[keycloak-dev] apps access to and refresh of facebook tokens

Bill Burke bburke at redhat.com
Thu Feb 26 12:09:09 EST 2015



On 2/26/2015 11:09 AM, Pedro Igor Silva wrote:
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Thursday, February 26, 2015 12:42:19 PM
>> Subject: [keycloak-dev] apps access to and refresh of facebook tokens
>>
>> At least for openid connect, I think we hashed this through on our dev
>> call today.
>>
>> * There will be a Protocol Claim Mapper that can add a facebook token
>> and expiration claim to the application's access token.
>
> I would create a specific claim set for that instead of individual claims. Something like:
>
> "k_act" : {
>      "identity-provider": {
>          "id" : "facebook",
>          "access_token": "12312312",
>          "expires": "12312321"
>      }
> }
>
> (k_act : keycloak authentication context)
>
> That way we can use this k_act for exchange information regarding the authentication context when issuing access tokens or even id tokens.
>

Yeah, token mapping will be able to generate any JSON you want.

>> * the refreshToken endpoint will accept a "scope" parameter.  The
>> application can then request the refresh of any external token by
>> specifying this token in the "scope" parameter.
>
> I was thinking about adding a refreshToken endpoint to the identity broker. Isn't it better?
>

A different endpoint would require the identity broker to know if the 
app has permission to request it. Also, with my idea, you can refresh 
multiple things with one request.

From an application perspective we can provide a 
KeycloakSecurityContext.refreshToken(String... scope) method, then the 
app has one place to request the refresh of one or more claims.

i.e.

token = context.refreshToken("facebook", "google");

String facebookToken = token.getClaim("broker.facebook.token");


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
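A small model of the design discussed in this message, added here as an example and not Keycloak's own code: a claim mapper that copies a broker token and its expiration into the application's access token, and a refresh endpoint that takes a scope of broker names, checks the client's permission for every requested broker before refreshing any of them, and refreshes several external tokens in one request. The permission table, stored tokens, claim names and function names are constructed assumptions.

```python
import time

# Constructed sample data (not from Keycloak): which external brokers each
# client is allowed to read tokens for, and the tokens stored for a user.
CLIENT_BROKER_PERMISSIONS = {
    "my-app": {"facebook", "google"},
    "other-app": {"google"},
}

STORED_BROKER_TOKENS = {
    "facebook": {"access_token": "fb-token-1", "expires": 1000},
    "google": {"access_token": "g-token-1", "expires": 2000},
}


def map_broker_claims(access_token, brokers):
    """Model of the proposed Protocol Claim Mapper: copy the stored external
    token and its expiration into the application's access token as
    broker.<name>.token / broker.<name>.exp claims (hypothetical names)."""
    for name in brokers:
        stored = STORED_BROKER_TOKENS[name]
        access_token["broker.%s.token" % name] = stored["access_token"]
        access_token["broker.%s.exp" % name] = stored["expires"]
    return access_token


def refresh_with_scope(client_id, scope, now=None):
    """Model of the refresh endpoint accepting a space-separated scope of
    broker names. Every requested broker is checked against the client's
    permissions before anything is refreshed, so the endpoint itself decides
    whether the app may ask, and one request can refresh several tokens."""
    now = int(time.time()) if now is None else now
    requested = scope.split()
    allowed = CLIENT_BROKER_PERMISSIONS.get(client_id, set())
    denied = [b for b in requested if b not in allowed]
    if denied:
        raise PermissionError("client %s may not refresh %s" % (client_id, denied))
    for name in requested:
        stored = STORED_BROKER_TOKENS[name]
        if stored["expires"] <= now:
            # Placeholder for the call to the external provider's refresh flow.
            stored["access_token"] = "%s-token-refreshed" % name
            stored["expires"] = now + 3600
    return map_broker_claims({"sub": "user-1", "azp": client_id}, requested)
```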

