[keycloak-dev] offline access
Bill Burke
bburke at redhat.com
Thu Apr 9 09:02:42 EDT 2015
On 4/9/2015 8:01 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Marek Posolda" <mposolda at redhat.com>
>> To: "Stian Thorgersen" <stian at redhat.com>, "Bill Burke" <bburke at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Friday, 3 April, 2015 4:02:04 PM
>> Subject: Re: [keycloak-dev] offline access
>>
>> Maybe we should use the name "offline tokens" to not confuse them with
>> classic "refresh tokens"? Refresh tokens are used to refresh the access
>> token and they are always tied to a user session, whereas "offline tokens"
>> are not tied to a user session.
>
> I don't think there's anything in OpenID Connect that ties a refresh token to a user session, that's just what we've done.
>
> See http://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
>
That's not the way I read it. There wouldn't be a section within OIDC
about offline access if the refresh token wasn't assumed to be a part of
a session. IMO, "offline" is really just a persisted user/client
session. It is governed by the same exact rules as regular user
sessions. A client just needs permission to do it. You would need to
store the same exact metadata for "offline" sessions as you would for
"online" ones. What additional information is needed for "offline"?
Again, this boils down in my opinion to just the current user session
being cloned into a persisted "offline" session.
Admin console screens should be the same for "offline" and user
sessions. Main realm session screen has list of applications and the
number of their online and offline sessions. Same with the
application's session page.
The user session page has a list of sessions with an "offline" column
checked on or off. This is the same for user account page.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
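The model Bill sketches above, worked through as an added Python example (this is not Keycloak code and not part of the thread): refresh tokens are single-use handles onto a session, an online session dies at logout, a client that is permitted to ask for the OpenID Connect `offline_access` scope gets a persisted clone of its session with the same metadata, and the per-client and per-user views only count and flag sessions. The class and method names (`Realm`, `allow_offline`, `session_counts`, `user_sessions`) and the per-client permission flag are assumptions made for the illustration.

```python
"""Refresh tokens tied to sessions versus persisted "offline" sessions.

Added illustration for the discussion above; not Keycloak's implementation.
Realm, allow_offline, session_counts, user_sessions and the per-client
offline permission are names assumed for this example.
"""
import secrets
from dataclasses import dataclass

# Scope name defined in OpenID Connect Core 1.0, section "Offline Access".
OFFLINE_ACCESS = "offline_access"


@dataclass
class Session:
    id: str
    user: str
    client: str
    offline: bool       # persisted clone that survives the user's logout
    refreshes: int = 0  # same bookkeeping for online and offline sessions


class Realm:
    """In-memory session store plus a minimal refresh-token issuer."""

    def __init__(self):
        self.sessions = {}             # session id -> Session
        self.refresh_tokens = {}       # refresh token -> session id
        self.offline_clients = set()   # clients allowed to request offline_access (assumed flag)

    def allow_offline(self, client):
        self.offline_clients.add(client)

    def login(self, user, client, scopes=("openid",)):
        """Create an online session; with offline_access also clone it into an
        offline session and hand back the token bound to that clone."""
        wants_offline = OFFLINE_ACCESS in scopes
        if wants_offline and client not in self.offline_clients:
            # Refused before any session exists: the client lacks permission.
            raise PermissionError(f"client {client!r} may not request {OFFLINE_ACCESS}")
        online = Session(secrets.token_hex(8), user, client, offline=False)
        self.sessions[online.id] = online
        if not wants_offline:
            return self._issue(online)
        # Identical metadata; only persistence across logout differs.
        offline = Session(secrets.token_hex(8), user, client, offline=True)
        self.sessions[offline.id] = offline
        return self._issue(offline)

    def _issue(self, session):
        token = secrets.token_urlsafe(24)
        self.refresh_tokens[token] = session.id
        return token

    def refresh(self, token):
        """Exchange a refresh token for a new one. The token is single use and
        the session it points at must still exist, online or offline."""
        session_id = self.refresh_tokens.pop(token, None)
        session = self.sessions.get(session_id)
        if session is None:
            raise PermissionError("refresh token is not tied to a live session")
        session.refreshes += 1
        return self._issue(session)

    def logout(self, user):
        """End the user's online sessions; offline sessions are left alone."""
        for sid in [s.id for s in self.sessions.values() if s.user == user and not s.offline]:
            del self.sessions[sid]

    def revoke_offline(self, user, client):
        """What an admin or the account page does to drop an offline session."""
        for sid in [s.id for s in self.sessions.values()
                    if s.user == user and s.client == client and s.offline]:
            del self.sessions[sid]

    def session_counts(self, client):
        """(online, offline) counts for the per-client sessions screen."""
        mine = [s for s in self.sessions.values() if s.client == client]
        offline = sum(1 for s in mine if s.offline)
        return len(mine) - offline, offline

    def user_sessions(self, user):
        """Rows for the user sessions screen: (client, offline column)."""
        return sorted((s.client, s.offline) for s in self.sessions.values() if s.user == user)


def try_refresh(realm, token):
    """Return the rotated token, or None when the realm refuses the refresh."""
    try:
        return realm.refresh(token)
    except PermissionError:
        return None


if __name__ == "__main__":
    realm = Realm()
    realm.allow_offline("mobile-app")
    web = realm.login("alice", "web-app")
    mobile = realm.login("alice", "mobile-app", scopes=("openid", OFFLINE_ACCESS))
    realm.logout("alice")
    print("web refresh after logout:", try_refresh(realm, web))        # None
    print("offline refresh after logout:", try_refresh(realm, mobile) is not None)  # True
```

The only place the two kinds of session differ in this model is `logout`; every other path, including rotation, revocation and the admin screens, treats them identically, which is the point being argued above.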