I suggest performing an internal token to internal token exchange (#26502):
Check if this demo fits the bill.
Suppose I have a web application that uses a client called 'web'. The web application can successfully authenticate the users and they can interact with the web app. Great.
Now suppose this overall application has some functionality that allows other smart devices to make API calls. I'd like to give these devices an offline session token.
Presumably, it's best practice to create a different client in Keycloak for these devices to operate under. This lets you limit the scopes that can be requested and the token/session timeouts can be configured differently, etc.
So, these smart devices have a 3rd-party mobile app of their own that performs a web flow for obtaining the offline session/refresh token. If I have the mobile app authenticate with the web application above, then it's authenticating with the 'web' client and not the 'device' client.
So my question is if there is a way of requesting Keycloak to create an offline session for the 'device' client even though the web client making this request only has an id/access token for the 'web' client.
Basic Picture:
smart app mobile app -> browser to example.com -> user authenticates with the 'web' client -> api call to get offline token for 'device' client -> return this offline token to the smart app
I realize there's probably a better way of doing this flow, but I'm limited by the 3rd-party app.
So, if possible, what API call can create an offline token, and what special configuration between the two clients might be necessary?
I looked at the REST docs, but I'm guessing that is only administration operations. Is there other documentation I could consult?
An alternative to all of this is to set up an entirely new web application (using a sub-domain or a different root path) that uses Keycloak with a different client id, but that seems overkill.
TIA
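A sketch of the token exchange suggested in the reply, added here as an example and not taken from the thread or from the Keycloak project: the 'web' backend builds an RFC 8693 exchange request naming 'device' as the audience, then checks that whatever comes back really is an offline token bound to 'device' before handing it to the smart app. Assumptions: the host, realm and secret values are placeholders, token exchange is enabled and 'web' is permitted to exchange to 'device', the server honours `offline_access` on an exchange, and the returned refresh token is a JWT carrying `typ` and `azp` claims.

```python
import base64
import json
from urllib.parse import urlencode

EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
REFRESH_TYPE = "urn:ietf:params:oauth:token-type:refresh_token"
ACCESS_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def build_exchange_request(base_url, realm, client_secret, subject_token):
    """Return (url, form_body) for the exchange POST made by the 'web' backend."""
    url = f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"
    body = urlencode({
        "grant_type": EXCHANGE_GRANT,
        "client_id": "web",                # the backend authenticates as 'web'
        "client_secret": client_secret,
        "subject_token": subject_token,    # user's access token issued to 'web'
        "subject_token_type": ACCESS_TYPE,
        "requested_token_type": REFRESH_TYPE,
        "audience": "device",              # target client for the new token
        "scope": "offline_access",         # assumption: honoured on exchange
    })
    return url, body


def is_offline_token_for(refresh_token, client_id):
    """Inspect (not verify) a JWT: offline type and bound to client_id?"""
    try:
        payload = refresh_token.split(".")[1]
        payload += "=" * (-len(payload) % 4)
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (IndexError, ValueError):
        return False
    if not isinstance(claims, dict):
        return False
    return claims.get("typ") == "Offline" and claims.get("azp") == client_id


def make_sample_token(claims):
    """Constructed, unsigned JWT-shaped string used only for the demo."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    url, body = build_exchange_request("https://sso.example.com", "demo",
                                       "WEB_CLIENT_SECRET", "USER_ACCESS_TOKEN")
    print("POST", url, "\n" + body)
    for typ, azp in (("Offline", "device"), ("Refresh", "device"), ("Offline", "web")):
        print(typ, azp, is_offline_token_for(make_sample_token({"typ": typ, "azp": azp}), "device"))
```

The claim check is a sanity test on the response, not signature validation; the exchange itself should run server-side so the 'web' client secret never reaches the browser or the mobile app.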