On 29/03/17 13:43, Benjamin Zaitlen wrote:
Any thoughts on this?
--Ben
On Fri, Mar 24, 2017 at 5:20 PM, Benjamin Zaitlen <quasiben(a)gmail.com>
wrote:
> Hi All,
>
> I'm having some trouble with sessions, clients, and offline access
> tokens. Let's say I have a client (APP 1) and I've logged in with OIDC. I
> now have a refresh_token and session for APP 1. Using the auth code flow I
> can generate an offline_access token (refresh_token) for a second client:
> APP 2. When I look in realms/myrealm/account/sessions, I see one
> session but two clients. At first I thought, great! I was able to get the
> auth code flow working and I generated a refresh token for a second client.
>
> But then disaster set in, when I logged out of the APP 1 client with the
> URL: protocol/openid-connect/logout. I was logged out of the session, which
> included the second client, and thus the offline access token for APP 2
> was effectively revoked.
>
> I've seen a handful of JIRAs related to offline access tokens and logouts,
> but I think they don't quite cover this use case. I have two questions:
>
> 1. Is it possible, using the auth code flow, to generate a refresh token
> in a separate session? That is, can APP 1 generate an offline_access token for
> APP 2 in a separate session without re-authenticating?
Once you have logged in to your APP 2, you have both an online session, which is
part of the SSO login (hence you are able to browse APP 2 with your browser),
and an offline session. After login to APP 2, you need to somehow save your
offline token for later use, which is the responsibility of your APP 2.
SSO logout will clear your browser session, but the offline token will
still be valid and can be used for further refreshes. The offline token will
also survive a server restart.
You can take a look at the example in the keycloak-examples distribution
under "preconfigured-demo/offline-access-app", which also does logout
of the browser session (or a server restart), but the offline token is still valid.
>
> 2. Can I logout a specific client for a session by passing additional
> parameters in the logout URL ?
Nope, logout is always a global SSO logout, as it clears the userSession on
the Keycloak side. Assume that when the "global" userSession is not
cleared, then the single logged-out client will still always be able to
log in anytime due to the SSO session, hence logout would be a bit pointless,
though?
Marek
>
> Thanks,
> --Ben
>
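An added inspection helper, not from this thread or from Keycloak's own code, for telling the two token kinds apart that the question conflates: Keycloak issues offline tokens as JWTs whose typ claim is Offline, whereas an ordinary refresh token tied to the browser SSO session carries typ Refresh. The sample tokens are constructed inline; the session_state claim name and the exp of 0 on offline tokens are assumptions about the Keycloak version in use, and the payload is decoded without signature verification, so this is a diagnostic, not a trust decision.

```python
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding first
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def describe_refresh_token(token: str) -> dict:
    """Classify a Keycloak refresh token by its payload claims (unverified).

    Offline tokens survive an SSO logout; ordinary Refresh tokens die with
    the userSession they belong to."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    typ = claims.get("typ")
    exp = claims.get("exp")  # assumption: 0 or absent means no expiry
    return {
        "typ": typ,
        "client": claims.get("azp"),
        "session": claims.get("session_state"),  # assumed claim name
        "offline": typ == "Offline",
        "expires": exp if exp else None,
    }


def survives_sso_logout(token: str) -> bool:
    return describe_refresh_token(token)["offline"]


def _fake_jwt(claims: dict) -> str:
    # Constructed sample: unsigned header and dummy signature, payload only matters
    header = _b64url_encode(json.dumps({"alg": "none"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.sig"


ONLINE_REFRESH = _fake_jwt({"typ": "Refresh", "azp": "app1",
                            "session_state": "s1", "exp": int(time.time()) + 1800})
OFFLINE_REFRESH = _fake_jwt({"typ": "Offline", "azp": "app2",
                             "session_state": "s1", "exp": 0})

if __name__ == "__main__":
    for tok in (ONLINE_REFRESH, OFFLINE_REFRESH):
        print(describe_refresh_token(tok))
```

Both sample tokens share the same session id, which is exactly the "one session, two clients" view from the account page; only the token with typ Offline keeps working after the SSO logout.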