Details
- Type: Task
- Resolution: Done
- Priority: Major
Description
Started in this thread:
http://lists.jboss.org/pipermail/keycloak-dev/2015-May/004556.html
Followed up on IRC:
<stianst> jpkroehling: actually I just thought of a way you can solve your issues
<jpkroehling> I'
<jpkroehling> I'm not an issue :(
<stianst> jpkroehling: you can provide a mechanism in hawkular console to generate a token for an agent
<stianst> jpkroehling: lol, that's the second time I've done that ;)
<stianst> jpkroehling: we want to add support for offline tokens in the future, and they are active until a user or admin revokes them
<stianst> jpkroehling: basically in hawkular you'd have a "register agent" option, that would generate a refresh token that you then copy/paste to the agent
<jpkroehling> stianst, would this token need to be refreshed?
<jpkroehling> stianst, I think there's a setting in the realm that would allow tokens not to expire, right?
<jpkroehling> btw, this offline token is exactly what we need
<jpkroehling> if you have a definition already on how that would work, I can help implement it
<stianst> jpkroehling: agents should get an access token using this refresh token before invoking your rest services
<stianst> jpkroehling: you could also have hawkular manage the refresh tokens on behalf of the agents
<stianst> jpkroehling: and just give the agent a reference to the token
<stianst> jpkroehling: does that make sense? if not I can explain in hangout
* jkremser (~jkremser@redhat/jboss/jkremser) has joined #keycloak
<jpkroehling> stianst, it makes sense
<jpkroehling> stianst, so, a user would get a refresh token from hawkular console, would enter this into a configuration file on the agent side, our agent would get this and send it as a token, a broker on our backend would swap this refresh for an access token and perform the request
<jpkroehling> so, as far as the agent is concerned, this refresh token is a "permanent token"/"offline token"
<stianst> jpkroehling: not quite
<stianst> jpkroehling: hawkular console would get the refresh token and store it in a db - it would then display a reference to the token (uuid or somethin') to the user and the user would copy/paste the reference to the agent
<jpkroehling> got it
<jpkroehling> makes sense
<stianst> jpkroehling: hawkular (or a proxy) would be responsible for refreshing the access token, and swapping the reference with the actual token
<stianst> jpkroehling: no json parsing, token refreshing, token verification or anything like that in agents
<jpkroehling> I like this idea
<jpkroehling> then, we'd need to pre-process this before the Keycloak auth kicks in
<jpkroehling> and put a "bearer token" into the incoming request, so that the rest of the auth is done by KC
<stianst> jpkroehling: yep, you need to store the refresh token for an agent in a db (or another persistent store) and probably just keep access tokens in-mem.
<stianst> jpkroehling: this could be done by a filter or a proxy in front of hawkular services
<jpkroehling> stianst, I'll try that out
<jpkroehling> stianst, thanks!
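The flow agreed on in the log (agent holds only an opaque reference; the backend keeps the refresh token in a persistent store, keeps access tokens in memory, and a filter swaps the reference for a bearer token before the normal Keycloak auth runs) as an added, self-contained sketch. This is example code written for this ticket, not Keycloak or Hawkular code. It assumes a hypothetical `X-Agent-Reference` request header, a `refresh_fn` standing in for a `grant_type=refresh_token` call to the token endpoint, and a fake endpoint that rotates refresh tokens on each use (as Keycloak does) so that rotation handling is exercised offline:

```python
"""Constructed sketch of the "reference token" broker discussed in the log.

Assumptions (not from the Keycloak or Hawkular code base):
- refresh_fn(refresh_token) performs the refresh-token grant against the IdP
  and returns (access_token, expires_in_seconds, new_refresh_token).
- agents present their reference in a hypothetical X-Agent-Reference header.
"""
import secrets
import time
from typing import Callable, Dict, Tuple

RefreshFn = Callable[[str], Tuple[str, int, str]]


class FakeTokenEndpoint:
    """Offline stand-in for the IdP token endpoint. It only accepts refresh
    tokens it issued and invalidates each one when it is used (rotation)."""

    def __init__(self, now: Callable[[], float], access_lifetime: int = 300):
        self._now = now
        self._lifetime = access_lifetime
        self._valid_refresh: set = set()
        self.refresh_calls = 0  # lets a test observe caching behaviour

    def issue_refresh_token(self) -> str:
        # In the real flow this happens when the user logs in to the console.
        rt = "rt-" + secrets.token_urlsafe(16)
        self._valid_refresh.add(rt)
        return rt

    def refresh(self, refresh_token: str) -> Tuple[str, int, str]:
        self.refresh_calls += 1
        if refresh_token not in self._valid_refresh:
            raise PermissionError("invalid_grant: refresh token not recognised")
        self._valid_refresh.discard(refresh_token)  # old token is now dead
        new_rt = self.issue_refresh_token()
        return "at-" + secrets.token_urlsafe(16), self._lifetime, new_rt


class AgentTokenBroker:
    """Filter/proxy in front of the services: maps an opaque agent reference
    to the stored refresh token and injects a fresh bearer token."""

    def __init__(self, refresh_fn: RefreshFn,
                 now: Callable[[], float] = time.time, skew: int = 30):
        self._refresh_fn = refresh_fn
        self._now = now
        self._skew = skew  # refresh a little before expiry to avoid races
        self._refresh_tokens: Dict[str, str] = {}  # a database in practice
        self._access_cache: Dict[str, Tuple[str, float]] = {}  # memory only

    def register_agent(self, refresh_token: str) -> str:
        """'Register agent' in the console: store the refresh token server-side
        and hand the user an unguessable reference to paste into the agent."""
        reference = secrets.token_urlsafe(32)
        self._refresh_tokens[reference] = refresh_token
        return reference

    def revoke_agent(self, reference: str) -> None:
        """Dropping the stored refresh token cuts the agent off; the IdP-side
        revocation of the refresh token itself is out of scope here."""
        self._refresh_tokens.pop(reference, None)
        self._access_cache.pop(reference, None)

    def access_token_for(self, reference: str) -> str:
        if reference not in self._refresh_tokens:
            raise KeyError("unknown agent reference")
        cached = self._access_cache.get(reference)
        if cached and cached[1] - self._skew > self._now():
            return cached[0]
        access, expires_in, new_refresh = self._refresh_fn(
            self._refresh_tokens[reference])
        self._refresh_tokens[reference] = new_refresh  # honour rotation
        self._access_cache[reference] = (access, self._now() + expires_in)
        return access

    def filter_request(self, headers: Dict[str, str]) -> Dict[str, str]:
        """Rewrite the incoming headers so the downstream Keycloak adapter sees
        an ordinary bearer token; the reference never reaches the services."""
        ref = headers.get("X-Agent-Reference")
        if ref is None:
            return dict(headers)  # interactive user: normal Keycloak auth applies
        out = {k: v for k, v in headers.items()
               if k.lower() not in ("x-agent-reference", "authorization")}
        out["Authorization"] = "Bearer " + self.access_token_for(ref)
        return out


if __name__ == "__main__":
    idp = FakeTokenEndpoint(time.time)
    broker = AgentTokenBroker(idp.refresh)
    ref = broker.register_agent(idp.issue_refresh_token())
    print(broker.filter_request({"X-Agent-Reference": ref}))
```

Two points the sketch makes concrete: the agent side needs no JSON parsing or token handling, and revoking an agent is a single delete in the broker's store, which is the property the log describes for offline tokens.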