[keycloak-dev] OAuth2 Offline Token Introspection

Marek Posolda mposolda at redhat.com
Tue Jun 7 12:44:55 EDT 2016


On 07/06/16 14:26, Jorge M. wrote:
> That sounds good. Should I create a Jira ticket for this one?
Yes
>
> By the way... We are planning to use offline tokens on native mobile 
> client apps. Basically the apps only use KC for authentication (using 
> aerogear oauth2). Do you think that a regular access_token is more 
> suitable for this scenario, rather than the offline token?
Depends on the use-case. Access token is always valid just for few 
minutes and can be used to invoke 3rd party REST services. When offline 
token is just special type of refresh token. It can be used just for 
refreshing and retrieve new accessTokens, but it can't be used to invoke 
3rd party REST services. Only difference between offline token and 
refresh token is, that offline token is long-lived and valid for days or 
weeks. So once you authenticate to Keycloak and you have offlineToken, 
you can use this offlineToken after a very long time to "refresh" and 
retrieve new accessToken and then use this retrieved accessToken to 
invoke 3rd party REST endpoints.

Marek
>
> Thanks,
> JM
>
> 2016-06-07 8:34 GMT+01:00 Stian Thorgersen <sthorger at redhat.com 
> <mailto:sthorger at redhat.com>>:
>
>     In that case +1 to support offline tokens.
>
>     On 7 June 2016 at 09:29, Marek Posolda <mposolda at redhat.com
>     <mailto:mposolda at redhat.com>> wrote:
>
>         The introspection specs has some support for refresh tokens
>         and our impl supports it too. You can even provide
>         "token_type_hint" parameter and use either the value
>         "access_token" or "refresh_token" .
>
>         The offline token is not directly supported, but I am
>         personally not seeing an issue for us to be a bit more
>         "clever" and lookup offline sessions instead of online
>         sessions in case that type of provided token is offline token?
>
>         Marek
>
>
>         On 07/06/16 09:17, Stian Thorgersen wrote:
>>         The token introspection endpoint is for access tokens though,
>>         not refresh tokens and offline tokens. You should introspect
>>         an access token retrieved using the offline token, not the
>>         offline token itself.
>>
>>         On 7 June 2016 at 08:35, Marek Posolda <mposolda at redhat.com
>>         <mailto:mposolda at redhat.com>> wrote:
>>
>>             Hi,
>>
>>             it seems that oauth2 token introspection specs doesn't
>>             have any direct support for OIDC offline tokens. However
>>             you can possibly create JIRA for it. Currently it seems
>>             we consider token as valid just if there is "online"
>>             valid userSession. In case of offlineToken, it should
>>             check "offline" session instead.
>>
>>             Marek
>>
>>
>>             On 06/06/16 19:12, Jorge M. wrote:
>>>             Hi,
>>>
>>>             I'm using the oauth2 token introspection feature in
>>>             order to validate and get info about tokens, however I'm
>>>             not being able to get info of offline_tokens. Is that
>>>             possible? Or does it make sense?
>>>
>>>             Thank you,
>>>             JM
>>>
>>>
>>>             _______________________________________________
>>>             keycloak-dev mailing list
>>>             keycloak-dev at lists.jboss.org
>>>             <mailto:keycloak-dev at lists.jboss.org>
>>>             https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>>
>>             _______________________________________________
>>             keycloak-dev mailing list
>>             keycloak-dev at lists.jboss.org
>>             <mailto:keycloak-dev at lists.jboss.org>
>>             https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>>
>
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160607/fef27253/attachment-0001.html 


More information about the keycloak-dev mailing list