[keycloak-dev] Identity Brokering token storage and retrieval

Stian Thorgersen stian at redhat.com
Thu Apr 23 06:40:31 EDT 2015 


----- Original Message -----
> From: "Marek Posolda" <mposolda at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>, "keycloak dev" <keycloak-dev at lists.jboss.org>, "Bill Burke"
> <bburke at redhat.com>
> Sent: Thursday, 23 April, 2015 11:31:25 AM
> Subject: Re: [keycloak-dev] Identity Brokering token storage and retrieval
> 
> On 23.4.2015 07:52, Stian Thorgersen wrote:
> > Any comments on this?
> >
> > ----- Original Message -----
> >> From: "Stian Thorgersen" <stian at redhat.com>
> >> To: "keycloak dev" <keycloak-dev at lists.jboss.org>
> >> Sent: Monday, 20 April, 2015 9:08:13 AM
> >> Subject: [keycloak-dev] Identity Brokering token storage and retrieval
> >>
> >> We've already discussed this, but didn't come to a conclusion.
> >>
> >> There's two separate use-cases to consider:
> >>
> >> 1. Authentication
> >> 2. Offline access
> >>
> >> For simplicity the examples below assumes OpenID Connect, but same logic
> >> applies to SAML.
> >>
> >>
> >> Authentication
> >> --------------
> >> In this case user authenticates using an external IdP. After the user has
> >> authenticated the access and refresh (if available) tokens are stored in
> >> user session. Tokens are automatically refreshed by Keycloak to support
> >> brokered log out. In this case an application can only retrieve an access
> >> token for the identity provider that was used to authenticate the user.
> >>
> >>
> >> Offline access
> >> --------------
> >> In this case we should add the option "offline access" to the provider
> >> config. When enabled we add "offline" to the requested scope. When a user
> >> first logs in or links through account mngmt we store the refresh token
> >> (aka
> >> "offline token") in the user store. As this is a long term token I don't
> >> see
> >> any problems using the user store for it. In this case an application can
> >> retrieve an access token for the identity provider that was used to
> >> authenticate the user, but also for an identity providers what have
> >> "offline
> >> access" enabled and there's an token store in the user store. One issue
> >> with
> >> this approach is that brokered log out doesn't work. A potential solution
> >> to
> >> that is that we only request offline access when linking the account, but
> >> during authentication don't add the offline scope and use the process from
> >> the first use-case.
> I believe that brokered logout will work as long as we store the flag on
> UserSession specifying which identity provider was used to authenticate
> the user in particular session?
> 
> For example if Google was used to authenticate user and Google offline
> token was obtained during this authentication, then Keycloak logout will
> propagate logout to the Google provider and invalidate Google offline
> token as well. But if Google wasn't used for authenticating user in that
> particular session (user already had offline Google token linked
> previously to his account), then Keycloak logout won't propagate logout
> to the Google and won't invalidate offline token.

I don't think we should invalidate an offline token on logout. That should only be done by unlinking in the account management.

We could request offline scope online when linking, which is stored in user store. If someone logs in with the same provider we don't request offline and store that token in user session.

> >>
> >>
> >> Token retrieval
> >> ---------------
> >> We add a "token service" client to Keycloak that has a "retrieve token"
> >> role
> >> for each provider. For an application to be able to retrieve the token the
> >> user has to have a role mapping on this role and the client has to have a
> >> scope on it as well. This results in using standard roles, scopes and
> >> consent screens instead of a different mechanism.
> +1
> 
> Marek
> >>
> >>
> >> For 1.2.0 we should only add support for the "Authentication" use case. I
> >> believe we pretty much already have this as Bill did this to support
> >> brokered log out. Only thing we need to change is how we manage if a
> >> client
> >> has access to retrieve the token or not. We should just jira the other
> >> use-case and add if it's requested by users.
> >>
> >> _______________________________________________
> >> keycloak-dev mailing list
> >> keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 
>

More information about the keycloak-dev mailing list