On 30/01/18 10:10, O'Callaghan, John wrote:
> Hi Marek
> Thanks for that info, the token exchange feature looks interesting and might be a way for
> me to solve my requirement. I didn't see anything in the docs saying that I could use it
> to get an offline token but it's worth a shot. Has anyone out there used this to get
> offline tokens?
> If this is possible then it would be the preferable option for me. The service accounts
> option is a bit fiddly as I would need a separate service account for each user (at least
> that's how I think that would work). Unless it were possible to fully automate the
> creation of these service accounts on demand, associate them with a specific user and then
> grab their offline token.
Nope, service accounts are used for the case when you want to
authenticate on behalf of a "client" application, not as any concrete
user. In some cases, it may be useful to use those service accounts to
perform some tasks not tied to any concrete user (e.g. periodic tasks
etc). Just mentioned this for the case if it suits your use case, but I
guess it doesn't...
Marek
> I'll look further into option 1 and get back to you with how I get on.
> Thanks again
> John
On 29/01/2018, 16:13, "Marek Posolda" <mposolda(a)redhat.com> wrote:
Not sure we have direct support for this. What we have is:
- Token Exchange service -- The new thing added in Keycloak 3.4 (I
think). It's available in Keycloak 3.4.3 for sure. It can possibly be
used to exchange the token of an authenticated admin for the token of a user
(impersonation of tokens). Not 100% sure if it's possible. It's a new
thing and I am still not too familiar with it. You can take a look at
the docs and see...
- Service accounts -- Authenticate on behalf of some client and issue a
token assigned to the client, not to a concrete user. Not sure if it suits
your needs, just pointing this out if you're not aware of that possibility.
- If none of the previous things can be used, you can create your own custom
Authenticator and set it up as a Direct Access Grant Flow. The
authenticator will somehow allow you to authenticate as any user if you
prove your admin identity. Also you can create your own REST endpoint
for exchanging an admin token for the offline token of a user (that's also a
workaround). These possibilities will 100% work, but it's a workaround and
it's also complicated to do (you would need to code the new
authenticator implementation). So I would use it just as a last fallback.
Marek
On 29/01/18 12:31, O'Callaghan, John wrote:
> Hi
>
> I'm hoping someone can help with a question I have around offline tokens. I
> would like to be able to generate offline tokens for users of my system. At the moment the
> only way I can see to be able to create an offline token is to POST to
> "/realms/<name>/protocol/openid-connect/token" with scope "offline_access" and
> pass in their username/password.
>
> This works fine if I am asking users to create their own offline tokens, but
> what I would like to be able to do is allow an admin user to create these offline tokens
> for users on request (without knowing their password). Is this possible? I have had a
> look in the REST API and didn't see anything there but maybe it's not documented?
>
> Many thanks!
> John
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
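The request John describes (a POST to the realm's token endpoint with scope "offline_access" and the user's own username/password), as an added example that is not from the thread or from Keycloak itself: it builds that request and, before the long-lived token is stored anywhere, checks that the refresh token returned really is an offline token instead of assuming the scope was honoured. The base URL, realm and client id are placeholder assumptions, and the sample JWT built by the last helper is constructed for illustration only.

```python
import base64
import json
import urllib.parse
import urllib.request

# Assumed deployment values (placeholders, not taken from the thread).
KEYCLOAK_BASE = "https://keycloak.example.com/auth"
REALM = "myrealm"
CLIENT_ID = "my-client"

def build_offline_token_request(username, password):
    """The POST John describes: the OIDC token endpoint with the password
    (direct access) grant and scope=offline_access. Returns (url, form)."""
    url = f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/token"
    form = {"grant_type": "password", "client_id": CLIENT_ID, "scope": "offline_access",
            "username": username, "password": password}
    return url, form

def jwt_payload(token):
    """Decode a JWT's payload segment without verifying it; enough to inspect
    claims locally (signature checking against the realm keys is a separate step)."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))

def is_offline_token(refresh_token):
    """Keycloak marks offline tokens with typ "Offline" (a normal refresh token
    carries "Refresh"). Check this before storing the token long-term rather
    than assuming the offline_access scope was honoured."""
    return jwt_payload(refresh_token).get("typ") == "Offline"

def request_offline_token(username, password):
    """Perform the POST and return the refresh token, refusing a non-offline one."""
    url, form = build_offline_token_request(username, password)
    data = urllib.parse.urlencode(form).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        body = json.load(resp)
    token = body["refresh_token"]
    if not is_offline_token(token):
        raise RuntimeError("offline_access not granted: got a normal refresh token")
    return token

def constructed_token(typ):
    """Unsigned sample JWT, constructed for illustration only (not a real Keycloak token)."""
    def enc(raw):
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc(b'{"alg":"none"}')
    payload = enc(json.dumps({"typ": typ, "azp": CLIENT_ID}).encode())
    return f"{header}.{payload}."
```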