[keycloak-user] Client setup recommendation

David Delbecq david_delbecq at trimble.com
Wed Feb 8 07:06:27 EST 2017


In this case this is indeed a webapp that tries to act as much as possible
like a native app, but without the burden of having to build and release for
each mobile device. I will continue to analyze that information and see
if we can find a way around our issues without an offline token. Thanks for
your explanations.



On Mon, Feb 6, 2017 at 12:15 PM Stian Thorgersen <sthorger at redhat.com>
wrote:

> Offline tokens should really only be used when it's possible to securely
> store the token. Web applications and local storage are not the most
> secure. I would certainly consider carefully what scope you provide in the
> token to make sure it's not used for sensitive operations.
>
> It also means that users would have to log out separately from the web app.
> It's no longer covered by things like remember me, remote logout, etc.
> You're providing a permanent "login" to a web app, which a user then has to
> know to separately log out of.
>
> Devil is in the details though. For some web apps it may make sense, but
> I'd be careful before going down that path.
>
> On 6 February 2017 at 12:01, David Delbecq <david_delbecq at trimble.com>
> wrote:
>
> Could you elaborate on why this is a bad idea? This seems to be dedicated
> to the kind of request I have: getting a refresh token valid for a long
> period, while keeping regular clients with a shorter refresh token.
>
>
>
> On Fri, Feb 3, 2017 at 9:35 AM Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
> > It's all controlled by the session and there is no way to get tokens that
> > work for longer. Issuing offline tokens to a web application would be a
> > really bad idea. If you want users to remain authenticated, set the idle
> > timeout to a higher value. That's it.
> >
> > On 25 January 2017 at 15:09, David Delbecq <david_delbecq at trimble.com>
> > wrote:
> >
> > Hello,
> >
> > we have a JavaScript web application we are migrating to Keycloak. I am not
> > sure what the recommendations are on setting up the configuration for that
> > client with the following requirements:
> >
> > Once the user triggers the "login" and gets Keycloak-authenticated, we should
> > get a bearer token to use later on REST services.
> > The user should not be asked to log in again unless he logs out, even
> > if he closes his browser. So we need a way to keep or replace the token on a
> > regular basis. Is there some Keycloak REST service we can poll on a regular
> > basis for this?
> > Sometimes the user goes "off grid" (no network communication) for several
> > hours. How can we ensure he still stays logged in?
> >
> > My first idea was to just increase the SSO timeout and token validity to 30
> > days. But it seems like a bad idea from my reading of the Keycloak
> > documentation. So I tried to use an offline token instead, but it seems the
> > implicit flow doesn't allow you to get an offline token. All tokens I get
> > after login are marked as expiring within 15 minutes.
> >
> > What's the recommended way to get a long-lived refresh token using the implicit
> > flow?
> >
> > --
> > <http://www.trimble.com/>
> >
> > David Delbecq
> > Software engineer, Transport & Logistics
> > Geldenaaksebaan 329, 1st floor | 3001 Leuven
> >
> > +32 16 391 121 Direct
> > david.delbecq at trimbletl.com
> > <http://www.trimbletl.com/>
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
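The points argued in this thread, as an added example that is not code from the thread, from keycloak-js or from the Keycloak project: (1) why the implicit flow cannot yield an offline token, (2) how Keycloak's access, refresh and offline tokens can be told apart once decoded, (3) when a refresh is due and what the refresh request to the token endpoint looks like, and (4) a scope check for an offline token that will end up in local storage. The realm URL, client id, redirect URI and all tokens are constructed placeholders; the decoder does not verify signatures (it is only used to schedule a refresh, never to authorize anything).

```javascript
// Added example, not from the thread or from Keycloak. Realm URL, client id
// and tokens below are assumed/constructed placeholders.
const REALM_URL = 'https://sso.example.com/auth/realms/demo'; // assumed realm
const AUTH_ENDPOINT = `${REALM_URL}/protocol/openid-connect/auth`;
const TOKEN_ENDPOINT = `${REALM_URL}/protocol/openid-connect/token`;

function b64urlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8'); // Node; atob() in a browser
}
function b64urlEncode(s) {
  return Buffer.from(s, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Build the authorization request. RFC 6749 section 4.2 forbids issuing a
// refresh token in the implicit flow, so "offline_access" only makes sense
// with response_type=code (Keycloak's "standard flow").
function buildLoginUrl(clientId, redirectUri, { flow = 'standard', offline = false } = {}) {
  if (flow === 'implicit' && offline) {
    throw new Error('offline_access needs the standard (code) flow: implicit never returns a refresh token');
  }
  const params = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: flow === 'implicit' ? 'id_token token' : 'code',
    scope: offline ? 'openid offline_access' : 'openid',
  });
  return `${AUTH_ENDPOINT}?${params.toString()}`;
}

// Payload only; the signature is NOT checked here.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(b64urlDecode(parts[1]));
}

// Keycloak marks the token kind in "typ": Bearer (access token), Refresh
// (bound to the SSO session), Offline (outlives the session; the thread's topic).
function classifyToken(token) {
  const { typ } = decodeJwtPayload(token);
  return { Bearer: 'access', Refresh: 'refresh', Offline: 'offline' }[typ] || 'unknown';
}

function secondsUntilExpiry(token, nowSeconds) {
  const { exp } = decodeJwtPayload(token);
  if (typeof exp !== 'number' || exp === 0) return Infinity; // no usable expiry claim
  return exp - nowSeconds;
}

// Same idea as keycloak-js updateToken(minValidity): refresh when fewer than
// minValidity seconds remain. The 15-minute lifetime mentioned in the thread
// is the access token; refreshing it is what keeps the user "logged in".
function shouldRefresh(accessToken, nowSeconds, minValiditySeconds = 30) {
  return secondsUntilExpiry(accessToken, nowSeconds) < minValiditySeconds;
}

// Refresh grant for a public client: no client secret, just the refresh (or
// offline) token. Returned as a plain object so it can be inspected or handed to fetch().
function buildRefreshRequest(clientId, refreshToken) {
  const body = new URLSearchParams({
    grant_type: 'refresh_token',
    client_id: clientId,
    refresh_token: refreshToken,
  });
  return {
    url: TOKEN_ENDPOINT,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// The scope caveat from the thread: an offline token kept in local storage
// should not carry scopes that unlock sensitive operations. Report anything
// outside an allow-list so it can be stripped from the client's scope mapping.
function unexpectedScopes(offlineToken, allowed) {
  const scope = decodeJwtPayload(offlineToken).scope || '';
  return scope.split(' ').filter((s) => s && !allowed.includes(s));
}

// Constructed, unsigned sample tokens (alg "none", fake signature) for illustration only.
function constructedToken(claims) {
  const header = b64urlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  return `${header}.${b64urlEncode(JSON.stringify(claims))}.sig`;
}
const NOW = 1486537587; // arbitrary epoch second (Feb 2017), constructed
const SAMPLE = {
  access: constructedToken({ typ: 'Bearer', exp: NOW + 900, scope: 'openid' }),
  refresh: constructedToken({ typ: 'Refresh', exp: NOW + 1800 }),
  offline: constructedToken({ typ: 'Offline', exp: NOW + 30 * 86400, scope: 'openid offline_access payments' }),
};
```

With the constructed samples, `classifyToken` labels the three kinds, `shouldRefresh(SAMPLE.access, NOW + 880)` is true because under 30 seconds remain, `buildLoginUrl` refuses `offline: true` together with `flow: 'implicit'`, and `unexpectedScopes(SAMPLE.offline, ['openid', 'offline_access'])` flags `payments` as a scope that should not ride along in a token stored in the browser. Whichever path is chosen, the refresh request is the same `grant_type=refresh_token` POST; what differs is only whether the token being presented dies with the SSO session or not.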

