[keycloak-dev] apps access to and refresh of facebook tokens
Marek Posolda
mposolda at redhat.com
Fri Feb 27 11:56:11 EST 2015
As mentioned in other mails, there might be an issue if provider doesn't
support refreshing tokens via out-of-bound request as mentioned in
specs. Which seems to be the case of Facebook:-(
It looks the only possibility to refresh expired FB access token is
browser redirection.
Marek
On 27.2.2015 16:57, Bill Burke wrote:
> On 2/27/2015 1:08 AM, Stian Thorgersen wrote:
>> I just think we're making something quite simple into something a lot more complex for no benefit.
>>
> I think you are making our design more complex or less performant than
> it needs to be. I don't want a specific endpoint just to refresh a
> token for a specific broker. We're also going to want to embed nested
> access tokens for specific keycloak nested application invocations. I
> don't want a separate REST service just for that too.
>
> I also want nested REST invocations to work without having to invoke on
> the auth server for every request. The access token should have
> everything the application needs so that it can reduce traffic with the
> server. What if a stateless, bearer-only REST services needs the
> facebook token? If we're talking Javascript apps, then the backend will
> be entirely bearer-only stateless REST services.
>
> I don't want to require adapter specific configuration.
>
> I the vast majority of cases, I think facebook token refreshing can be
> handled automatically by the adapter and the auth-server-side configured
> token policies. We can make the facebook token policy have different
> configuration options to:
>
> * never to refresh the token
> * modify the access token's expiration to sync with the facebook one.
>
> We could add a "scope" parameter to refreshToken endpoint to give a hint
> to the facebook token policy on whether it needs to refresh or not.
>
> Finally, every refreshAccessToken invocation gives the auth-server the
> opportunity to recheck revocation policies and upgrade/downgrade the
> user's and application's permissions.
>
More information about the keycloak-dev
mailing list