[keycloak-user] Client setup recommandation
Stian Thorgersen
sthorger at redhat.com
Mon Feb 6 06:15:05 EST 2017
Offline tokens should really only be used when it's possible to securely
store the token. Web applications and locale storage are not the most
secure. I would certainly consider carefully what scope you provide in the
token to make sure it's not used for sensitive operations.
It also means that users would have to logout separately from the web app.
It's no longer covered by things like remember me, remote logout, etc..
You're providing a permanent "login" to a web app, which then a user has to
know to separately logout.
Devil is in the details though. For some web apps it may make sense, but
I'd be careful before going down that path.
On 6 February 2017 at 12:01, David Delbecq <david_delbecq at trimble.com>
wrote:
> Could you elaborate on why this is a bad idea? This seems to be dedicated
> to the kind of request if have, getting a refresh token valid for a long
> period, while keeping regular client with shorter refresh token.
>
>
>
> On Fri, Feb 3, 2017 at 9:35 AM Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
> > It's all controlled by the session and there are no way to get tokens
> that
> > work for longer. Issuing offline tokens to a web application would be a
> > really bad idea. If you want users to remain authenticated set the idle
> to
> > a higher value. That's it.
> >
> > On 25 January 2017 at 15:09, David Delbecq <david_delbecq at trimble.com>
> > wrote:
> >
> > Hello,
> >
> > we have a javascript web application we are migrating to keycloak. I am
> not
> > sue what are the recommandations on setting up configuration for that
> > client with the following requirement:
> >
> > Once user triggers the "login" and gets keycloak authenticated, we should
> > get a bearer token to use later on REST services.
> > The user should not be requested again to login, unless he logs out. Even
> > if he closes his browser. So we need a way to keep or replace token on a
> > regular basis. Is there some keycloak REST service we can poll on a
> regular
> > basis for this?
> > Sometimes the user goes "off grid" (no network communication) for several
> > hours. How can we ensure we still keep logged in?
> >
> > My first idea was to just increase the SSO timeout and token validity to
> 30
> > days. But it seems like a bad idea from my reading of keycloak
> > documentation. So i tried to use an offline token instead, but it seems
> the
> > implicit flow doesn't allow you to get an offline token. All token i get
> > after login are marked as expiring within 15 minutes.
> >
> > What's the recommended way to get long lived refresh token, using
> implicit
> > flow?
> >
> > --
> > <http://www.trimble.com/>
> >
> >
> > David Delbecq
> > Software engineer, Transport & Logistics
> > Geldenaaksebaan 329, 1st floor | 3001 Leuven
> >
> > +32 16 391 121 <+32%2016%20391%20121> Direct
> > david.delbecq at trimbletl.com
> > <http://www.trimbletl.com/>
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
> > --
> <http://www.trimble.com/>
> David Delbecq
> Software engineer, Transport & Logistics
> Geldenaaksebaan 329, 1st floor | 3001 Leuven
> +32 16 391 121 <+32%2016%20391%20121> Direct
> david.delbecq at trimbletl.com
> <http://www.trimbletl.com/>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
More information about the keycloak-user
mailing list