[keycloak-user] Recommendations for protecting REST service with bearer token and basic auth
stian at redhat.com
Wed Nov 19 11:16:46 EST 2014
----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-user at lists.jboss.org
> Sent: Wednesday, 19 November, 2014 4:01:36 PM
> Subject: Re: [keycloak-user] Recommendations for protecting REST service with bearer token and basic auth
> On 11/19/2014 8:30 AM, Juraci Paixão Kröhling wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA512
> > On 11/19/2014 01:01 PM, Stian Thorgersen wrote:
> >> One exception though is that in this case you probably want an
> >> offline token, which is something we don't support yet. Basically
> >> an offline token would be a token that's not associated with a
> >> specific user session, which would have a longer (possibly
> >> unlimited) lifetime. The user would also need to be able to view
> >> and revoke these tokens through the account management.
> > That's exactly what I mean :-) Is there a plan for this feature
> > already? If not, and if it's a desirable feature to have, I might be
> > able to scratch a possible solution for it.
> You guys are basically describing certificate auth.
Yes for the one use-case I described (where the app is the user). There's also the case where a user gives an application permanent (offline) access to their account. In Google they have a special scope you can request for this (https://developers.google.com/accounts/docs/OAuth2WebServer#offline).
> Bill Burke
> JBoss, a division of Red Hat
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
More information about the keycloak-user