[keycloak-dev] offline access
stian at redhat.com
Wed Apr 1 13:26:06 EDT 2015
I'm not too keen on that idea.
offline is a standard scope in OIDC and an application requests this when first retrieving the token. When an application retrieves a refresh token with the offline scope set it should not be linked with the user session. Instead it should be stored permanently as the application now should have permanent offline access to the user's account. If a user decides to revoke the application's access that should be done by going to the account management console and viewing clients that have access to their account. This page should list all available clients, what clients have persisted grants, as well as what clients have offline access to their account. From the same page they should be able to revoke access from any client.
As user sessions are not persisted they are not suitable to store offline tokens. Offline tokens will often have a very long expiration time, a year or even no expiration time at all (only manual revoking).
----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Wednesday, 1 April, 2015 4:53:45 PM
> Subject: [keycloak-dev] offline access
> Wanted to discuss again how offline access might be implemented. IMO,
> offline access should be a REST api. Clients would request offline
> access and the UserSession would be cloned and the ClientSession would
> be cloned for that particular client. ID, Access token and refresh
> token would also be regenerated and sent back with the response.
> With this approach, the admin console and user account session
> management pages will just work. These pages will just work the way
> they already work with no extra changes.
> Additionally, we would want to allow different session timeouts for
> offline access.
> Bill Burke
> JBoss, a division of Red Hat
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
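As an added illustration (not code from this thread or from Keycloak), a toy Python authorization server modelling the design argued for in the reply above: a refresh token requested with the offline scope is stored in a persisted per-client grant instead of being linked to the user session, so it survives logout, can have a year-long or no expiration, and only disappears when the user revokes that client from the account console listing. The class and field names (AuthServer, RefreshToken, grants) are assumptions made for the illustration.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional
OFFLINE_SCOPE = "offline_access"  # the standard OIDC scope name ("offline" in the mail)

@dataclass
class RefreshToken:
    value: str
    user: str
    client: str
    session_id: Optional[str]    # None: not linked to any user session (offline token)
    expires_at: Optional[float]  # None: never expires, only manual revocation

@dataclass
class AuthServer:  # hypothetical toy server, not Keycloak's implementation
    session_ttl: float = 30 * 60                    # ordinary refresh tokens follow the session
    offline_ttl: Optional[float] = 365 * 24 * 3600  # a year; None means no expiration at all
    sessions: Dict[str, str] = field(default_factory=dict)  # in-memory only, not persisted
    grants: dict = field(default_factory=dict)  # (user, client) -> offline token, persisted store
    tokens: Dict[str, RefreshToken] = field(default_factory=dict)

    def login(self, user: str) -> str:
        sid = secrets.token_hex(8)
        self.sessions[sid] = user
        return sid
    def issue_refresh_token(self, session_id: str, client: str, scope: str) -> str:
        user, now = self.sessions[session_id], time.time()
        if OFFLINE_SCOPE in scope.split():
            exp = None if self.offline_ttl is None else now + self.offline_ttl
            tok = RefreshToken(secrets.token_urlsafe(16), user, client, None, exp)
            self.grants[(user, client)] = tok  # survives logout; what the account console lists
        else:
            tok = RefreshToken(secrets.token_urlsafe(16), user, client, session_id, now + self.session_ttl)
        self.tokens[tok.value] = tok
        return tok.value
    def refresh(self, value: str) -> bool:
        tok = self.tokens.get(value)
        if tok is None or (tok.expires_at is not None and tok.expires_at < time.time()):
            return False
        if tok.session_id is not None:
            return tok.session_id in self.sessions     # dies with the user session
        return (tok.user, tok.client) in self.grants   # lives until revoked by the user
    def logout(self, session_id: str) -> None:
        self.sessions.pop(session_id, None)
    def clients_with_offline_access(self, user: str) -> list:
        return sorted(c for (u, c) in self.grants if u == user)
    def revoke_client(self, user: str, client: str) -> None:
        tok = self.grants.pop((user, client), None)
        if tok is not None:
            self.tokens.pop(tok.value, None)
```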