[keycloak-dev] Identity Brokering token storage and retrieval
Marek Posolda
mposolda at redhat.com
Thu Apr 23 12:53:43 EDT 2015
On 23.4.2015 16:30, Bill Burke wrote:
>
>
> On 4/23/2015 10:12 AM, Stian Thorgersen wrote:
>>
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke at redhat.com>
>>> To: "Stian Thorgersen" <stian at redhat.com>, "Marek Posolda"
>>> <mposolda at redhat.com>
>>> Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
>>> Sent: Thursday, 23 April, 2015 3:07:21 PM
>>> Subject: Re: [keycloak-dev] Identity Brokering token storage and
>>> retrieval
>>>
>>>
>>>
>>> On 4/23/2015 6:40 AM, Stian Thorgersen wrote:
>>>>
>>>>
>>>> ----- Original Message -----
>>>>> From: "Marek Posolda" <mposolda at redhat.com>
>>>>> To: "Stian Thorgersen" <stian at redhat.com>, "keycloak dev"
>>>>> <keycloak-dev at lists.jboss.org>, "Bill Burke"
>>>>> <bburke at redhat.com>
>>>>> Sent: Thursday, 23 April, 2015 11:31:25 AM
>>>>> Subject: Re: [keycloak-dev] Identity Brokering token storage and
>>>>> retrieval
>>>>>
>>>>> On 23.4.2015 07:52, Stian Thorgersen wrote:
>>>>>> Any comments on this?
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>> From: "Stian Thorgersen" <stian at redhat.com>
>>>>>>> To: "keycloak dev" <keycloak-dev at lists.jboss.org>
>>>>>>> Sent: Monday, 20 April, 2015 9:08:13 AM
>>>>>>> Subject: [keycloak-dev] Identity Brokering token storage and
>>>>>>> retrieval
>>>>>>>
>>>>>>> We've already discussed this, but didn't come to a conclusion.
>>>>>>>
>>>>>>> There's two separate use-cases to consider:
>>>>>>>
>>>>>>> 1. Authentication
>>>>>>> 2. Offline access
>>>>>>>
>>>>>>> For simplicity the examples below assumes OpenID Connect, but
>>>>>>> same logic
>>>>>>> applies to SAML.
>>>>>>>
>>>>>>>
>>>>>>> Authentication
>>>>>>> --------------
>>>>>>> In this case user authenticates using an external IdP. After the
>>>>>>> user
>>>>>>> has
>>>>>>> authenticated the access and refresh (if available) tokens are
>>>>>>> stored in
>>>>>>> user session. Tokens are automatically refreshed by Keycloak to
>>>>>>> support
>>>>>>> brokered log out. In this case an application can only retrieve an
>>>>>>> access
>>>>>>> token for the identity provider that was used to authenticate
>>>>>>> the user.
>>>>>>>
>>>>>>>
>>>>>>> Offline access
>>>>>>> --------------
>>>>>>> In this case we should add the option "offline access" to the
>>>>>>> provider
>>>>>>> config. When enabled we add "offline" to the requested scope.
>>>>>>> When a
>>>>>>> user
>>>>>>> first logs in or links through account mngmt we store the
>>>>>>> refresh token
>>>>>>> (aka
>>>>>>> "offline token") in the user store. As this is a long term token
>>>>>>> I don't
>>>>>>> see
>>>>>>> any problems using the user store for it. In this case an
>>>>>>> application
>>>>>>> can
>>>>>>> retrieve an access token for the identity provider that was used to
>>>>>>> authenticate the user, but also for an identity providers what have
>>>>>>> "offline
>>>>>>> access" enabled and there's an token store in the user store.
>>>>>>> One issue
>>>>>>> with
>>>>>>> this approach is that brokered log out doesn't work. A potential
>>>>>>> solution
>>>>>>> to
>>>>>>> that is that we only request offline access when linking the
>>>>>>> account,
>>>>>>> but
>>>>>>> during authentication don't add the offline scope and use the
>>>>>>> process
>>>>>>> from
>>>>>>> the first use-case.
>>>>> I believe that brokered logout will work as long as we store the
>>>>> flag on
>>>>> UserSession specifying which identity provider was used to
>>>>> authenticate
>>>>> the user in particular session?
>>>>>
>>>>> For example if Google was used to authenticate user and Google
>>>>> offline
>>>>> token was obtained during this authentication, then Keycloak
>>>>> logout will
>>>>> propagate logout to the Google provider and invalidate Google offline
>>>>> token as well. But if Google wasn't used for authenticating user
>>>>> in that
>>>>> particular session (user already had offline Google token linked
>>>>> previously to his account), then Keycloak logout won't propagate
>>>>> logout
>>>>> to the Google and won't invalidate offline token.
>>>>
>>>> I don't think we should invalidate an offline token on logout. That
>>>> should
>>>> only be done by unlinking in the account management.
>>>>
>>>> We could request offline scope online when linking, which is stored
>>>> in user
>>>> store. If someone logs in with the same provider we don't request
>>>> offline
>>>> and store that token in user session.
>>>>
>>>
>>> If offline is implemented as a persisted clone of UserSession, then
>>> there is no extra work to be done. UserSession already stores the
>>> broker that logged in the user. note.BROKER_PROVIDER_ID.
>>
>> There's two separate "offline" though:
>>
>> 1. App request offline access from Keycloak - this one makes with
>> persisted clone of UserSession
>> 2. Keycloak requests offline token from external IdP - how would this
>> work with persisted clone of UserSession?
>>
>
> Why would Keycloak ever want an offline token? Or an offline token
> not associated with a UserSession? They only thing I could think of
> is if you want to bypass logging into the external IDP.
>
> FYI, I think you're getting into some extreme edge cases. Something I
> have no interest in implementing.
>
I think it is about the possibility to use all the 3rd party tokens in
one application. For example I have application secured by Keycloak,
which wants to display list of my friends from Facebook and also from
Google. On Monday I login into the application through Google. On
Tuesday I login into that application from Facebook, but I still want to
display my friends from both Facebook and Google. So application would
need to have possibility to reuse the token obtained from Google the
previous day.
Note that I want offline token from Google, but I don't need offline
UserSession from Keycloak itself. Both Keycloak sessions from Monday and
Tuesday are short lived (ie. I spent just 5 minutes playing with my
application every day)
Marek
More information about the keycloak-dev
mailing list