Reference tokens are tokens that must be validated by Keycloak through the user info or introspection endpoints. These tokens should carry very little information, just enough for the auth server to validate them. We also need to make sure their format states that they are reference tokens and which realm they come from; client adapters that want to accept a reference token as a bearer token will need this.
IMPORTANT: I also want these reference tokens to never expire and to be valid for however long the login session lasts. This is important for OpenShift integration, as OpenShift tokens currently last forever until they are revoked.
I would like to implement these as JWEs that contain the user session and auth session ids, and maybe store realm and type information in the JWE header so that client adapters can figure out what type of token they are.
If we implement reference tokens as JWEs and make them valid as long as the user session is valid, we don't have to care whether the session is offline or not. It should just work.
One last thing we should consider is allowing a configurable cache timeout for reference tokens; this timeout should be specified within the document returned by the introspection endpoint and the user info endpoint. This gives clients a hint if they want to cache responses from reference token validation. (FYI: Kubernetes/OpenShift cache validations.)
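As an added illustration of the whole scheme (example code, not from the Keycloak project or this proposal), here is a Go sketch using only the standard library: a compact JWE (RFC 7516, alg=dir, enc=A256GCM) encrypted under a per-realm key, whose protected header carries an assumed `typ` of `reference-token` and an assumed `realm` parameter so an adapter can classify the token without decrypting it; a payload holding only the user and auth session ids and no `exp` claim; and an introspection response whose `cache_ttl` field is an assumed, non-standard cache hint. The in-memory session map stands in for Keycloak's session store, and every name below is an assumption for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// RefHeader is sent in the clear so a client adapter can tell what it holds
// without calling the auth server. "typ" value and "realm" are assumptions.
type RefHeader struct {
	Alg   string `json:"alg"`   // "dir": the realm key encrypts the payload directly
	Enc   string `json:"enc"`   // "A256GCM"
	Typ   string `json:"typ"`   // assumed marker: "reference-token"
	Realm string `json:"realm"` // assumed: realm the token belongs to
}

// RefPayload is the minimal content: just the ids the server needs to look up.
// There is deliberately no "exp" claim; the session lookup decides validity.
type RefPayload struct {
	UserSessionID string `json:"usid"`
	AuthSessionID string `json:"asid"`
}

var b64 = base64.RawURLEncoding

// Encrypt builds a compact JWE: header..iv.ciphertext.tag (empty encrypted key for alg=dir).
func Encrypt(key []byte, realm string, p RefPayload) (string, error) {
	hdr, _ := json.Marshal(RefHeader{Alg: "dir", Enc: "A256GCM", Typ: "reference-token", Realm: realm})
	protected := b64.EncodeToString(hdr)
	plain, _ := json.Marshal(p)
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	iv := make([]byte, gcm.NonceSize()) // 96-bit nonce, as A256GCM requires
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nil, iv, plain, []byte(protected)) // AAD = protected header, per RFC 7516
	ct, tag := sealed[:len(sealed)-gcm.Overhead()], sealed[len(sealed)-gcm.Overhead():]
	return strings.Join([]string{protected, "", b64.EncodeToString(iv), b64.EncodeToString(ct), b64.EncodeToString(tag)}, "."), nil
}

// PeekHeader is the adapter side: read the protected header only, no key needed.
func PeekHeader(token string) (RefHeader, error) {
	var h RefHeader
	parts := strings.Split(token, ".")
	if len(parts) != 5 {
		return h, errors.New("not a compact JWE")
	}
	raw, err := b64.DecodeString(parts[0])
	if err != nil {
		return h, err
	}
	return h, json.Unmarshal(raw, &h)
}

// Decrypt is the server side: authenticate header and ciphertext, recover the payload.
func Decrypt(key []byte, token string) (RefHeader, RefPayload, error) {
	var p RefPayload
	h, err := PeekHeader(token)
	if err != nil {
		return h, p, err
	}
	if h.Alg != "dir" || h.Enc != "A256GCM" {
		return h, p, errors.New("unexpected alg/enc")
	}
	parts := strings.Split(token, ".")
	iv, e1 := b64.DecodeString(parts[2])
	ct, e2 := b64.DecodeString(parts[3])
	tag, e3 := b64.DecodeString(parts[4])
	if e1 != nil || e2 != nil || e3 != nil {
		return h, p, errors.New("bad base64url")
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	plain, err := gcm.Open(nil, iv, append(ct, tag...), []byte(parts[0])) // tampered header fails here
	if err != nil {
		return h, p, err
	}
	return h, p, json.Unmarshal(plain, &p)
}

// Introspection mirrors an RFC 7662 response; "cache_ttl" is an assumed hint for caching clients.
type Introspection struct {
	Active   bool   `json:"active"`
	Sub      string `json:"sub,omitempty"`
	Realm    string `json:"realm,omitempty"`
	CacheTTL int    `json:"cache_ttl"`
}

// Server is a constructed stand-in for one realm of the auth server.
type Server struct {
	Realm    string
	Key      []byte
	Sessions map[string]string // user session id -> user; removal models logout/expiry
	CacheTTL int
}

// Introspect validates a reference token purely by session lookup: no exp claim is consulted.
func (s *Server) Introspect(token string) Introspection {
	h, p, err := Decrypt(s.Key, token)
	if err != nil || h.Typ != "reference-token" || h.Realm != s.Realm {
		return Introspection{Active: false, CacheTTL: s.CacheTTL}
	}
	user, ok := s.Sessions[p.UserSessionID]
	if !ok {
		return Introspection{Active: false, CacheTTL: s.CacheTTL}
	}
	return Introspection{Active: true, Sub: user, Realm: h.Realm, CacheTTL: s.CacheTTL}
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	s := &Server{Realm: "demo", Key: key, Sessions: map[string]string{"us-1": "alice"}, CacheTTL: 60}
	tok, _ := Encrypt(key, "demo", RefPayload{UserSessionID: "us-1", AuthSessionID: "as-1"})
	h, _ := PeekHeader(tok)
	fmt.Printf("adapter sees typ=%s realm=%s\n", h.Typ, h.Realm)
	fmt.Printf("%+v\n", s.Introspect(tok))
	delete(s.Sessions, "us-1") // user logs out: the token dies with the session
	fmt.Printf("%+v\n", s.Introspect(tok))
}
```

Because the header is the AEAD's associated data, an attacker cannot rewrite `realm` or `typ` to route a token at another realm's endpoint; the server still compares the decrypted header's realm against its own so a token encrypted under a shared key cannot cross realms either.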