[keycloak-user] Offline tokens with external IDP

Stian Thorgersen sthorger at redhat.com
Tue Aug 16 05:08:48 EDT 2016


On 16 August 2016 at 10:11, Haim Vana <haimv at perfectomobile.com> wrote:

> Hi Stian,
>
> Thanks for your answer.
>
>
> What I meant to ask is how to create an offline token for an external IDP; I
> wasn't able to do it with the REST API (I am able to do it if it's not an external IDP).
>
> The only way I managed to do it was by adding offline_access to the UI
> login page, so for an external IDP – is that the only way? Is the REST API not
> supported?
>

The login page is the only way for external IdPs.


>
>
> Assuming it's the only way, I thought of creating an external UI service for the
> user to log in and get his offline token.
>
> What do you think about such a solution? Also, if the user is already
> logged in – do you know if the offline token will be created? Or will he
> have to log out and log in again…
>

Depending on what your script is implemented in, it can also start a web
server on localhost, then pop up the browser window to do the login, and
finally it'll get the code and can get the offline token directly itself.
Take a look at our customer-app-cli example. It doesn't do offline tokens,
but it would be trivial to change it to do that instead.


>
>
> Thanks,
>
> Haim.
>
>
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* Tuesday, August 16, 2016 10:52 AM
> *To:* Haim Vana <haimv at perfectomobile.com>
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Offline tokens with external IDP
>
> On 25 July 2016 at 09:01, Haim Vana <haimv at perfectomobile.com> wrote:
>
> Hi,
>
> We have been using Keycloak for several weeks now; one of the flows is user
> script authentication with an offline token:
>
>
>
> 1. The user logs in to the UI
>
> 2. Generates an offline token by entering his password again
>
> 3. Puts the offline token in his script
>
> 4. Executes the script
>
>
>
> Now we want to add external IDP support. First, is it possible to generate
> offline tokens for an external IDP in Keycloak? If so, how?
>
>
>
> Assuming you're using the Keycloak login screen it's just a matter of
> configuring the external IdP as an identity broker provider and it will be
> displayed as an option on the login screen.
>
> Second, in step #2 above the user enters his password to generate the
> offline token; with an external IDP we can't use his password. One alternative
> is to always generate the offline token at login (add offline_access),
> however, does it make sense to create an offline token for every login?
>
>
>
> You shouldn't create an offline token for every login, just once for a new
> user or once the offline token is no longer valid.
>
> Thanks,
>
> Haim.
>
> The information contained in this message is proprietary to the sender,
> protected from disclosure, and may be privileged. The information is
> intended to be conveyed only to the designated recipient(s) of the message.
> If the reader of this message is not the intended recipient, you are hereby
> notified that any dissemination, use, distribution or copying of this
> communication is strictly prohibited and may be unlawful. If you have
> received this communication in error, please notify us immediately by
> replying to the message and deleting it from your computer. Thank you.
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
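The loopback flow Stian describes (script starts a web server on localhost, pops the browser to the Keycloak login, receives the code, exchanges it for the offline token itself), written out as an added example. This is not code from the thread or from Keycloak's customer-app-cli; it also adds PKCE and a state check, which the thread does not mention. KEYCLOAK_BASE, REALM, CLIENT_ID and LISTEN_PORT are placeholders, the client is assumed to be a public client with the localhost callback registered as an allowed redirect URI, and the endpoint paths use the `/auth` prefix of Keycloak releases from that era. The `typ=Offline` check reflects how Keycloak marks offline refresh tokens; the sample token used to exercise it is constructed and unsigned.

```python
"""Loopback authorization-code flow for fetching a Keycloak offline token.

Added example; not the thread's or Keycloak's own code. Placeholders:
KEYCLOAK_BASE, REALM, CLIENT_ID, LISTEN_PORT. Assumes a public client with
http://localhost:<LISTEN_PORT>/callback registered as a redirect URI and the
/auth URL prefix of older Keycloak releases.
"""
import base64
import hashlib
import http.server
import json
import secrets
import urllib.parse
import urllib.request
import webbrowser

KEYCLOAK_BASE = "https://keycloak.example.test"  # placeholder
REALM = "demo"                                   # placeholder
CLIENT_ID = "script-client"                      # placeholder
LISTEN_PORT = 8765
REDIRECT_URI = f"http://localhost:{LISTEN_PORT}/callback"
OIDC = f"{KEYCLOAK_BASE}/auth/realms/{REALM}/protocol/openid-connect"


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def pkce_challenge(verifier):
    """S256 challenge (RFC 7636): a code intercepted on loopback is useless without the verifier."""
    return b64url(hashlib.sha256(verifier.encode()).digest())


def build_authorization_url(state, verifier):
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid offline_access",  # offline_access makes Keycloak issue an offline token
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{OIDC}/auth?" + urllib.parse.urlencode(params)


def parse_callback(path, expected_state):
    """Return the code from the redirect, or None on state mismatch or IdP error."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(path).query)
    if params.get("state", [None])[0] != expected_state:
        return None  # not the login attempt this process started: ignore it
    if "error" in params:
        return None
    return params.get("code", [None])[0]


def token_request_body(code, verifier):
    """Form body for the token endpoint (public client, so no client secret)."""
    return urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }).encode()


def jwt_claims(token):
    """Decode a JWT payload without verifying it (local inspection only)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def is_offline_token(token):
    """Keycloak marks offline refresh tokens with typ=Offline."""
    return jwt_claims(token).get("typ") == "Offline"


# Constructed, unsigned sample (not issued by any server) to exercise the check.
SAMPLE_OFFLINE_TOKEN = ".".join([
    b64url(b'{"alg":"none"}'),
    b64url(json.dumps({"typ": "Offline", "azp": CLIENT_ID}).encode()),
    "",
])


def wait_for_code(expected_state):
    """Serve exactly one request on the loopback port and return the code."""
    result = {}

    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            result["code"] = parse_callback(self.path, expected_state)
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"Login complete; you can close this window.")

        def log_message(self, *args):  # keep the code out of the console log
            pass

    with http.server.HTTPServer(("127.0.0.1", LISTEN_PORT), Handler) as srv:
        srv.handle_request()
    return result.get("code")


def main():
    state, verifier = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
    webbrowser.open(build_authorization_url(state, verifier))
    code = wait_for_code(state)
    if code is None:
        raise SystemExit("login failed or the callback did not match this attempt")
    req = urllib.request.Request(f"{OIDC}/token", data=token_request_body(code, verifier))
    with urllib.request.urlopen(req) as resp:
        offline = json.load(resp)["refresh_token"]
    if not is_offline_token(offline):
        raise SystemExit("server returned an ordinary refresh token, not an offline one")
    print(offline)  # store once and reuse; do not repeat the login on every run


if __name__ == "__main__":
    main()
```

Run it once per user (or again only when the stored offline token has been revoked or has expired), as the thread advises; the script keeps the resulting refresh token and uses it against the token endpoint from then on, so the interactive login with the external IdP is not repeated on every execution.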