[keycloak-user] Generate offline token

Pål Orby orby at sendregning.no
Fri Oct 30 10:36:45 EDT 2015

Saw your session at JavaZone, so thought we could give KC a try :-)

Our web application is split in two: frontend (HTML5/JavaScript) and our
backend (REST lv. 3 developed in Java, currently running inside Tomcat).

Our frontend is just a consumer of our backend API (just like any other
client), and I've successfully configured KC to use openid-connect/public
for our frontend with keycloak.js, and openid-connect/bearer-only for our
backend (API) in our test environment (sending the Authorization header
with Bearer and keycloak.token to backend when doing ajax requests). This
works as expected. We've even written our own federation doing password
validation from our user database.

But a lot of our customers have integrated their applications with our
backend API (doing REST calls for issuing invoices, etc.).

Most other services that provide you with an API offer tokens that can be
used for identification and authentication. And as far as I can see, these
are offline tokens in KC.

So we want to have our users log in to our service with their browser, go
to our "API key page" and create a new token to be used by the integrations
(moving away from Basic auth).

I've created an offline token by hitting a Keycloak-protected HTML file and
requesting a resource with the parameter ?scope=offline_access. I do see KC
gives me a value back:

But there is no way I can use this for anything (and in KC it seems to be
bound to our frontend application).

Why can't I use the admin REST API to say something like: give me an
offline token for this user for this app?


2015-10-30 15:06 GMT+01:00 Stian Thorgersen <sthorger at redhat.com>:

> Heisann,
> Nice to see fellow Norwegians are using Keycloak :)
> For offline tokens the idea is that you'd have a frontend app (server or
> client, whichever floats your boat) that can bootstrap the offline token.
> Not sure offline tokens are quite what you need though - can you elaborate
> a bit on your use case?
> On 30 October 2015 at 13:51, Pål Orby <orby at sendregning.no> wrote:
>> We have two clients registered in our realm; frontend and backend.
>> Frontend is defined openid-connect/public (HTML/Javascript app) and backend
>> is openid-connect/bearer-only.
>> How can we generate an offline token for a given user that can be used
>> towards our backend (which is bearer only)?
>> We have a lot of customers that are integrated with our API (which is our
>> backend client).
>> *Pål Orby*
>> UNIT4 Agresso AS
>> DevOps
>> Tlf: 22 58 85 00
>> Mobil: 900 91 705
>> SendRegning - Gjør det enkelt!
>> http://www.sendregning.no
>> http://facebook.com/sendregning
>> http://twitter.com/sendregning
>> http://faktura.no
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user