[keycloak-user] Quick clarification about Offline tokens
Marek Posolda
mposolda at redhat.com
Mon Feb 15 03:18:57 EST 2016
On 12/02/16 18:10, robinfernandes . wrote:
> Hi Everyone,
>
> So the scenario that I am trying to understand is as follows:
>
> 1. I get an offline token and I try to refresh my token pair
> (access,refresh) using this offline token.
> 2. Will I get a new offline token? Or will Keycloak see that you
> passed in an offline token so it will return the same offline token back?
>
> In the tests that I performed, I saw it returning a new offline token each
> time. Is that a correct understanding?
Yes, it works this way. However, if you have some DAO on your application
side, you don't need to save the new offline token every time. You can still
use the old offline token for refreshing and it will work. There is no
expiration on the offline token itself; there is just an expiration on the
keycloak-server side, which is updated during each token refresh (in
other words, as long as you refresh at least once every 30 days, you can
use the same offline token for years).
The only exception to this is if you have the "Revoke refresh token" switch
enabled for your realm. Then each offline token can be used just once,
so you always need to use the newest offline token.
Marek
> Is there any parameter I can pass to the token refresh call so that it
> gives me the same offline token back?
>
> Thanks,
> Robin
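The behaviour described in the reply above, as a toy model added here (it is not Keycloak code and not part of the original thread): `ToyRealm`, `TokenStore` and `old_token_reusable` are hypothetical names, days are plain integers, and the 30-day idle window is the figure from the reply. It shows that a store which always keeps the newest token works with "Revoke refresh token" on or off, while reusing the old token only works with the switch off.

```python
import secrets

IDLE_LIMIT_DAYS = 30  # server-side idle window mentioned in the reply


class ToyRealm:
    """Constructed stand-in for the server side; not Keycloak code."""
    def __init__(self, revoke_refresh_token=False):
        self.revoke_refresh_token = revoke_refresh_token  # the realm switch
        self.accepted = set()      # offline tokens the server still honours
        self.last_refresh_day = 0  # server-side state, updated on refresh

    def issue(self, day):
        token = secrets.token_urlsafe(16)
        self.accepted.add(token)
        self.last_refresh_day = day
        return token

    def refresh(self, offline_token, day):
        if day - self.last_refresh_day > IDLE_LIMIT_DAYS:
            self.accepted.clear()  # idle too long: the whole session is gone
        if offline_token not in self.accepted:
            raise PermissionError("offline token rejected")
        if self.revoke_refresh_token:
            self.accepted.discard(offline_token)  # single use
        return self.issue(day)  # a new offline token comes back every time


class TokenStore:
    """Hypothetical client-side DAO: always keep the newest token."""
    def __init__(self, realm, day=0):
        self.realm = realm
        self.token = realm.issue(day)

    def refresh(self, day):
        self.token = self.realm.refresh(self.token, day)
        return self.token


def old_token_reusable(revoke_refresh_token):
    """Refresh twice with the same original token; report if the 2nd works."""
    realm = ToyRealm(revoke_refresh_token)
    original = realm.issue(day=0)
    realm.refresh(original, day=10)
    try:
        realm.refresh(original, day=20)
        return True
    except PermissionError:
        return False
```

In a real client the newest token should be persisted before the old one is discarded, since with the switch enabled a lost response leaves no usable token.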