[keycloak-dev] offline access tokens part 2
Marek Posolda
mposolda at redhat.com
Tue Mar 27 02:53:55 EDT 2018
On 27.3.2018 at 04:41, Bill Burke wrote:
> These are my thoughts for implementing offline access tokens:
>
> * offline access tokens MUST be validated. This means that if they
> are used during bearer token requests, the service must validate the
> token with the token endpoint.
> * These tokens MUST be rejected by older keycloak clients as our
> adapters don't have support for them.
> * offline access tokens will not be stored in the database. Instead
> they will be JWEs or JWS that link to an offline user session. (our
> current offline access implementation). They will be revokable just
> like any other offline session and in the same manner. This makes the
> implementation simple.
>
> * There will be 4 modes for configuring clients
> - client automatically receives offline access tokens (maybe not
> include a refresh token in this case)
> - client may request an offline access token
> - client requires consent before providing an offline access token
> - client is not allowed to ask for offline access tokens (default)
>
> Any other thoughts on this?
How will a client tell that it wants this offline token? Will it be some
special value of the scope parameter like "scope=persistent_token"?
I can imagine that issuing this token will be handled by protocol
mapper? Some protocolMapper implementation, which will change token
expiration to 0 (which means infinity) and change token type to
something like "persistent" ?
Once we have clientScopes in, it will be easily possible to ensure that
this protocolMapper is used just if "persistent_token" scope is used as
protocolMapper will be just configured on "persistent_token" client
scope. However the clientScopes PR will likely need to wait for a few
weeks or so...
Marek
>
> Maybe this should be implemented in conjunction with a reference token
> feature too?
>
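The design sketched in this thread (a mapper that, gated on a "persistent_token" scope and one of Bill's four client modes, sets exp=0 and a "persistent" token type, plus the rule that such tokens must be validated at the token endpoint and rejected by adapters without support), modelled as an added example; this is not Keycloak code, and the scope name, the typ value, the mode names and the omitted JWS signature are all assumptions.

```python
import base64
import json
import time

PERSISTENT_SCOPE = "persistent_token"  # scope name floated in the thread (assumption)
PERSISTENT_TYP = "persistent"          # token type floated in the thread (assumption)
SIG_PLACEHOLDER = "signature-omitted"  # real JWS signing is assumed to happen elsewhere

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def encode_token(claims: dict) -> str:
    header = {"alg": "RS256", "typ": "JWT"}
    parts = [b64url(json.dumps(header).encode()), b64url(json.dumps(claims).encode())]
    return ".".join(parts + [SIG_PLACEHOLDER])

def decode_payload(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[1]))

def issue_token(subject, scopes, client_mode, consent_granted=False, lifespan=300, now=None):
    """Stand-in for the protocol mapper. client_mode is one of the four modes
    ('auto', 'may_request', 'consent', 'forbidden'); the token becomes persistent
    (exp=0 meaning infinite, typ='persistent') only when mode and scope allow it."""
    now = int(time.time()) if now is None else now
    asked = PERSISTENT_SCOPE in scopes
    if client_mode == "forbidden" and asked:
        raise PermissionError("client is not allowed to ask for offline access tokens")
    persistent = (client_mode == "auto"
                  or (client_mode == "may_request" and asked)
                  or (client_mode == "consent" and asked and consent_granted))
    claims = {"sub": subject, "iat": now, "exp": now + lifespan, "typ": "Bearer",
              "scope": " ".join(scopes)}
    if persistent:
        claims["exp"] = 0               # 0 = never expires, per the proposal
        claims["typ"] = PERSISTENT_TYP
    return encode_token(claims)

def validate_bearer(token, introspect, adapter_supports_persistent=True, now=None):
    """Resource-server side: a persistent token is never trusted on its own, it
    must be checked against the token endpoint (the introspect callback), and an
    adapter without support for it must reject it outright."""
    now = int(time.time()) if now is None else now
    claims = decode_payload(token)
    if claims.get("typ") == PERSISTENT_TYP or claims.get("exp") == 0:
        if not adapter_supports_persistent:
            return False, "persistent token rejected: adapter has no support"
        return (True, "persistent token active") if introspect(token) else (False, "offline session revoked")
    if claims["exp"] <= now:
        return False, "expired"
    return True, "regular token"
```

The introspect callback stands in for the call to the token endpoint, which is where revocation of the linked offline session becomes visible.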