[keycloak-dev] Shouldn't external token by stored in UserSession?

Stian Thorgersen stian at redhat.com
Tue Mar 24 01:33:16 EDT 2015


It's not always specific to a UserSession. The tokens obtained from a provider may be offline tokens to provide permanent access. For example if an application wants permanent access to Google and Facebook those providers can be configured with the offline scope, which would provide access even if the user didn't log-in the current session with either of those providers.

A logged in user could have one token that's used to login a specific session, but also a number of other tokens that have not been used to login the specific session, but that has been used in the past, or was used when setting up the link initially.

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Monday, 23 March, 2015 3:10:56 PM
> Subject: [keycloak-dev] Shouldn't external token by stored in UserSession?
> 
> Why is the external token stored in actual user storage
> (FederatedIdentityModel).  The token is really something specific to the
> UserSession and belongs there.
> 
> Also, there may not be one single item for "external token".  For
> example, OIDC has both an IDToken and access token.  The IDToken is
> actually used to perform a logout according to the OIDC logout profile.
> 
> Right now, our code is storing the AccessTokenResponse for OIDC, and the
> entire login response for SAML.
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 


More information about the keycloak-dev mailing list