2016-05-27 20:12:07 +00:00
[[_offline-access]]
=== Offline Access
2016-06-06 17:15:23 +00:00
Offline access is a feature described in http://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess[OpenID Connect specification] .
The idea is that during login, your client application will request an Offline token instead of a classic Refresh token.
2016-05-27 20:12:07 +00:00
The application can save this offline token in a database or on disk and can use it later even if user is logged out.
2016-06-06 17:15:23 +00:00
This is useful if your application needs to do some "offline" actions on behalf of user even when the user is not online.
An example is a periodic backup of some data every night.
2016-05-27 20:12:07 +00:00
2017-08-28 12:50:14 +00:00
Your application is responsible for persisting the offline token in some storage (usually a database) and then using it to manually retrieve new access token from {project_name} server.
2016-05-27 20:12:07 +00:00
2016-06-06 17:15:23 +00:00
The difference between a classic Refresh token and an Offline token is, that an offline token will never expire and is not subject of `SSO Session Idle timeout` .
2016-05-27 20:12:07 +00:00
The offline token is valid even after a user logout or server restart.
2016-06-10 07:09:43 +00:00
However by default you do need to use the offline token for a refresh token action at least once per 30 days (this value, `Offline Session Idle timeout`, can be changed in the administration console in the `Tokens` tab under `Realm Settings`). Also if you enable the option `Revoke refresh tokens`, then each offline token can be used just once.
2016-06-06 17:15:23 +00:00
So after refresh, you always need to store the new offline token from refresh response into your DB instead of the previous one.
2016-05-27 20:12:07 +00:00
2017-08-28 12:50:14 +00:00
Users can view and revoke offline tokens that have been granted by them in the <<_account-service, User Account Service>>.
2016-06-10 07:06:48 +00:00
The admin user can revoke offline tokens for individual users in admin console in the `Consents` tab of a particular user.
2016-05-27 20:12:07 +00:00
The admin can also view all the offline tokens issued in the `Offline Access` tab of each client.
2017-08-28 12:50:14 +00:00
Offline tokens can also be revoked by setting a <<_revocation-policy, revocation policy>>.
2016-05-27 20:12:07 +00:00
To be able to issue an offline token, users need to have the role mapping for the realm-level role `offline_access`.
2018-06-08 13:39:15 +00:00
Clients also need to have that role in their scope. Finally, the client needs to have an `offline_access` client scope added as an `Optional
client scope` to it, which is done by default.
2016-05-27 20:12:07 +00:00
2017-08-28 12:50:14 +00:00
The client can request an offline token by adding the parameter `scope=offline_access` when sending authorization request to {project_name}.
The {project_name} OIDC client adapter automatically adds this parameter when you use it to access secured URL of your application (i.e.
2016-06-10 06:59:58 +00:00
$$http://localhost:8080/customer-portal/secured?scope=offline_access$$). The Direct Access Grant and Service Accounts also
2016-05-27 20:12:07 +00:00
support offline tokens if you include `scope=offline_access` in the body of the authentication request.
