[keycloak-user] Offline tokens with external IDP

Carlos Feria carlosthe19916 at gmail.com
Wed Feb 14 22:17:11 EST 2018


I'm facing a similar problem to Haim Vana's. I need offline access to an
external IDP (Google). I mean, I need to read the user's inbox in offline mode
(using the external token), but the problem is that the token stored in
Keycloak is just the access_token and there is no refresh_token, and because of
that it is not possible to get a new access_token from Google without logging
in again.

I was searching a little about this and I found this message
http://lists.jboss.org/pipermail/keycloak-dev/2015-April/004350.html
where "Stian Thorgersen" <stian at redhat.com> explains a little about the
problem.

In general, is there a way to have offline access to an external IDP? How
would I face this problem? Please help me.

On Mon, Sep 19, 2016 at 5:27 AM, Haim Vana <haimv at perfectomobile.com> wrote:

> Hi,
>
> I have combined the offline-access and the saml-broker-authentication
> examples in order to create a demo for generating offline tokens.
>
> It works as expected with an external IDP, however when the user is already
> logged in the offline token is not generated; a regular token is generated
> instead.
>
> Any idea if this is as designed, or am I doing something wrong? If it is by
> design, is there any workaround to generate the external IDP offline token
> without the user logging out?
>
> Thanks,
>
> Haim.
>
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* Tuesday, August 16, 2016 12:09 PM
> *To:* Haim Vana <haimv at perfectomobile.com>
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Offline tokens with external IDP
>
> On 16 August 2016 at 10:11, Haim Vana <haimv at perfectomobile.com> wrote:
>
> Hi Stian,
>
> Thanks for your answer.
>
> What I meant to ask is how to create an offline token for an external IDP; I
> wasn't able to do it with the REST API (I am able to do it if it's not an
> external IDP).
>
> The only way I managed to do it was by adding offline_access to the UI
> login page, so for an external IDP – is it the only way? Is the REST API not
> supported?
>
> Login page is the only way for external IdPs.
>
> Assuming it's the only way, I thought to create an external UI service for
> the user to log in and get his offline token.
>
> What do you think about such a solution? Also, if the user is already
> logged in – do you know if the offline token will be created? Or will he
> have to log out and log in again…
>
> Depending on what your script is implemented in, it can also start a web
> server on localhost, then pop up the browser window to do the login, and
> finally it'll get the code and can get the offline token directly itself.
> Take a look at our customer-app-cli example. It doesn't do offline tokens,
> but it would be trivial to change it to do that instead.
>
>
> Thanks,
>
> Haim.
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* Tuesday, August 16, 2016 10:52 AM
> *To:* Haim Vana <haimv at perfectomobile.com>
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Offline tokens with external IDP
>
> On 25 July 2016 at 09:01, Haim Vana <haimv at perfectomobile.com> wrote:
>
>
> Hi,
>
> We have been using KeyCloak for several weeks now; one of the flows is user
> script authentication with an offline token:
>
> 1. The user logs in to the UI
> 2. Generates an offline token by entering his password again
> 3. Puts the offline token in his script
> 4. Executes the script
>
> Now we want to add external IDP support. First, is it possible to generate
> offline tokens for an external IDP in KeyCloak? If so, how?
>
> Assuming you're using the Keycloak login screen it's just a matter of
> configuring the external IdP as an identity broker provider and it will be
> displayed as an option on the login screen.
>
> Second, in step #2 above the user enters his password to generate the
> offline token; with an external IDP we can't use his password. One
> alternative is to always generate the offline token at login (add
> offline_access), however does it make sense to create an offline token for
> every login?
>
> You shouldn't create an offline token for every login, just once for a new
> user or once the offline token is no longer valid.
>
> Thanks,
>
> Haim.
>
> The information contained in this message is proprietary to the sender,
> protected from disclosure, and may be privileged. The information is
> intended to be conveyed only to the designated recipient(s) of the message.
> If the reader of this message is not the intended recipient, you are hereby
> notified that any dissemination, use, distribution or copying of this
> communication is strictly prohibited and may be unlawful. If you have
> received this communication in error, please notify us immediately by
> replying to the message and deleting it from your computer. Thank you.
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-- 
Carlos E. Feria Vila
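Stian's suggestion above (a script that serves a localhost callback, pops the browser to the Keycloak login page with offline_access requested, and exchanges the returned code itself) sketched in Python as an added example; this is not the customer-app-cli example nor any code from the thread. The realm URL, client id and localhost port are assumed, and a user arriving through a brokered external IdP follows the same flow, since the login page is the only place the offline_access scope is granted.

```python
import base64, hashlib, http.server, json, secrets, urllib.parse, urllib.request, webbrowser

# Assumed (not from the thread): realm URL and a public client allowing this redirect URI
KEYCLOAK = "https://keycloak.example.com/auth/realms/demo"
CLIENT_ID = "offline-cli"
REDIRECT_URI = "http://localhost:8400/callback"

def pkce_pair():
    # PKCE: a verifier kept by the script and its S256 challenge sent with the request
    verifier = secrets.token_urlsafe(64)
    return verifier, base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()

def build_auth_url(state, challenge, idp_hint=None):
    # offline_access has to be requested here: the login page is the only place it is granted
    params = {"client_id": CLIENT_ID, "response_type": "code", "redirect_uri": REDIRECT_URI,
              "scope": "openid offline_access", "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    if idp_hint:  # Keycloak's kc_idp_hint sends the user straight to the brokered IdP
        params["kc_idp_hint"] = idp_hint
    return f"{KEYCLOAK}/protocol/openid-connect/auth?" + urllib.parse.urlencode(params)

def parse_callback(path, expected_state):
    # Take the code from the redirect; a wrong state means the response is not ours
    query = urllib.parse.parse_qs(urllib.parse.urlparse(path).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    if "error" in query: raise ValueError(query["error"][0])
    return query["code"][0]

def token_request(code, verifier):
    # Code exchange at the token endpoint; Keycloak returns the offline token as refresh_token
    body = urllib.parse.urlencode({"grant_type": "authorization_code", "client_id": CLIENT_ID,
                                   "code": code, "redirect_uri": REDIRECT_URI,
                                   "code_verifier": verifier}).encode()
    return urllib.request.Request(f"{KEYCLOAK}/protocol/openid-connect/token", data=body, method="POST")

def get_offline_token(idp_hint=None):
    state, (verifier, challenge), result = secrets.token_urlsafe(16), pkce_pair(), {}
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path.startswith("/callback"):
                result["code"] = parse_callback(self.path, state)
            self.send_response(200); self.end_headers(); self.wfile.write(b"You can close this tab.")
        def log_message(self, *args): pass  # keep the code out of the console log
    with http.server.HTTPServer(("localhost", 8400), Handler) as srv:
        webbrowser.open(build_auth_url(state, challenge, idp_hint))
        while "code" not in result:  # serve until the redirect carrying the code arrives
            srv.handle_request()
    with urllib.request.urlopen(token_request(result["code"], verifier)) as resp:
        return json.load(resp)["refresh_token"]  # store this once and reuse it in the script
```

Calling get_offline_token("google") once per user and keeping the result matches the advice in the thread to issue an offline token only for a new user or once the old one stops being valid.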