Merge remote-tracking branch 'upstream/master'

broker/saml/src/main/java/org/keycloak/broker/saml/SAMLEndpoint.java

@@ -250,6 +250,7 @@ public class SAMLEndpoint {
             builder.relayState(relayState);
             if (config.isWantAuthnRequestsSigned()) {
                 builder.signWith(realm.getPrivateKey(), realm.getPublicKey(), realm.getCertificate())
+                        .signatureAlgorithm(provider.getSignatureAlgorithm())
                         .signDocument();
             }
             try {

broker/saml/src/main/java/org/keycloak/broker/saml/SAMLIdentityProvider.java

@@ -36,6 +36,7 @@ import org.keycloak.models.UserSessionModel;
 import org.keycloak.protocol.saml.SAML2AuthnRequestBuilder;
 import org.keycloak.protocol.saml.SAML2LogoutRequestBuilder;
 import org.keycloak.protocol.saml.SAML2NameIDPolicyBuilder;
+import org.keycloak.protocol.saml.SignatureAlgorithm;
 import org.keycloak.saml.common.constants.GeneralConstants;
 import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
 import org.keycloak.saml.common.exceptions.ConfigurationException;
@@ -110,6 +111,7 @@ public class SAMLIdentityProvider extends AbstractIdentityProvider<SAMLIdentityP
                 KeyPair keypair = new KeyPair(publicKey, privateKey);
 
                 authnRequestBuilder.signWith(keypair);
+                authnRequestBuilder.signatureAlgorithm(getSignatureAlgorithm());
                 authnRequestBuilder.signDocument();
             }
 
@@ -196,6 +198,7 @@ public class SAMLIdentityProvider extends AbstractIdentityProvider<SAMLIdentityP
                 .relayState(userSession.getId());
         if (getConfig().isWantAuthnRequestsSigned()) {
             logoutBuilder.signWith(realm.getPrivateKey(), realm.getPublicKey(), realm.getCertificate())
+                    .signatureAlgorithm(getSignatureAlgorithm())
                     .signDocument();
         }
         return logoutBuilder;
@@ -245,4 +248,13 @@ public class SAMLIdentityProvider extends AbstractIdentityProvider<SAMLIdentityP
                 "</EntityDescriptor>\n";
         return Response.ok(descriptor, MediaType.APPLICATION_XML_TYPE).build();
     }
+
+    public SignatureAlgorithm getSignatureAlgorithm() {
+        String alg = getConfig().getSignatureAlgorithm();
+        if (alg != null) {
+            SignatureAlgorithm algorithm = SignatureAlgorithm.valueOf(alg);
+            if (algorithm != null) return algorithm;
+        }
+        return SignatureAlgorithm.RSA_SHA256;
+    }
 }

broker/saml/src/main/java/org/keycloak/broker/saml/SAMLIdentityProviderConfig.java

@@ -87,6 +87,14 @@ public class SAMLIdentityProviderConfig extends IdentityProviderModel {
         getConfig().put("wantAuthnRequestsSigned", String.valueOf(wantAuthnRequestsSigned));
     }
 
+    public String getSignatureAlgorithm() {
+        return getConfig().get("signatureAlgorithm");
+    }
+
+    public void setSignatureAlgorithm(String signatureAlgorithm) {
+        getConfig().put("signatureAlgorithm", signatureAlgorithm);
+    }
+
     public String getEncryptionPublicKey() {
         return getConfig().get("encryptionPublicKey");
     }

