "application token". Any
plans implementing that?
No, we don't have any plans for that. However as I suggested you can
relatively easily provide that yourself by creating a client with service
account for a customer then create an offline token to send to them. Main
issue still stands though is that an offline token is not just a short "API
Key" it's a relatively big base64 string.
If you want a short "API Key" you'd need a proxy in front of your services
that can swap the key for the actual token.
Example:
If you enable two factor authentication on Github, you can't connect with
username/password anymore in terminal or other 3. party applications
integrated with GitHub without using an "application token" that you create
on your GitHub account page.
/Pål
*Pål Orby*
UNIT4 Agresso AS
Programvareingeniør
Tlf: 22 58 85 00
Mobil: 900 91 705
SendRegning - Gjør det enkelt!
http://www.sendregning.no
http://facebook.com/sendregning
http://twitter.com/sendregning
http://faktura.no
2015-11-03 13:49 GMT+01:00 Marek Posolda <mposolda(a)redhat.com>:
> On 03/11/15 09:32, Thomas Raehalme wrote:
>
> On Tue, Nov 3, 2015 at 10:23 AM, Stian Thorgersen < <sthorger(a)redhat.com>
> sthorger(a)redhat.com> wrote:
>
>> * Create service account for customers - they can then use this to
>> obtain a token (offline or standard refresh) using REST endpoints on
>> Keycloak
>>
>
> Sorry to step in, but could you please explain the use case or the
> reasoning for offline tokens on service accounts? If I have understood it
> correctly you'll still need clientId and secret to generate the access
> token from the offline token. Why not just use them to login whenever
> necessary? Thanks!
>
> We support offline tokens for service accounts because there is no reason
> (bad side effect) of not supporting it. Or at least I am not aware of any.
> Are you? Adding this support came "for free".
>
> One usecase when it can be useful is, for example if you have offline
> token and you don't know how was this offline token authenticated (if it
> was direct grant, service account or browser). You can send the refresh
> token request with this token regardless of the offline token type as the
> refreshToken endpoint is same for all cases.
>
> Marek
>
>
> Best regards,
> Thomas
>
>
>
>
> _______________________________________________
> keycloak-user mailing
listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
6:19 a.m.
I'm currently implementing the proxy solution.
Thanks for you help :-)
*Pål Orby*
UNIT4 Agresso AS
Programvareingeniør
Tlf: 22 58 85 00
Mobil: 900 91 705
SendRegning - Gjør det enkelt!
http://www.sendregning.no
http://facebook.com/sendregning
http://twitter.com/sendregning
http://faktura.no
2015-11-05 12:42 GMT+01:00 Stian Thorgersen <sthorger(a)redhat.com>:
On 3 November 2015 at 19:10, Pål Orby <orby(a)sendregning.no> wrote:
> Ok, so after reading the replies here I understand that it isn't offline
> tokens I'm looking for.
>
> The token I'm looking for is what I would call an "application token".
> Any plans implementing that?
>
No, we don't have any plans for that. However as I suggested you can
relatively easily provide that yourself by creating a client with service
account for a customer then create an offline token to send to them. Main
issue still stands though is that an offline token is not just a short "API
Key" it's a relatively big base64 string.
If you want a short "API Key" you'd need a proxy in front of your services
that can swap the key for the actual token.
>
> Example:
> If you enable two factor authentication on Github, you can't connect with
> username/password anymore in terminal or other 3. party applications
> integrated with GitHub without using an "application token" that you
create
> on your GitHub account page.
>
> /Pål
>
> *Pål Orby*
> UNIT4 Agresso AS
> Programvareingeniør
> Tlf: 22 58 85 00
> Mobil: 900 91 705
>
> SendRegning - Gjør det enkelt!
> http://www.sendregning.no
> http://facebook.com/sendregning
> http://twitter.com/sendregning
> http://faktura.no
>
> 2015-11-03 13:49 GMT+01:00 Marek Posolda <mposolda(a)redhat.com>:
>
>> On 03/11/15 09:32, Thomas Raehalme wrote:
>>
>> On Tue, Nov 3, 2015 at 10:23 AM, Stian Thorgersen <
>> <sthorger@redhat.com>sthorger(a)redhat.com> wrote:
>>
>>> * Create service account for customers - they can then use this to
>>> obtain a token (offline or standard refresh) using REST endpoints on
>>> Keycloak
>>>
>>
>> Sorry to step in, but could you please explain the use case or the
>> reasoning for offline tokens on service accounts? If I have understood it
>> correctly you'll still need clientId and secret to generate the access
>> token from the offline token. Why not just use them to login whenever
>> necessary? Thanks!
>>
>> We support offline tokens for service accounts because there is no
>> reason (bad side effect) of not supporting it. Or at least I am not aware
>> of any. Are you? Adding this support came "for free".
>>
>> One usecase when it can be useful is, for example if you have offline
>> token and you don't know how was this offline token authenticated (if it
>> was direct grant, service account or browser). You can send the refresh
>> token request with this token regardless of the offline token type as the
>> refreshToken endpoint is same for all cases.
>>
>> Marek
>>
>>
>> Best regards,
>> Thomas
>>
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing
listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>
5:38 a.m.
On 3 November 2015 at 09:32, Thomas Raehalme <
thomas.raehalme(a)aitiofinland.com> wrote:
On Tue, Nov 3, 2015 at 10:23 AM, Stian Thorgersen
<sthorger(a)redhat.com>
wrote:
> * Create service account for customers - they can then use this to obtain
> a token (offline or standard refresh) using REST endpoints on Keycloak
>
Sorry to step in, but could you please explain the use case or the
reasoning for offline tokens on service accounts? If I have understood it
correctly you'll still need clientId and secret to generate the access
token from the offline token. Why not just use them to login whenever
necessary? Thanks!
I wouldn't use offline tokens myself, but if you want to provide customers
with a "token" rather than a service account it should be an offline token.
Problem is that it'll be rather big, not just a short "api key".
Best regards,
Thomas
3334
days inactive
3340
days old
14 comments
5 participants
participants (5)
-
Bill Burke -
Marek Posolda -
Pål Orby -
Stian Thorgersen -
Thomas Raehalme