[keycloak-user] Offline Tokens Become Useless When SSO Session Max is Reached - 2.0
Heide, Marc
heide at 365farmnet.com
Tue May 2 10:05:18 EDT 2017
Well ok, obviously I have not searched deep enough, there is already a Jira for this:
https://issues.jboss.org/browse/KEYCLOAK-4521
br
Marc
On 02.05.17, 14:43, "keycloak-user-bounces at lists.jboss.org on behalf of Heide, Marc" <keycloak-user-bounces at lists.jboss.org on behalf of heide at 365farmnet.com> wrote:
Hi,
We try to use Keycloak with offline tokens for end users, but in contradiction to
https://lists.jboss.org/pipermail/keycloak-user/2017-January/009096.html
where the Admin API is requested, we try to access the UserInfo endpoint.
As soon as the user session that created the offline token has died, the UserInfo endpoint returns a 401 with:
{
"error": "invalid_request",
"error_description": "User session not found"
}
By looking at
https://issues.jboss.org/browse/KEYCLOAK-4201 and
https://issues.jboss.org/browse/KEYCLOAK-4371
and without really knowing the internals, could it be the same problem here in the UserInfoEndpoint class, line 142?
It obviously does not consider offline sessions at all. Is that wanted behavior?
According to the OIDC spec the UserInfo endpoint should be usable with a valid offline access token even if the user session has been ended.
(http://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess)
Best Regards
Marc
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
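The flow Marc describes (use a stored offline token to obtain an access token, then call the UserInfo endpoint) can be scripted as a diagnostic so that the "User session not found" failure is recognised explicitly rather than surfacing as a generic 401. The following is an added example, not code from the thread or from Keycloak; the realm URL, client credentials and the injectable `http` transport are assumptions, and the fake transport reproduces the response quoted in the mail so the check can be exercised without a server.

```python
"""Diagnose whether a UserInfo call still works once the SSO session behind an
offline token is gone (added example; not code from the thread or from Keycloak)."""
import json
import urllib.parse
import urllib.request
from urllib.error import HTTPError

# Hypothetical realm endpoints; replace with the real realm's OIDC URLs.
BASE = "https://keycloak.example.invalid/auth/realms/demo/protocol/openid-connect"
TOKEN_URL = BASE + "/token"
USERINFO_URL = BASE + "/userinfo"


def _http(req):
    """Default transport: plain urllib. Returns (status, decoded JSON body)."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read().decode())
    except HTTPError as e:
        return e.code, json.loads(e.read().decode() or "{}")


def refresh_offline_token(client_id, client_secret, offline_token, http=_http):
    """Exchange a stored offline (refresh) token for a fresh access token.
    An offline token is used with the ordinary refresh_token grant."""
    data = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": offline_token,
    }).encode()
    req = urllib.request.Request(TOKEN_URL, data=data, method="POST")
    return http(req)


def fetch_userinfo(access_token, http=_http):
    """Call the UserInfo endpoint with the access token as a Bearer credential."""
    req = urllib.request.Request(
        USERINFO_URL, headers={"Authorization": "Bearer " + access_token})
    return http(req)


def check_offline_userinfo(client_id, client_secret, offline_token, http=_http):
    """Return a verdict: 'ok', 'session-gone' (the 401 quoted in the thread),
    'refresh-failed' (the offline token itself was rejected) or 'other-error'."""
    status, body = refresh_offline_token(client_id, client_secret, offline_token, http)
    if status != 200 or "access_token" not in body:
        return "refresh-failed"
    status, body = fetch_userinfo(body["access_token"], http)
    if status == 200:
        return "ok"
    if status == 401 and body.get("error_description") == "User session not found":
        return "session-gone"
    return "other-error"


def fake_transport_session_expired(req):
    """Constructed stand-in for a server whose SSO session has hit Session Max:
    the token endpoint still refreshes, but UserInfo answers as quoted in the mail."""
    if req.full_url == TOKEN_URL:
        return 200, {"access_token": "constructed.access.token", "token_type": "bearer"}
    return 401, {"error": "invalid_request",
                 "error_description": "User session not found"}


def fake_transport_healthy(req):
    """Constructed stand-in for a server where the offline token keeps working."""
    if req.full_url == TOKEN_URL:
        return 200, {"access_token": "constructed.access.token", "token_type": "bearer"}
    return 200, {"sub": "constructed-user-id", "preferred_username": "demo"}


if __name__ == "__main__":
    # Dry run against the constructed transports; pass http=_http for a live realm.
    print(check_offline_userinfo("cli", "secret", "offline-token",
                                 http=fake_transport_session_expired))
    print(check_offline_userinfo("cli", "secret", "offline-token",
                                 http=fake_transport_healthy))
```

Running the check on a schedule longer than the realm's SSO Session Max turns the behaviour in the thread into a concrete, repeatable observation ('session-gone' after the cut-off) that can be attached to a bug report or used as a regression test after upgrading.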