connections/jpa-liquibase/src/main/resources/META-INF/jpa-changelog-1.6.0.xml

@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.1.xsd">
+    <changeSet author="mposolda@redhat.com" id="1.6.0">
+
+        <addColumn tableName="CLIENT">
+            <column name="OFFLINE_TOKENS_ENABLED" type="BOOLEAN" defaultValueBoolean="false">
+                <constraints nullable="false"/>
+            </column>
+        </addColumn>
+
+        <createTable tableName="OFFLINE_USER_SESSION">
+            <column name="USER_ID" type="VARCHAR(36)">
+                <constraints nullable="false"/>
+            </column>
+            <column name="USER_SESSION_ID" type="VARCHAR(36)">
+                <constraints nullable="false"/>
+            </column>
+            <column name="DATA" type="CLOB"/>
+        </createTable>
+
+        <createTable tableName="OFFLINE_CLIENT_SESSION">
+            <column name="USER_ID" type="VARCHAR(36)">
+                <constraints nullable="false"/>
+            </column>
+            <column name="CLIENT_SESSION_ID" type="VARCHAR(36)">
+                <constraints nullable="false"/>
+            </column>
+            <column name="USER_SESSION_ID" type="VARCHAR(36)">
+                <constraints nullable="false"/>
+            </column>
+            <column name="CLIENT_ID" type="VARCHAR(36)">
+                <constraints nullable="false"/>
+            </column>
+            <column name="DATA" type="CLOB"/>
+        </createTable>
+
+        <addPrimaryKey columnNames="USER_SESSION_ID" constraintName="CONSTRAINT_OFFLINE_US_SES_PK" tableName="OFFLINE_USER_SESSION"/>
+        <addPrimaryKey columnNames="CLIENT_SESSION_ID" constraintName="CONSTRAINT_OFFLINE_CL_SES_PK" tableName="OFFLINE_CLIENT_SESSION"/>
+        <addForeignKeyConstraint baseColumnNames="USER_ID" baseTableName="OFFLINE_USER_SESSION" constraintName="FK_OFFLINE_US_SES_USER" referencedColumnNames="ID" referencedTableName="USER_ENTITY"/>
+        <addForeignKeyConstraint baseColumnNames="USER_ID" baseTableName="OFFLINE_CLIENT_SESSION" constraintName="FK_OFFLINE_CL_SES_USER" referencedColumnNames="ID" referencedTableName="USER_ENTITY"/>
+        <addForeignKeyConstraint baseColumnNames="USER_SESSION_ID" baseTableName="OFFLINE_CLIENT_SESSION" constraintName="FK_OFFLINE_CL_US_SES" referencedColumnNames="USER_SESSION_ID" referencedTableName="OFFLINE_USER_SESSION"/>
+
+    </changeSet>
+</databaseChangeLog>

connections/jpa-liquibase/src/main/resources/META-INF/jpa-changelog-master.xml

@@ -9,4 +9,5 @@
     <include file="META-INF/jpa-changelog-1.3.0.xml"/>
     <include file="META-INF/jpa-changelog-1.4.0.xml"/>
     <include file="META-INF/jpa-changelog-1.5.0.xml"/>
+    <include file="META-INF/jpa-changelog-1.6.0.xml"/>
 </databaseChangeLog>

connections/jpa/src/main/resources/META-INF/persistence.xml

@@ -29,6 +29,8 @@
         <class>org.keycloak.models.jpa.entities.AuthenticationExecutionEntity</class>
         <class>org.keycloak.models.jpa.entities.AuthenticatorConfigEntity</class>
         <class>org.keycloak.models.jpa.entities.RequiredActionProviderEntity</class>
+        <class>org.keycloak.models.jpa.entities.OfflineUserSessionEntity</class>
+        <class>org.keycloak.models.jpa.entities.OfflineClientSessionEntity</class>
 
         <!-- JpaAuditProviders -->
         <class>org.keycloak.events.jpa.EventEntity</class>

connections/mongo/src/main/java/org/keycloak/connections/mongo/DefaultMongoConnectionFactoryProvider.java

@@ -48,6 +48,8 @@ public class DefaultMongoConnectionFactoryProvider implements MongoConnectionPro
             "org.keycloak.models.entities.AuthenticationFlowEntity",
             "org.keycloak.models.entities.AuthenticatorConfigEntity",
             "org.keycloak.models.entities.RequiredActionProviderEntity",
+            "org.keycloak.models.entities.OfflineUserSessionEntity",
+            "org.keycloak.models.entities.OfflineClientSessionEntity",
     };
 
     private static final Logger logger = Logger.getLogger(DefaultMongoConnectionFactoryProvider.class);

core/src/main/java/org/keycloak/OAuth2Constants.java

@@ -38,6 +38,9 @@ public interface OAuth2Constants {
     // https://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-03#section-2.2
     String CLIENT_ASSERTION_TYPE_JWT = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
 
+    // http://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
+    String OFFLINE_ACCESS = "offline_access";
+
 }
 
 

core/src/main/java/org/keycloak/representations/RefreshToken.java

@@ -1,6 +1,7 @@
 package org.keycloak.representations;
 
 import org.codehaus.jackson.annotate.JsonProperty;
+import org.keycloak.util.RefreshTokenUtil;
 
 import java.util.HashMap;
 import java.util.Map;
@@ -11,9 +12,8 @@ import java.util.Map;
  */
 public class RefreshToken extends AccessToken {
 
