[keycloak-dev] we do not support offline tokens

Bill Burke bburke at redhat.com
Wed Mar 14 10:21:22 EDT 2018


On Wed, Mar 14, 2018 at 8:51 AM, Stian Thorgersen <sthorger at redhat.com> wrote:
> An offline token would just be an access token with a long expiration time
> right?
>
> Isn't that a bit tricky from a security perspective and also from the fact
> that you can't really invalidate the token? So all services would need to
> check the token with the token introspection endpoint.
>
> Could we fill the same use-case with some sort of reference token instead? A
> short UUID that can be exchanged for a token using the token exchange
> service perhaps?
>

What you're saying is current offline access + new reference token
would be functionally equivalent?  I don't think so.  With
kub/openshift/social providers, you issue and revoke specific
persistent access tokens through an admin UI/CLI, user service UI/CLI,
or REST interface.  Clients that obtain these tokens just use them to
invoke and don't have to refresh them.  Services that receive these as
bearer tokens, though, are required to invoke on a validation endpoint
as they are usually opaque.

-- 
Bill Burke
Red Hat
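To make the trade-off in this thread concrete, here is an added example (mine, not Keycloak's code): a long-lived self-contained token that a service validates locally, and therefore cannot be invalidated before it expires, beside an opaque reference token that only means something through the issuer's introspection endpoint. The signing key, the `AuthServer` class and both token formats are constructed for the demo.

```python
import base64, hashlib, hmac, json, secrets

KEY = b"constructed-demo-signing-key"  # constructed for this demo, not a real key
def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _sign(payload: str) -> str:
    return _b64(hmac.new(KEY, payload.encode(), hashlib.sha256).digest())

def issue_self_contained(sub: str, ttl: int, now: int) -> str:
    # Long-lived signed token: the claims travel inside the token itself
    payload = _b64(json.dumps({"sub": sub, "exp": now + ttl}).encode())
    return f"{payload}.{_sign(payload)}"

def validate_locally(token: str, now: int) -> bool:
    # What a service does with a self-contained token: signature + exp, no round trip
    payload, sig = token.split(".")
    if not hmac.compare_digest(sig, _sign(payload)):
        return False
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims["exp"] > now

class AuthServer:
    # Issuer-side table of persistent tokens that an admin can list and revoke
    def __init__(self):
        self.active = {}
    def issue_reference(self, sub: str) -> str:
        token = secrets.token_urlsafe(16)  # opaque: meaningless without the issuer
        self.active[token] = {"sub": sub}
        return token

    def revoke(self, token: str) -> None:
        self.active.pop(token, None)

    def introspect(self, token: str) -> dict:
        # RFC 7662-style response; services must call this for opaque tokens
        claims = self.active.get(token)
        return {"active": True, **claims} if claims else {"active": False}

def demo(now: int = 1_521_000_000) -> tuple:
    # A self-contained token has nothing to revoke server-side: a month later it still
    # passes local validation, while the revoked reference token fails introspection
    jwt = issue_self_contained("alice", ttl=365 * 24 * 3600, now=now)
    jwt_still_valid = validate_locally(jwt, now + 30 * 24 * 3600)
    srv = AuthServer()
    ref = srv.issue_reference("alice")
    active_before = srv.introspect(ref)["active"]
    srv.revoke(ref)
    active_after = srv.introspect(ref)["active"]
    return jwt_still_valid, active_before, active_after
```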

