[keycloak-dev] OAuth2 Offline Token Introspection

Stian Thorgersen sthorger at redhat.com
Wed Jun 8 00:33:40 EDT 2016


Would you be able to send a PR for the issue? Looks like it should be
relatively simple to add.

I'm curious when you say it's only used for authentication. Authentication
to what? Are you not invoking any external services?



On 7 June 2016 at 14:26, Jorge M. <jm85martins at gmail.com> wrote:

> That sounds good. Should I create a Jira ticket for this one?
>
> By the way... We are planning to use offline tokens on native mobile
> client apps. Basically the apps only use KC for authentication (using
> aerogear oauth2). Do you think that a regular access_token is more suitable
> for this scenario, rather than the offline token?
>
> Thanks,
> JM
>
> 2016-06-07 8:34 GMT+01:00 Stian Thorgersen <sthorger at redhat.com>:
>
>> In that case +1 to support offline tokens.
>>
>> On 7 June 2016 at 09:29, Marek Posolda <mposolda at redhat.com> wrote:
>>
>>> The introspection spec has some support for refresh tokens and our impl
>>> supports it too. You can even provide the "token_type_hint" parameter and use
>>> either the value "access_token" or "refresh_token".
>>>
>>> The offline token is not directly supported, but I am personally not
>>> seeing an issue for us to be a bit more "clever" and look up offline
>>> sessions instead of online sessions in case the provided token is an
>>> offline token?
>>>
>>> Marek
>>>
>>>
>>> On 07/06/16 09:17, Stian Thorgersen wrote:
>>>
>>> The token introspection endpoint is for access tokens though, not
>>> refresh tokens and offline tokens. You should introspect an access token
>>> retrieved using the offline token, not the offline token itself.
>>>
>>> On 7 June 2016 at 08:35, Marek Posolda <mposolda at redhat.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> it seems that the oauth2 token introspection spec doesn't have any direct
>>>> support for OIDC offline tokens. However you can possibly create a JIRA for
>>>> it. Currently it seems we consider a token as valid just if there is an "online"
>>>> valid userSession. In case of an offlineToken, it should check the "offline"
>>>> session instead.
>>>>
>>>> Marek
>>>>
>>>>
>>>> On 06/06/16 19:12, Jorge M. wrote:
>>>>
>>>> Hi,
>>>>
>>>> I'm using the oauth2 token introspection feature in order to validate
>>>> and get info about tokens, however I'm not able to get info on
>>>> offline_tokens. Is that possible? Or does it make sense?
>>>>
>>>> Thank you,
>>>> JM
>>>>
>>>>
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>
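The flow Stian recommends above (redeem the offline token at the token endpoint, then introspect the resulting access token rather than the offline token itself), as an added example that is not code from the thread or from the Keycloak project. It assumes the pre-Keycloak-17 URL layout with the /auth context root, a confidential client sending client_id/client_secret as form fields, and an injectable `post` callable; the `fake_keycloak` transport is a constructed stand-in that models the behaviour Marek describes (introspection consults online user sessions only), so the script runs with no server.

```python
"""Redeem an offline token for an access token, then introspect the access token.

Added example, not Keycloak code. Assumptions (see lead-in): /auth URL prefix,
confidential client with client_id/client_secret form fields, injectable `post`.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumption: pre-Keycloak-17 context root (/auth).
TOKEN_PATH = "/auth/realms/{realm}/protocol/openid-connect/token"


def token_endpoint(base_url, realm):
    return base_url.rstrip("/") + TOKEN_PATH.format(realm=realm)


def introspection_endpoint(base_url, realm):
    return token_endpoint(base_url, realm) + "/introspect"


def http_post_form(url, fields):
    """Real transport: POST a form body, return the parsed JSON reply.
    Keycloak answers a failed grant with HTTP 400 and a JSON error body, so that
    body is returned instead of raising."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        return json.loads(err.read().decode())


def redeem_offline_token(base_url, realm, client_id, client_secret, offline_token, post=http_post_form):
    """Refresh-token grant: an offline token is a refresh token, so it is exchanged
    at the token endpoint for a fresh (online) access token."""
    reply = post(token_endpoint(base_url, realm), {
        "grant_type": "refresh_token",
        "refresh_token": offline_token,
        "client_id": client_id,
        "client_secret": client_secret,
    })
    if "access_token" not in reply:
        raise RuntimeError("refresh failed: %s: %s" % (reply.get("error"), reply.get("error_description")))
    return reply["access_token"]


def introspect(base_url, realm, client_id, client_secret, token, hint="access_token", post=http_post_form):
    """RFC 7662 introspection. An unknown or expired token still yields HTTP 200
    with {"active": false}, so the caller must test the flag, not the status."""
    reply = post(introspection_endpoint(base_url, realm), {
        "token": token,
        "token_type_hint": hint,
        "client_id": client_id,
        "client_secret": client_secret,
    })
    return reply if reply.get("active") is True else {"active": False}


def validate_offline_client(base_url, realm, client_id, client_secret, offline_token, post=http_post_form):
    """The thread's advice: redeem the offline token, introspect the access token."""
    access_token = redeem_offline_token(base_url, realm, client_id, client_secret, offline_token, post)
    return introspect(base_url, realm, client_id, client_secret, access_token, "access_token", post)


# ---- constructed stand-in for a Keycloak server so the example runs offline ----
OFFLINE_TOKEN = "offline.constructed.token"   # constructed sample values
ACCESS_TOKEN = "access.constructed.token"
ONLINE_SESSIONS = {ACCESS_TOKEN: {"username": "jm", "client_id": "mobile-app"}}


def fake_keycloak(url, fields):
    """Models the behaviour described in the thread: introspection looks up
    online sessions only, so the offline token itself is reported inactive."""
    if url.endswith("/token/introspect"):
        session = ONLINE_SESSIONS.get(fields["token"])
        if session is None:
            return {"active": False}
        return dict(active=True, token_type="Bearer", **session)
    if url.endswith("/token") and fields.get("grant_type") == "refresh_token":
        if fields["refresh_token"] != OFFLINE_TOKEN:
            return {"error": "invalid_grant", "error_description": "Invalid refresh token"}
        return {"access_token": ACCESS_TOKEN, "refresh_token": OFFLINE_TOKEN,
                "token_type": "bearer", "expires_in": 300}
    return {"error": "invalid_request"}


def demo():
    args = ("https://sso.example.com", "demo", "mobile-app", "constructed-secret")
    direct = introspect(*args, OFFLINE_TOKEN, "refresh_token", post=fake_keycloak)
    via_access = validate_offline_client(*args, OFFLINE_TOKEN, post=fake_keycloak)
    return direct, via_access


if __name__ == "__main__":
    direct, via_access = demo()
    print("introspecting the offline token itself:", direct)     # {'active': False}
    print("introspecting an access token from it:", via_access)  # active True, username jm
```

Against a real server, drop the `post=fake_keycloak` argument so `http_post_form` is used; the point to keep is that `introspect` treats anything but `"active": true` as a rejection, since the endpoint does not signal an inactive token through the HTTP status.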