Uploaded image for project: 'Keycloak'
  1. Keycloak
  2. KEYCLOAK-7002

Reference tokens

    XMLWordPrintable

Details

    • Feature Request
    • Status: Closed
    • Major
    • Resolution: Done
    • None
    • None
    • None

    Description

      Reference tokens are tokens that must be validated by Keycloak through user info or introspection interfaces. These tokens should have very little information within them. Just enough for the auth server to validate. We also need to make sure their format has information stating that they are reference tokens and which realm they come from. This will be needed for client adapters that want to accept a reference token as a bearer token

      IMPORT: I also want these reference tokens to never expire and to be valid for however long the login session lasts. This is important for openshift integration as openshift tokens currently last forever until they are revoked.

      I would like to implement these as JWEs that contain the user session and auth session ids and maybe store realm and type information in the JWE header so that client adapters can figure out what type of token they are.

      If we implement reference tokens as JWEs and make them valid as long as the user session is valid, we don't have to care about whether the session is offline or not. It should just work.

      One last thing we should consider is allowing a configurable cache timeout for reference tokens and that this timeout should be specified within the document returned by the introspection endpoint and the user info endpoint. This gives hints to clients if they want to cache responses from reference token validation. (FYI kub/openshift cache validations).

      Attachments

        Issue Links

          duplicates

          Feature Request - Feature requests from customers and/or users KEYCLOAK-8278 Reference tokens (non-opaque tokens)

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Triage
          is duplicated by

          Feature Request - Feature requests from customers and/or users KEYCLOAK-1719 Reference Tokens

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is related to

          Feature Request - Feature requests from customers and/or users KEYCLOAK-7635 Authenticate clients with x509 certificate

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Task - A task that needs to be done. KEYCLOAK-6226 Allow Replacing OpenShift OAuth Server

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              sthorger@redhat.com Stian Thorgersen
              patriot1burke@gmail.com Bill Burke (Inactive)
              Votes:
              5 Vote for this issue
              Watchers:
              14 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: