[keycloak-dev] apps access to and refresh of facebook tokens
Marek Posolda
mposolda at redhat.com
Mon Mar 2 07:27:20 EST 2015
On 27.2.2015 18:23, Bill Burke wrote:
> A few more thoughts:
>
> * Why wouldn't we just ask for long-lived tokens with a social login?
> Why wouldn't we set the max SSO session to be shorter than the
> long-lived token timeout? Then there is no refresh logic required
>
> * Google uses refresh tokens.
>
> * I don't think Twitter expires access tokens :)
>
> * You could handle this generically without specific broker knowledge.
> AccessTokenResponse from a refreshToken call could just state that the
> adapter must redirect back to the auth server in order to execute the
> refresh.
Yeah, however if you are brokering for example to 2nd Keycloak server,
you probably don't want to redirect. As accessTokenTimeout in 2nd
Keycloak would be like 1 minute, so adapter will need to redirect very
often...
I was thinking that identity provider can specify if it supports
refreshing of tokens or not. Then:
* For providers supporting refreshing token, adapter can handle it by
Out-of-bound request to auth-server and auth-server can send out-of-band
request to brokered provider to refresh 3rdp party token
* For providers not supporting refreshing token (like Facebook) adapter
would need to redirect
But I don't know, maybe we don't need redirection support at all? If all
other providers instead of Facebook supports refreshing tokens, we can
handle all of those by OOB request and for Facebook use long-lived tokens?
Marek
>
> On 2/27/2015 12:09 PM, Bill Burke wrote:
>> FYI, Facebook has 2 types of tokens:
>>
>> * short lived..usually last for hours
>> * long lived usually lasts for 60 days
>>
>> As Marek pointed out, token refreshes require a browser redirect for
>> Facebook. Knowing that, a REST service is not going to be able to
>> refresh a facebook token. Let's take this further with an example.
>>
>> You have a "Contact-List" service that obtains a list of contacts from a
>> social provider. You have a separate Javascript application that wants
>> to display a list of contacts. The "Contact-List" service has to know
>> the token and the social provider type.
>>
>> So given the above, the Javascript application would have to manage
>> facebook tokens. How would that even work? It would have to be done
>> without the Javascript app losing its state.
>>
>> On 2/27/2015 10:57 AM, Bill Burke wrote:
>>> On 2/27/2015 1:08 AM, Stian Thorgersen wrote:
>>>> I just think we're making something quite simple into something a lot more complex for no benefit.
>>>>
>>> I think you are making our design more complex or less performant than
>>> it needs to be. I don't want a specific endpoint just to refresh a
>>> token for a specific broker. We're also going to want to embed nested
>>> access tokens for specific keycloak nested application invocations. I
>>> don't want a separate REST service just for that too.
>>>
>>> I also want nested REST invocations to work without having to invoke on
>>> the auth server for every request. The access token should have
>>> everything the application needs so that it can reduce traffic with the
>>> server. What if a stateless, bearer-only REST services needs the
>>> facebook token? If we're talking Javascript apps, then the backend will
>>> be entirely bearer-only stateless REST services.
>>>
>>> I don't want to require adapter specific configuration.
>>>
>>> I the vast majority of cases, I think facebook token refreshing can be
>>> handled automatically by the adapter and the auth-server-side configured
>>> token policies. We can make the facebook token policy have different
>>> configuration options to:
>>>
>>> * never to refresh the token
>>> * modify the access token's expiration to sync with the facebook one.
>>>
>>> We could add a "scope" parameter to refreshToken endpoint to give a hint
>>> to the facebook token policy on whether it needs to refresh or not.
>>>
>>> Finally, every refreshAccessToken invocation gives the auth-server the
>>> opportunity to recheck revocation policies and upgrade/downgrade the
>>> user's and application's permissions.
>>>
More information about the keycloak-dev
mailing list