[keycloak-user] Refresh token - should it expire?
Juraci Paixão Kröhling
juraci at kroehling.de
Tue Jun 23 07:50:31 EDT 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hello,
I'm building a secret store application that will sit in front of
Hawkular and will be responsible for replacing API keys into actual
Keycloak authentication data.
Based on the suggestions from Stian, the current code does the following
:
- - User logs in Hawkular via Keycloak
- - Once the user wants to create a new application key/secret, the user
is redirected to /secret-store/tokens/create , which takes the KC
authentication data and stores the refresh_token into the database,
creating a new key/secret
- - User configures an external application (like a monitoring agent in
a server), adding this key/secret to its configuration
- - The agent makes a call to the Hawkular backend, sending this key/secre
t
- - An undertow filter gets this key/secret from the request, fetches
the refresh_token from the database, gets a bearer token from Keycloak
based on this refresh_token and sets it to the request's context (ie:
replacing the Authorization header)
- - Keycloak uses this bearer token to perform what it needs to do
- - Request reaches the Hawkular backend
It all works, but the session from the *user* (second step) eventually
expires, causing the refresh_token to be invalid[1].
So, the question is whether this token is indeed supposed to be
attached to an user session, or if it's a bug. If the behavior I'm
seeing is the correct one, what could be a proper way to store a token
so that it can be replaced at a later time?
1 - http://git.io/vLAtF
Best,
Juca.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJViUgHAAoJEDnJtskdmzLMCIsH/iOeGmCDANgjvliyeKMWcx0/
j0cFdJuENBqzgPRlj0tSSJeFZeNnIs07ARJk2E0Xoq1D2gSq3KAw3hTOq7nPNfOk
SoG5f1dLDkwCB8a+d/IGNfPw6Tmbzn0i2kwRSbhSJdfYCDxg9xiMPnV2MjvunPYa
f6sXHz0yZjwylis3UuBw7WUNr1wAYOpjfmdBmt0B6hEqBXbIZflX2OEhim7dC+PQ
WBx4lobqWWR+pMF12oabngNPLoE1r8SGSJkkiusMZxaTIWOViiHIYkRzVcul32z7
1OI0EOHnnv4YJ1rzc9frAIu7EPZq0i4BM1YT9pRBlNFBWH/ZQawEyCN6KCrNHDI=
=EA+F
-----END PGP SIGNATURE-----
More information about the keycloak-user
mailing list