[keycloak-user] Generate offline token
Stian Thorgersen
sthorger at redhat.com
Mon Nov 2 06:06:13 EST 2015
I would create a client for each customer. Enable the service account
feature to map roles to the client. Then customers can authenticate either
with a secret or signed jwt (public/private key). They can then use the
client credentials grant to obtain tokens.
On 30 Oct 2015 15:37, "Pål Orby" <orby at sendregning.no> wrote:
> Saw your session at JavaZone, so thought we could give KC a try :-)
>
> Our web application is split on two; frontend (HTML5/Javascript) and our
> backend (REST lv. 3 developed in Java, currently running inside Tomcat).
>
> Our frontend is just a consumer of our backend API (just like any other
> client), and I've successfully configured KC to use openid-connect/public
> for our frontend with keycloak.js, and openid-connect/bearer-only for our
> backend (API) in our test environment (sending the Authorization header
> with Bearer and keycloak.token to backend when doing ajax requests). This
> work like expected. Even written our own federation doing password
> validation from our user database.
>
> But, a lot of our customers have integrated their application to our
> backend API, doing REST calls for issuing invoices, etc...)
>
> Most other services that provides you with an API offers tokens that can
> be used for identification and authentication. And as far as I can see,
> this is offline tokens in KC.
>
> So we want to have our users log in to our service with their browser, go
> to our "API key page" and create a new token to be used by the integrations
> (moving away from Basic auth).
>
> I've created an offline token by hitting a keycloak protected html file
> and requested a resource with parameter ?scope=offline_access. I do see KC
> gives me a value back:
>
> http://localhost/keycloak.html?scope=offline_access&code=HU5UkZ_EbNUjX3Vhmg-3EIhC6Abz5rwhNMy_cuPzpLA.bfa6846d-b8f2-46da-b923-6a2824c82dd6&state=f2c410f3-37dd-4b5b-b933-1aacce916846
>
> But there is no way I can use this for anything (and in KC it seems to be
> bound to our frontend application).
>
> Why can't I use the admin rest api to say something like: give me an
> offline token for this user for this app?
>
> /Pål
>
> 2015-10-30 15:06 GMT+01:00 Stian Thorgersen <sthorger at redhat.com>:
>
>> Heisann,
>>
>> Nice to see fellow Norwegians are using Keycloak :)
>>
>> For offline tokens the idea is that you'd have a frontend app (server or
>> client, whichever floats your boat) that can bootstrap the offline token.
>>
>> Not sure offline tokens is quite what you need though - can you elaborate
>> a bit on your use case?
>>
>> On 30 October 2015 at 13:51, Pål Orby <orby at sendregning.no> wrote:
>>
>>> We have two clients registered in our realm; frontend and backend.
>>> Frontend is defined openid-connect/public (HTML/Javascript app) and backend
>>> is openid-connect/bearer-only.
>>>
>>> How can we generate an offline token for a given user that can be used
>>> towards our backend (which is bearer only)?
>>>
>>> We have a lot of customers that is integrated to our API (which is our
>>> backend client).
>>>
>>> *Pål Orby*
>>> UNIT4 Agresso AS
>>> DevOps
>>> Tlf: 22 58 85 00
>>> Mobil: 900 91 705
>>>
>>> SendRegning - Gjør det enkelt!
>>> http://www.sendregning.no
>>> http://facebook.com/sendregning
>>> http://twitter.com/sendregning
>>> http://faktura.no
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151102/0ff382a6/attachment.html
More information about the keycloak-user
mailing list