[keycloak-dev] offline access

Stian Thorgersen stian at redhat.com
Thu Apr 2 07:52:54 EDT 2015


Had an idea about offline tokens.

When a user grants a client access we need to start persisting that so we don't ask the user again and again for the same permissions to be given to the application. This has to be stored permanently and not in user session. That's the mechanism we should use for offline tokens.

When a user grants an application offline access that grant is persisted. This should be a special role. The grant should have an id and consist of: grant_id, user_id, client_id, role_id. If a refresh token has the offline scope it doesn't have to refer to a user session (or client session). Instead all the required information should be kept in the refresh token. The refresh token has a reference to the grant_id. If the grant with the specific grant_id exists we know the user hasn't revoked the access for the application. If it doesn't exist we know the user has revoked the access and the "offline" refresh token is invalid.

----- Original Message -----
> From: "Stian Thorgersen" <stian at redhat.com>
> To: "Bill Burke" <bburke at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Wednesday, 1 April, 2015 7:26:06 PM
> Subject: Re: [keycloak-dev] offline access
> 
> I'm not too keen on that idea.
> 
> offline is a standard scope in OIDC and an application requests this when
> first retrieving the token. When an application retrieves a refresh token
> with the offline scope set it should not be linked with the user session.
> Instead it should be stored permanently as the application now should have
> permanent offline access to the users account. If a user decides to revoke
> the applications access that should be done by going to the account
> management console and viewing clients that have access to their account.
> This page should list all available clients, what clients have persisted
> grants, as well as what clients have offline access to their account. From
> the same page they should be able to revoke access from any client.
> 
> As user sessions are not persisted they are not suitable to store offline
> tokens. Offline tokens will often have a very long expiration time, a year
> or even no expiration time at all (only manual revoking).
> 
> ----- Original Message -----
> > From: "Bill Burke" <bburke at redhat.com>
> > To: keycloak-dev at lists.jboss.org
> > Sent: Wednesday, 1 April, 2015 4:53:45 PM
> > Subject: [keycloak-dev] offline access
> > 
> > Wanted to discuss again how offline access might be implemented.  IMO,
> > offline access should be a REST API.  Clients would request offline
> > access and the UserSession would be cloned and the ClientSession would
> > be cloned for that particular client.  ID, Access token and refresh
> > token would also be regenerated and sent back with the response.
> > 
> > With this approach, the admin console and user account session
> > management pages will just work.  These pages will just work the way
> > they already work with no extra changes.
> > 
> > Additionally, we would want to allow different session timeouts for
> > offline access.
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > 
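The grant-backed offline token sketched in the message at the top of this thread, worked through as an added example (this is not Keycloak's code, nor code from the thread). It models both token kinds side by side: a normal refresh token that references a volatile user session, and an offline refresh token that carries no session reference and instead points at a persisted grant of (grant_id, user_id, client_id, role_id). Refreshing an offline token succeeds exactly while that grant row exists; revoking the client's access from the account console deletes the row and the token is dead, however long its lifetime. Assumptions: the token format is a simple HMAC-SHA256 "body.mac" string rather than a JWT, the names OfflineGrantStore, AuthServer, demo and the 10-hour session lifespan are hypothetical, the user and client ids are constructed, and the scope value is the OIDC one, offline_access.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SERVER_KEY = b"constructed-demo-hmac-key-not-for-production"  # constructed key
OFFLINE_SCOPE = "offline_access"      # OIDC scope value for offline access
SESSION_MAX_LIFESPAN = 10 * 60 * 60   # assumed 10h user session limit (demo value)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict) -> str:
    """Compact 'body.mac' token: HMAC-SHA256 over the JSON claims (stand-in for a JWT)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())}"


def verify_token(token: str) -> dict:
    """Constant-time MAC check; raises ValueError on a tampered or forged token."""
    body, mac = token.split(".", 1)
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(mac)):
        raise ValueError("refresh token signature invalid")
    return json.loads(_unb64(body))


class OfflineGrantStore:
    """Persisted grants (grant_id -> user_id, client_id, role_id); hypothetical name.
    Lives in the database, not in the user session, so only revocation removes it."""

    def __init__(self):
        self._grants = {}

    def create(self, user_id, client_id, role_id="offline_access"):
        grant_id = secrets.token_hex(8)
        self._grants[grant_id] = {"user_id": user_id, "client_id": client_id, "role_id": role_id}
        return grant_id

    def is_active(self, grant_id, user_id, client_id):
        g = self._grants.get(grant_id)
        # Bind the grant to the token's subject and client, not only to its id.
        return g is not None and g["user_id"] == user_id and g["client_id"] == client_id

    def revoke_client(self, user_id, client_id):
        """What the account console's 'revoke access' action would call."""
        doomed = [gid for gid, g in self._grants.items()
                  if g["user_id"] == user_id and g["client_id"] == client_id]
        for gid in doomed:
            del self._grants[gid]
        return len(doomed)


class AuthServer:
    """Hypothetical server holding in-memory user sessions plus the grant store."""

    def __init__(self):
        self.sessions = {}   # session_id -> {user_id, started}; volatile
        self.grants = OfflineGrantStore()

    def login(self, user_id, now):
        session_id = secrets.token_hex(8)
        self.sessions[session_id] = {"user_id": user_id, "started": now}
        return session_id

    def issue_refresh_token(self, session_id, client_id, scopes, now):
        user_id = self.sessions[session_id]["user_id"]
        if OFFLINE_SCOPE in scopes:
            # Offline token: no session reference; the grant_id is the revocation handle.
            grant_id = self.grants.create(user_id, client_id)
            claims = {"typ": "offline", "sub": user_id, "azp": client_id,
                      "grant_id": grant_id, "iat": now}
        else:
            claims = {"typ": "refresh", "sub": user_id, "azp": client_id,
                      "session_id": session_id, "iat": now}
        return sign_token(claims)

    def expire_sessions(self, now):
        """Drop sessions past SESSION_MAX_LIFESPAN (same effect as a server restart)."""
        self.sessions = {sid: s for sid, s in self.sessions.items()
                         if now - s["started"] < SESSION_MAX_LIFESPAN}

    def refresh(self, token, now):
        """Return new access-token claims, or raise PermissionError."""
        claims = verify_token(token)
        if claims["typ"] == "offline":
            if not self.grants.is_active(claims["grant_id"], claims["sub"], claims["azp"]):
                raise PermissionError("offline grant revoked")
        else:
            session = self.sessions.get(claims["session_id"])
            if session is None or session["user_id"] != claims["sub"]:
                raise PermissionError("user session gone")
        return {"sub": claims["sub"], "azp": claims["azp"], "iat": now, "exp": now + 300}


def demo():
    """Session-bound vs offline refresh token across a year and a revocation."""
    srv, t0, out = AuthServer(), time.time(), {}
    sid = srv.login("alice", t0)                                  # constructed user
    online = srv.issue_refresh_token(sid, "webapp", {"openid"}, t0)
    offline = srv.issue_refresh_token(sid, "backup-agent", {"openid", OFFLINE_SCOPE}, t0)
    out["online_now"] = srv.refresh(online, t0)["sub"]
    later = t0 + 365 * 24 * 3600                                  # a year later
    srv.expire_sessions(later)
    try:
        srv.refresh(online, later)
        out["online_later"] = "ok"
    except PermissionError as e:
        out["online_later"] = str(e)
    out["offline_later"] = srv.refresh(offline, later)["sub"]     # still valid
    out["revoked"] = srv.grants.revoke_client("alice", "backup-agent")
    try:
        srv.refresh(offline, later)
        out["offline_after_revoke"] = "ok"
    except PermissionError as e:
        out["offline_after_revoke"] = str(e)
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check in `is_active` compares the grant's user_id and client_id against the token's `sub` and `azp`, not just the grant_id, so a token cannot be replayed against a grant that belongs to another client; the MAC stops a client from editing the grant_id claim to point at someone else's grant in the first place.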

