[keycloak-dev] offline access tokens part 2

Bill Burke bburke at redhat.com
Tue Apr 3 11:02:50 EDT 2018


On Tue, Apr 3, 2018 at 10:20 AM, Schuster Sebastian (INST/ESY1)
<Sebastian.Schuster at bosch-si.com> wrote:
> I really like 3) because this might be a way of getting around having to do token signing externally in an HSM, depending on company regulations.
>
> Btw. how about allowing to override token lifetimes also based on the involved roles/scopes? Lifetimes are essentially a security/efficiency tradeoff and for critical roles, I would really like to tune that tradeoff towards security.
> That would probably be something in the line of creating a token with the minimum lifetime configured by realm/client/role....
>

So, each role, scope, protocol mapper could specify a token timeout?
The token issuer logic would just pick the smallest timeout based on
the roles, scopes, protocol mappers used to build the token?
All this would be a completely separate feature/PR/Jira.

Work should be broken up into:
* offline access token timeout for realm
* reference tokens
* per client timeouts
* per role, scope, protocol mapper timeouts.




-- 
Bill Burke
Red Hat
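One way the issuer logic sketched above (smallest timeout wins across realm, client, role, scope and protocol mapper) could be realised, as an added example that is not part of the original message or of Keycloak's code; the policy model, names and numbers are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable


@dataclass
class LifetimePolicy:
    """Hypothetical lifetime configuration, not Keycloak's SPI.
    A missing entry means "no override at this level"."""
    realm_default: int                                 # seconds, always set
    client: Dict[str, int] = field(default_factory=dict)
    role: Dict[str, int] = field(default_factory=dict)
    scope: Dict[str, int] = field(default_factory=dict)
    mapper: Dict[str, int] = field(default_factory=dict)


def effective_lifetime(policy: LifetimePolicy, client_id: str,
                       roles: Iterable[str], scopes: Iterable[str],
                       mappers: Iterable[str]) -> int:
    """Pick the smallest timeout among everything used to build the token.
    Taking the minimum means a narrower setting (a critical role, a sensitive
    scope) can only shorten a token, never extend it past the realm or client
    ceiling, so the exposure window of a leaked token stays bounded."""
    candidates = [policy.realm_default]
    if client_id in policy.client:
        candidates.append(policy.client[client_id])
    candidates += [policy.role[r] for r in roles if r in policy.role]
    candidates += [policy.scope[s] for s in scopes if s in policy.scope]
    candidates += [policy.mapper[m] for m in mappers if m in policy.mapper]
    if any(c <= 0 for c in candidates):
        raise ValueError("token lifetimes must be positive")
    return min(candidates)


def issue_claims(policy: LifetimePolicy, client_id: str, roles, scopes,
                 mappers, issued_at: int) -> dict:
    """Return the time claims the issuer would place in the token."""
    ttl = effective_lifetime(policy, client_id, roles, scopes, mappers)
    return {"iat": issued_at, "exp": issued_at + ttl}


# Constructed sample policy: realm allows 1 h, the billing client 30 min,
# the admin role 5 min; a generous "viewer" override must not win.
SAMPLE_POLICY = LifetimePolicy(
    realm_default=3600,
    client={"billing-app": 1800},
    role={"admin": 300, "viewer": 7200},
    scope={"payments": 600},
)
```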

