[keycloak-user] Generate offline token

Bill Burke bburke at redhat.com
Fri Oct 30 10:41:17 EDT 2015

You can obtain tokens from a non-browser client.  We have two types:

session-based tokens:  These are associated with an in-memory(cluster 
aware) session and have a short expiration (minutes), but can be 
refreshed with a refresh token.  These sessions can be closed 
automatically if they are idle too long

offline tokens:  They are persisted and have much longer expiration 
times.  They do have timeouts, but these times are generally much longer.

On 10/30/2015 10:36 AM, Pål Orby wrote:
> Saw your session at JavaZone, so thought we could give KC a try :-)
> Our web application is split on two; frontend (HTML5/Javascript) and our
> backend (REST lv. 3 developed in Java, currently running inside Tomcat).
> Our frontend is just a consumer of our backend API (just like any other
> client), and I've successfully configured KC to use
> openid-connect/public for our frontend with keycloak.js, and
> openid-connect/bearer-only for our backend (API) in our test environment
> (sending the Authorization header with Bearer and keycloak.token to
> backend when doing ajax requests). This work like expected. Even written
> our own federation doing password validation from our user database.
> But, a lot of our customers have integrated their application to our
> backend API, doing REST calls for issuing invoices, etc...)
> Most other services that provides you with an API offers tokens that can
> be used for identification and authentication. And as far as I can see,
> this is offline tokens in KC.
> So we want to have our users log in to our service with their browser,
> go to our "API key page" and create a new token to be used by the
> integrations (moving away from Basic auth).
> I've created an offline token by hitting a keycloak protected html file
> and requested a resource with parameter ?scope=offline_access. I do see
> KC gives me a value back:
> http://localhost/keycloak.html?scope=offline_access&code=HU5UkZ_EbNUjX3Vhmg-3EIhC6Abz5rwhNMy_cuPzpLA.bfa6846d-b8f2-46da-b923-6a2824c82dd6&state=f2c410f3-37dd-4b5b-b933-1aacce916846
> But there is no way I can use this for anything (and in KC it seems to
> be bound to our frontend application).
> Why can't I use the admin rest api to say something like: give me an
> offline token for this user for this app?
> /Pål
> 2015-10-30 15:06 GMT+01:00 Stian Thorgersen <sthorger at redhat.com
> <mailto:sthorger at redhat.com>>:
>     Heisann,
>     Nice to see fellow Norwegians are using Keycloak :)
>     For offline tokens the idea is that you'd have a frontend app
>     (server or client, whichever floats your boat) that can bootstrap
>     the offline token.
>     Not sure offline tokens is quite what you need though - can you
>     elaborate a bit on your use case?
>     On 30 October 2015 at 13:51, Pål Orby <orby at sendregning.no
>     <mailto:orby at sendregning.no>> wrote:
>         We have two clients registered in our realm; frontend and
>         backend. Frontend is defined openid-connect/public
>         (HTML/Javascript app) and backend is openid-connect/bearer-only.
>         How can we generate an offline token for a given user that can
>         be used towards our backend (which is bearer only)?
>         We have a lot of customers that is integrated to our API (which
>         is our backend client).
>         *Pål Orby*
>         UNIT4 Agresso AS*
>         *DevOps
>         Tlf: 22 58 85 00
>         Mobil: 900 91 705
>         SendRegning - Gjør det enkelt!
>         http://www.sendregning.no
>         http://facebook.com/sendregning
>         http://twitter.com/sendregning
>         http://faktura.no
>         _______________________________________________
>         keycloak-user mailing list
>         keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>         https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

Bill Burke
JBoss, a division of Red Hat

More information about the keycloak-user mailing list