[keycloak-dev] Offline tokens - step 1

Marek Posolda mposolda at redhat.com
Mon Sep 21 09:04:30 EDT 2015


On 21/09/15 14:43, Bill Burke wrote:
>
> On 9/21/2015 6:06 AM, Marek Posolda wrote:
>> I've sent the PR . Right now it works like this:
>>
>> - ClientModel has a flag "offlineTokensEnabled". It's possible to
>> retrieve offline tokens only if the flag is enabled.
>>
>> - An offline token is a classic refresh token with 2 differences. It has type
>> "OFFLINE" whereas a normal refresh token has type "REFRESH". And for an offline
>> token, the expiration value is 0, so it never expires.
>>
>> - The offline token is generated by the auth-server when the client sends
>> "scope=offline_access". It's supported for the classic browser flow, but
>> also for the Direct Grant flow or the Service account flow.
>>
>> - I've added OfflineClientSessionModel and OfflineUserSessionModel with
>> CRUD methods on UserModel. So when a new offline token is generated by
>> Keycloak, some info about the current UserSession and ClientSession is
>> persisted on the UserModel. This means that the offline token can be used to
>> create a new access token even if the "normal" UserSession and ClientSession
>> are already invalid or logged out.
>>
> You have to move this out of UserModel.  UserModel may be backed 99% by
> a UserFederationProvider.  In the near future, UserFederationProvider
> users may all sit in memory for only the lifetime of the session.
>
>
Does it make sense to issue offline tokens for users who are only
valid for the lifetime of the session?

Marek
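The token semantics Marek lists above (an OFFLINE token with exp 0 that is gated by the client flag and survives a logout of the normal session, versus a REFRESH token that dies with its session) as an added, runnable model. This is example code written for this page, not Keycloak source: the class names, the in-memory session sets and the method names (login, logout, revoke_offline, refresh) are assumptions chosen to show the design, not Keycloak's actual API. The point it makes that the thread only implies: because an offline token never expires, deleting the persisted offline session is the only way to cut it off, so that store must be revocable independently of the user session.

```python
"""Toy model of the offline-token design from the thread (added example, not Keycloak code).

All names below are illustrative assumptions; the flag name offlineTokensEnabled,
the token types REFRESH/OFFLINE, exp == 0 and scope=offline_access are from the thread.
"""
import itertools
from dataclasses import dataclass, field

REFRESH_LIFESPAN = 1800   # normal refresh-token lifetime in seconds (assumed value)


@dataclass
class Client:
    client_id: str
    offline_tokens_enabled: bool = False   # the "offlineTokensEnabled" flag


@dataclass
class RefreshToken:
    token_type: str    # "REFRESH" for a normal token, "OFFLINE" for an offline one
    client_id: str
    user_id: str
    session_id: str
    exp: int           # absolute expiry; 0 means "never expires"


@dataclass
class AuthServer:
    clients: dict = field(default_factory=dict)
    user_sessions: set = field(default_factory=set)     # live sessions, dropped on logout
    offline_sessions: set = field(default_factory=set)  # persisted separately, outlive logout
    _ids: itertools.count = field(default_factory=itertools.count)

    def login(self, client_id, user_id, scope, now):
        """Any grant flow (browser, direct grant, service account) ends here."""
        client = self.clients[client_id]
        wants_offline = "offline_access" in scope.split()
        if wants_offline and not client.offline_tokens_enabled:
            raise PermissionError("client may not request offline tokens")
        session_id = f"{user_id}/{client_id}/{next(self._ids)}"
        self.user_sessions.add(session_id)
        if wants_offline:
            self.offline_sessions.add(session_id)
            return RefreshToken("OFFLINE", client_id, user_id, session_id, exp=0)
        return RefreshToken("REFRESH", client_id, user_id, session_id,
                            exp=now + REFRESH_LIFESPAN)

    def logout(self, session_id):
        """Ends the normal session only; the persisted offline session remains."""
        self.user_sessions.discard(session_id)

    def revoke_offline(self, session_id):
        """With exp == 0 this is the only way to invalidate an offline token."""
        self.offline_sessions.discard(session_id)

    def refresh(self, token, now):
        """Exchange a refresh token for a new access token, or raise PermissionError."""
        client = self.clients[token.client_id]
        if token.token_type == "REFRESH":
            if token.exp != 0 and now >= token.exp:
                raise PermissionError("refresh token expired")
            if token.session_id not in self.user_sessions:
                raise PermissionError("user session is gone")
        elif token.token_type == "OFFLINE":
            # Re-check the flag so disabling it on the client also cuts off old tokens.
            if not client.offline_tokens_enabled:
                raise PermissionError("offline tokens disabled for client")
            if token.session_id not in self.offline_sessions:
                raise PermissionError("offline session revoked")
        else:
            raise PermissionError("unknown token type")
        return {"sub": token.user_id, "azp": token.client_id, "exp": now + 300}


def allowed(srv, token, now):
    """True if the token still yields an access token at time `now`."""
    try:
        srv.refresh(token, now)
        return True
    except PermissionError:
        return False


def demo():
    """Walk through the flows from the thread on constructed data; returns a result map."""
    srv = AuthServer(clients={"web-app": Client("web-app"),
                              "mobile": Client("mobile", offline_tokens_enabled=True)})
    t0 = 1_442_836_000  # constructed timestamp
    r = {}
    normal = srv.login("web-app", "alice", "openid", now=t0)
    r["normal_ok"] = allowed(srv, normal, t0 + 60)
    r["normal_expired"] = allowed(srv, normal, t0 + REFRESH_LIFESPAN)
    srv.logout(normal.session_id)
    r["normal_after_logout"] = allowed(srv, normal, t0 + 120)
    try:
        srv.login("web-app", "alice", "openid offline_access", now=t0)
        r["flag_enforced"] = False
    except PermissionError:
        r["flag_enforced"] = True
    offline = srv.login("mobile", "alice", "openid offline_access", now=t0)
    r["offline_exp_zero"] = offline.exp == 0
    srv.logout(offline.session_id)
    r["offline_after_logout"] = allowed(srv, offline, t0 + 365 * 86400)
    srv.revoke_offline(offline.session_id)
    r["offline_after_revoke"] = allowed(srv, offline, t0 + 365 * 86400)
    return r
```

Run `demo()` to see the two token kinds side by side: the REFRESH token fails both on expiry and once its session is logged out, while the OFFLINE token keeps working a year later until `revoke_offline` deletes the persisted offline session. That is the storage question Bill raises: wherever that offline session lives, it has to persist across sessions and be deletable on its own.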

