[keycloak-dev] Identity Brokering token storage and retrieval
mposolda at redhat.com
Thu Apr 23 05:31:25 EDT 2015
On 23.4.2015 07:52, Stian Thorgersen wrote:
> Any comments on this?
> ----- Original Message -----
>> From: "Stian Thorgersen" <stian at redhat.com>
>> To: "keycloak dev" <keycloak-dev at lists.jboss.org>
>> Sent: Monday, 20 April, 2015 9:08:13 AM
>> Subject: [keycloak-dev] Identity Brokering token storage and retrieval
>> We've already discussed this, but didn't come to a conclusion.
>> There's two separate use-cases to consider:
>> 1. Authentication
>> 2. Offline access
>> For simplicity the examples below assumes OpenID Connect, but same logic
>> applies to SAML.
>> In this case user authenticates using an external IdP. After the user has
>> authenticated the access and refresh (if available) tokens are stored in
>> user session. Tokens are automatically refreshed by Keycloak to support
>> brokered log out. In this case an application can only retrieve an access
>> token for the identity provider that was used to authenticate the user.
>> Offline access
>> In this case we should add the option "offline access" to the provider
>> config. When enabled we add "offline" to the requested scope. When a user
>> first logs in or links through account mngmt we store the refresh token (aka
>> "offline token") in the user store. As this is a long term token I don't see
>> any problems using the user store for it. In this case an application can
>> retrieve an access token for the identity provider that was used to
>> authenticate the user, but also for an identity providers what have "offline
>> access" enabled and there's an token store in the user store. One issue with
>> this approach is that brokered log out doesn't work. A potential solution to
>> that is that we only request offline access when linking the account, but
>> during authentication don't add the offline scope and use the process from
>> the first use-case.
I believe that brokered logout will work as long as we store the flag on
UserSession specifying which identity provider was used to authenticate
the user in particular session?
For example if Google was used to authenticate user and Google offline
token was obtained during this authentication, then Keycloak logout will
propagate logout to the Google provider and invalidate Google offline
token as well. But if Google wasn't used for authenticating user in that
particular session (user already had offline Google token linked
previously to his account), then Keycloak logout won't propagate logout
to the Google and won't invalidate offline token.
>> Token retrieval
>> We add a "token service" client to Keycloak that has a "retrieve token" role
>> for each provider. For an application to be able to retrieve the token the
>> user has to have a role mapping on this role and the client has to have a
>> scope on it as well. This results in using standard roles, scopes and
>> consent screens instead of a different mechanism.
>> For 1.2.0 we should only add support for the "Authentication" use case. I
>> believe we pretty much already have this as Bill did this to support
>> brokered log out. Only thing we need to change is how we manage if a client
>> has access to retrieve the token or not. We should just jira the other
>> use-case and add if it's requested by users.
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
More information about the keycloak-dev