[keycloak-user] Generate offline token
bburke at redhat.com
Fri Oct 30 10:41:17 EDT 2015
You can obtain tokens from a non-browser client. We have two types:

* session-based tokens: These are associated with an in-memory
  (cluster-aware) session and have a short expiration (minutes), but can
  be refreshed with a refresh token. These sessions can be closed
  automatically if they are idle too long.
* offline tokens: They are persisted and have much longer expiration
  times. They do have timeouts, but these times are generally much longer.

On 10/30/2015 10:36 AM, Pål Orby wrote:
> Saw your session at JavaZone, so thought we could give KC a try :-)
> backend (REST lv. 3 developed in Java, currently running inside Tomcat).
> Our frontend is just a consumer of our backend API (just like any other
> client), and I've successfully configured KC to use
> openid-connect/public for our frontend with keycloak.js, and
> openid-connect/bearer-only for our backend (API) in our test environment
> (sending the Authorization header with Bearer and keycloak.token to
> backend when doing ajax requests). This works as expected. Even written
> our own federation doing password validation from our user database.
> But, a lot of our customers have integrated their application to our
> backend API (doing REST calls for issuing invoices, etc...)
> Most other services that provide you with an API offer tokens that can
> be used for identification and authentication. And as far as I can see,
> this is offline tokens in KC.
> So we want to have our users log in to our service with their browser,
> go to our "API key page" and create a new token to be used by the
> integrations (moving away from Basic auth).
> I've created an offline token by hitting a keycloak protected html file
> and requested a resource with parameter ?scope=offline_access. I do see
> KC gives me a value back:
> But there is no way I can use this for anything (and in KC it seems to
> be bound to our frontend application).
> Why can't I use the admin rest api to say something like: give me an
> offline token for this user for this app?
> 2015-10-30 15:06 GMT+01:00 Stian Thorgersen <sthorger at redhat.com>:
> Nice to see fellow Norwegians are using Keycloak :)
> For offline tokens the idea is that you'd have a frontend app
> (server or client, whichever floats your boat) that can bootstrap
> the offline token.
> Not sure offline tokens are quite what you need though - can you
> elaborate a bit on your use case?
> On 30 October 2015 at 13:51, Pål Orby <orby at sendregning.no> wrote:
> We have two clients registered in our realm; frontend and
> backend. Frontend is defined openid-connect/public
> How can we generate an offline token for a given user that can
> be used towards our backend (which is bearer only)?
> We have a lot of customers that are integrated with our API (which
> is our backend client).
> *Pål Orby*
> UNIT4 Agresso AS
> Tlf: 22 58 85 00
> Mobil: 900 91 705
> SendRegning - Gjør det enkelt!
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
JBoss, a division of Red Hat
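
Added example (not part of the original thread and not Keycloak's own code): a Python helper that tells apart the two token kinds described in the reply above by inspecting a refresh token's JWT payload, and builds the standard OAuth 2.0 refresh-grant body a non-browser client would send. The `typ` claim value `Offline`, the sample tokens and the client id `backend-integration` are assumptions constructed for the demo; the signature is not verified here, so use this for inspection only, never for authorization decisions.

```python
import base64
import json
from urllib.parse import urlencode


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return payload claims WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))


def classify_refresh_token(token: str, now: float) -> str:
    """Return 'offline', 'session' or 'expired'.

    Assumption: offline tokens carry typ == "Offline" (compared
    case-insensitively); any other refresh token is session-based.
    """
    claims = jwt_claims(token)
    exp = claims.get("exp")
    if exp is not None and exp <= now:
        return "expired"
    return "offline" if str(claims.get("typ", "")).lower() == "offline" else "session"


def refresh_request_body(token: str, client_id: str) -> str:
    # Standard OAuth 2.0 refresh grant (RFC 6749 section 6), form-encoded.
    return urlencode({"grant_type": "refresh_token",
                      "refresh_token": token, "client_id": client_id})


def make_sample_token(claims: dict) -> str:
    # Constructed, unsigned sample token; not a real Keycloak token.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


NOW = 1446216077  # constructed clock value for the demo
SESSION = make_sample_token({"typ": "Refresh", "exp": NOW + 1800})        # minutes
OFFLINE = make_sample_token({"typ": "Offline", "exp": NOW + 30 * 86400})  # much longer
STALE = make_sample_token({"typ": "Refresh", "exp": NOW - 60})

if __name__ == "__main__":
    for name, tok in [("session", SESSION), ("offline", OFFLINE), ("stale", STALE)]:
        print(name, "->", classify_refresh_token(tok, NOW))
```
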