[keycloak-dev] Offline tokens

Stian Thorgersen stian at redhat.com
Mon Aug 31 05:37:13 EDT 2015



----- Original Message -----
> From: "Marek Posolda" <mposolda at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Friday, 21 August, 2015 1:30:16 PM
> Subject: [keycloak-dev] Offline tokens
> 
> Some thoughts around offline tokens impl:
> 
> - Client has switch "Allow offline tokens". Offline token can be
> requested just if the switch is enabled
> 
> - Offline token can be requested if parameter "scope=offline" is sent.
> Offline token is sent alone, no IDToken or refreshToken is sent together
> with it.
> Question: Should offline tokens be available just for
> ResourceOwnerPasswordCredentials and ServiceAccounts or also for classic
> web based authorization code flow?

An offline token is just a refresh token, but without any expiration. For an offline token the response should be exactly the same as a non-offline token, except the refresh token has no expiration time.

> 
> - There are methods on UserModel to track which offline tokens were
> issued for particular user. Like:
> 
> List<String> getOfflineTokens();
> void addOfflineToken(String offlineToken);
> void removeOfflineToken(String offlineToken);
> 
> - Offline token will never expire. Or should we eventually add another
> timeout for offline token (With some big default value like 1 month or so)?

Shouldn't expire, it's permanent access until manually revoked.

> 
> - Offline token is not refreshable.

Not sure what you mean, but an offline token is a refresh token without expiration. An offline token should never be sent to a service, instead it should be used to obtain an access token.

> 
> - Offline token can be validated by current OIDC endpoint for token
> validation. Offline token is not valid if UserModel doesn't have token
> anymore on it. But offline token is still valid even if corresponding
> UserSession doesn't exist. So we can still have offline tokens valid for
> 1 year even if SsoSessionMaxLifespan is just 10 hours.

OIDC endpoint for token validation validates an access token, not the refresh token. So I don't think it should be possible to validate it.

> 
> - Offline token can be logged out. Logout will remove offline token from
> corresponding UserModel.

Not sure what this means - an offline token can be revoked by a user. There's no log out as such.

> 
> - In the Account management applications page, the user can see a list of offline
> tokens issued for individual clients and can revoke them. Not sure whether to
> put another "Revoke offline token" or use current "Revoke grant" action,
> which will revoke both consents and offline tokens?

Each application should have a list of what access it has. Where offline access is one of the "permissions" the app has. Each application should have a single button "Revoke application access", which removes grants as well as invalidates all offline tokens.

> 
> - Admin can see the offline tokens for user in admin console and can
> revoke them too. Current button "Logout All" in sessions tab will
> revoke offline tokens from all users. For performance reasons, we may
> need method on UserProvider, so it's possible to clean whole DB table
> "OFFLINE_TOKEN" (similarly for mongo) instead of iterating through all
> users.

"Logout All" in sessions tab should not revoke offline tokens.

> 
> - For adapters, we should likely have an option, so the REST endpoint
> adapter has the possibility to validate offline token by always sending
> validation request to KC server. We didn't need it for access tokens,
> which are valid just for 1 minute or so, but offline tokens are long
> lived so adapter should have this possibility IMO.

Again, offline tokens should not be sent to services. Instead they should send access tokens that are obtained from an offline token.

> 
> WDYT?
> 
> Marek
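The token model Stian describes above, as an added illustration that is not Keycloak code: an in-memory issuer where an offline token is a refresh token with no expiry, recorded on the user so it can be revoked per application, and a service that accepts only short-lived access tokens and never a refresh or offline token. The function names, the `typ` values and the `scope=offline` parameter (as named in the thread) are assumptions for this example.

```python
import secrets
import time

# Constructed in-memory state standing in for UserModel / token storage (not Keycloak's).
users = {}            # username -> list of issued offline tokens (UserModel.getOfflineTokens)
tokens = {}           # token string -> {"typ", "sub", "azp", "exp"}
ACCESS_LIFESPAN = 60  # seconds; access tokens stay short-lived even for offline clients

def _issue(user, client, typ, exp):
    tok = secrets.token_urlsafe(16)
    tokens[tok] = {"typ": typ, "sub": user, "azp": client, "exp": exp}
    return tok

def token_endpoint(user, client, offline_allowed, scope=""):
    """Initial grant: same response shape either way; only the refresh token's expiry differs."""
    wants_offline = "offline" in scope.split()
    if wants_offline and not offline_allowed:
        raise PermissionError("client does not allow offline tokens")
    now = time.time()
    access = _issue(user, client, "Bearer", now + ACCESS_LIFESPAN)
    if wants_offline:
        refresh = _issue(user, client, "Offline", None)        # no expiration
        users.setdefault(user, []).append(refresh)             # UserModel.addOfflineToken
    else:
        refresh = _issue(user, client, "Refresh", now + 1800)  # bounded by session lifespan
    return {"access_token": access, "refresh_token": refresh}

def refresh_grant(refresh_token):
    """Exchange a (possibly offline) refresh token for a new short-lived access token."""
    rec = tokens.get(refresh_token)
    if rec is None or rec["typ"] not in ("Refresh", "Offline"):
        raise PermissionError("not a refresh token")
    if rec["typ"] == "Offline" and refresh_token not in users.get(rec["sub"], []):
        raise PermissionError("offline token revoked")         # removed from UserModel
    if rec["exp"] is not None and rec["exp"] < time.time():
        raise PermissionError("refresh token expired")
    return _issue(rec["sub"], rec["azp"], "Bearer", time.time() + ACCESS_LIFESPAN)

def revoke_application_access(user, client):
    """Account page 'Revoke application access': drop every offline token issued to that client."""
    for tok in list(users.get(user, [])):
        if tokens[tok]["azp"] == client:
            users[user].remove(tok)                            # UserModel.removeOfflineToken

def service_accepts(token):
    """Resource server check: only unexpired access tokens; refresh/offline tokens are rejected."""
    rec = tokens.get(token)
    return rec is not None and rec["typ"] == "Bearer" and rec["exp"] > time.time()
```

Note that revocation only stops new access tokens from being minted; an access token already issued stays usable until its own short lifespan ends.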

