[keycloak-user] Understanding Offline Tokens

Marek Posolda mposolda at redhat.com
Fri Jun 2 11:14:04 EDT 2017


On 01/06/17 18:09, Mike Hills wrote:
> Hi All,
>
> I need to implement offline tokens (
> https://keycloak.gitbooks.io/documentation/content/server_admin/topics/sessions/offline.html)
> for a number of our REST services.
>
> I followed the instructions provided and it seems to work well. I do have a
> couple of questions to confirm my approach please.
>
>
>     1. The generated offline refresh token is used to return a valid token
>     using the grant_type of refresh_token. Does this mean that the
>     refresh_token call must be made each time (assuming previous token has
>     timed out)?
Yes. The access token timeout is supposed to be short (1-5 mins or so), so 
once it is expired, you may need to use the offline token for the refresh 
request and retrieve a new access token.
>     2. Is it best practice to hand out the same token for each client that
>     needs to authenticate against the service or create a new client for each
>     client service?
There are 2 main types of applications:
1. Frontend clients: Those are applications which authenticate 
against Keycloak and retrieve the tokens dedicated to them.
2. REST clients: Those are usually bearer-only clients, which don't 
authenticate directly against Keycloak. They just wait until some other 
service of type 1 sends them the access token.

It is best to have a dedicated client (and tokens) for every client 
of type 1. Then you use the token to call the backend REST services of 
type 2 from this client. If a client wants to access 5 different REST 
services, you still use the same token to authenticate against them. You may 
just need the scope roles to be available in the token, so that the REST service 
can access them.

For more details, see our documentation and examples.

Marek
>
>
> Any help is appreciated,
>
> Regards,
> mike
>
>
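The refresh pattern Marek describes (a short-lived access token, re-obtained from the offline token with `grant_type=refresh_token` only once it has expired, then reused against every REST service) as an added example; this is not code from the thread or from the Keycloak project. The token endpoint URL, `CLIENT_ID` and `CLIENT_SECRET` are hypothetical, and `make_sample_jwt` builds an unsigned constructed token so the example runs without a Keycloak server.

```python
import base64, json, time, urllib.parse, urllib.request

# Hypothetical endpoint and client credentials; substitute your realm's values.
TOKEN_ENDPOINT = "https://keycloak.example.com/auth/realms/demo/protocol/openid-connect/token"
CLIENT_ID = "batch-job"        # confidential client that requested the offline_access scope
CLIENT_SECRET = "replace-me"

def jwt_exp(token):
    """Read the 'exp' claim of a JWT without verifying it. The client only uses it
    to decide *when* to refresh; verifying the signature is the job of the
    bearer-only REST service that receives the token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)           # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["exp"]

def make_sample_jwt(exp):
    """Constructed, unsigned JWT (alg=none) so the example can run offline."""
    parts = [b'{"alg":"none","typ":"JWT"}', json.dumps({"exp": exp}).encode()]
    return ".".join(base64.urlsafe_b64encode(p).rstrip(b"=").decode() for p in parts) + "."

def post_form(url, fields):
    """Default transport: form-encoded POST to the token endpoint, JSON response."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode())
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())

class OfflineTokenClient:
    """Holds one offline token for one type-1 client. The access token obtained
    from it is reused, unchanged, against every REST service the client calls."""

    def __init__(self, offline_token, post=post_form, leeway=30):
        self.offline_token, self.post, self.leeway = offline_token, post, leeway
        self.access_token = None

    def get_access_token(self, now=None):
        """Return a cached access token, refreshing only when it is (nearly) expired."""
        now = time.time() if now is None else now
        if self.access_token is None or jwt_exp(self.access_token) - self.leeway <= now:
            body = self.post(TOKEN_ENDPOINT, {
                "grant_type": "refresh_token", "client_id": CLIENT_ID,
                "client_secret": CLIENT_SECRET, "refresh_token": self.offline_token})
            self.access_token = body["access_token"]
            # Keycloak may re-issue the offline token in the response; keep the newest.
            self.offline_token = body.get("refresh_token", self.offline_token)
        return self.access_token

    def auth_header(self, now=None):
        """Authorization header for any of the REST services behind the same realm."""
        return {"Authorization": "Bearer " + self.get_access_token(now)}
```

Passing a fake `post` callable lets you exercise the refresh decision in tests; in production the default transport posts to the realm's token endpoint.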