[keycloak-dev] OAuth2 Offline Token Introspection

Stian Thorgersen sthorger at redhat.com
Tue Jun 7 03:17:47 EDT 2016


The token introspection endpoint is for access tokens though, not refresh
tokens and offline tokens. You should introspect an access token retrieved
using the offline token, not the offline token itself.

On 7 June 2016 at 08:35, Marek Posolda <mposolda at redhat.com> wrote:

> Hi,
>
> it seems that oauth2 token introspection specs doesn't have any direct
> support for OIDC offline tokens. However you can possibly create JIRA for
> it. Currently it seems we consider token as valid just if there is "online"
> valid userSession. In case of offlineToken, it should check "offline"
> session instead.
>
> Marek
>
>
> On 06/06/16 19:12, Jorge M. wrote:
>
> Hi,
>
> I'm using the oauth2 token introspection feature in order to validate and
> get info about tokens, however I'm not being able to get info of
> offline_tokens. Is that possible? Or does it make sense?
>
> Thank you,
> JM
>
>
> _______________________________________________
> keycloak-dev mailing listkeycloak-dev at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160607/a4a3629c/attachment.html 


More information about the keycloak-dev mailing list