[keycloak-dev] offline access

Marek Posolda mposolda at redhat.com
Fri Apr 3 10:02:04 EDT 2015 

Maybe we should use name "offline tokens" to not confuse them with 
classic "refresh tokens" ? Refresh tokens are used to refresh access 
token and they are always tight to user session, when "offline tokens" 
are not tight to user session.

Also IMO it should be possible that user grants access to client for 
store offline tokens in account management, not just on consent screen 
after login.

I think one of the important usecases for offline tokens would be long 
running non-web services (For example daemon service, which is running 
in background and doing periodic task on behalf of user once per day). 
Hence we should have possibility to grant offline tokens also to non-web 
applications (in other words, via Direct Access Grant). In this case, 
user might need to grant the access to the application in advance via 
Account mgmt.

Marek

On 2.4.2015 13:52, Stian Thorgersen wrote:
> Had an idea about offline tokens.
>
> When a user grants a client access we need to start persisting that so we don't ask the user again and again for the same permissions to be given to the application. This has to be stored permanently and not in user session. That's the mechanism we should use for offline tokens.
>
> When a user grants an application offline access that grant is persisted. This should be a special role. The grant should have an id and consist of: grant_id, user_id, client_id, role_id. If a refresh token has the offline scope it doesn't have to refer to a user session (or client session). Instead all the required information should be kept in the refresh token. The refresh token has a reference to the grant_id. If the grant with the specific grant_id exists we know the user hasn't revoked the access for the application. If it doesn't exist we know the user has revoked the access and the "offline" refresh token is invalid.
>
> ----- Original Message -----
>> From: "Stian Thorgersen" <stian at redhat.com>
>> To: "Bill Burke" <bburke at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Wednesday, 1 April, 2015 7:26:06 PM
>> Subject: Re: [keycloak-dev] offline access
>>
>> I'm not to keen on that idea.
>>
>> offline is a standard scope in OIDC and an application requests this when
>> first retrieving the token. When an application retrieves a refresh token
>> with the offline scope set it should not be linked with the user session.
>> Instead it should be stored permanently as the application now should have
>> permanent offline access to the users account. If a user decides to revoke
>> the applications access that should be done by going to the account
>> management console and viewing client that have access to their account.
>> This page should list all available clients, what clients have persisted
>> grants, as well as what clients have offline access to their account. From
>> the same page they should be able to revoke access from any client.
>>
>> As user sessions are not persisted they are not suitable to store offline
>> tokens. Offline tokens will often have a very long expiration time, a year
>> or even no expiration time at all (only manual revoking).
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke at redhat.com>
>>> To: keycloak-dev at lists.jboss.org
>>> Sent: Wednesday, 1 April, 2015 4:53:45 PM
>>> Subject: [keycloak-dev] offline access
>>>
>>> Wanted to discuss again how offline access might be implemented.  IMO,
>>> offline access should be a REST api.  Clients would request offline
>>> access and the UserSession would be cloned and the ClientSession would
>>> be cloned for that particular client.  ID, Access token and refresh
>>> token would also be regenerated and sent back with the response.
>>>
>>> With this approach, the admin console and user account session
>>> management pages will just work.  These pages will just work they way
>>> they already work with no extra changes.
>>>
>>> Additionally, we would want to allow different session timeouts for
>>> offline access.
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

More information about the keycloak-dev mailing list