-
     private RefreshToken() {
-        type("REFRESH");
+        type(RefreshTokenUtil.TOKEN_TYPE_REFRESH);
     }
 
     /**

core/src/main/java/org/keycloak/representations/idm/ClientRepresentation.java

@@ -24,6 +24,7 @@ public class ClientRepresentation {
     protected Boolean bearerOnly;
     protected Boolean consentRequired;
     protected Boolean serviceAccountsEnabled;
+    protected Boolean offlineTokensEnabled;
     protected Boolean directGrantsOnly;
     protected Boolean publicClient;
     protected Boolean frontchannelLogout;
@@ -162,6 +163,14 @@ public class ClientRepresentation {
         this.serviceAccountsEnabled = serviceAccountsEnabled;
     }
 
+    public Boolean isOfflineTokensEnabled() {
+        return offlineTokensEnabled;
+    }
+
+    public void setOfflineTokensEnabled(Boolean offlineTokensEnabled) {
+        this.offlineTokensEnabled = offlineTokensEnabled;
+    }
+
     public Boolean isDirectGrantsOnly() {
         return directGrantsOnly;
     }

core/src/main/java/org/keycloak/util/RefreshTokenUtil.java

@@ -0,0 +1,62 @@
+package org.keycloak.util;
+
+import java.io.IOException;
+
+import org.keycloak.OAuth2Constants;
+import org.keycloak.representations.RefreshToken;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class RefreshTokenUtil {
+
+    public static final String TOKEN_TYPE_REFRESH = "REFRESH";
+
+    public static final String TOKEN_TYPE_OFFLINE = "OFFLINE";
+
+    public static boolean isOfflineTokenRequested(String scopeParam) {
+        if (scopeParam == null) {
+            return false;
+        }
+
+        String[] scopes = scopeParam.split(" ");
+        for (String scope : scopes) {
+            if (OAuth2Constants.OFFLINE_ACCESS.equals(scope)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+
+    /**
+     * Return refresh token or offline otkne
+     *
+     * @param decodedToken
+     * @return
+     */
+    public static RefreshToken getRefreshToken(byte[] decodedToken) throws IOException {
+        return JsonSerialization.readValue(decodedToken, RefreshToken.class);
+    }
+
+    private static RefreshToken getRefreshToken(String refreshToken) throws IOException {
+        byte[] decodedToken = Base64Url.decode(refreshToken);
+        return getRefreshToken(decodedToken);
+    }
+
+    /**
+     * Return true if given refreshToken represents offline token
+     *
+     * @param refreshToken
+     * @return
+     */
+    public static boolean isOfflineToken(String refreshToken) {
+        try {
+            RefreshToken token = getRefreshToken(refreshToken);
+            return token.getType().equals(TOKEN_TYPE_OFFLINE);
+        } catch (IOException ioe) {
+            throw new RuntimeException(ioe);
+        }
+    }
+
+}

docbook/reference/en/en-US/modules/auth-spi.xml

@@ -898,7 +898,7 @@ public class SecretQuestionRequiredActionFactory implements RequiredActionFactor
 }
 ]]></programlisting>
 
-                                where the <literal>mysecret</literal> needs to be replaced with the real value of client secret. You can obtain it from client admin console.
+                                where the <literal>mysecret</literal> needs to be replaced with the real value of client secret. You can obtain it from admin console from client configuration.
                             </para>
                         </listitem>
                     </varlistentry>
@@ -906,7 +906,7 @@ public class SecretQuestionRequiredActionFactory implements RequiredActionFactor
                         <term>Authentication with signed JWT</term>
                         <listitem>
                             <para>
-                                This is based on the <ulink url="https://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-03">JWT Bearer Token Profiles for OAuth 2.0</ulink> specification.
+                                This is based on the <ulink url="https://tools.ietf.org/html/rfc7523">JWT Bearer Token Profiles for OAuth 2.0</ulink> specification.
                                 The client/adapter generates the <ulink url="https://tools.ietf.org/html/rfc7519">JWT</ulink> and signs it with his private key.
                                 The Keycloak then verifies the signed JWT with the client's public key and authenticates client based on it.
                             </para>

events/api/src/main/java/org/keycloak/events/Details.java

@@ -20,6 +20,7 @@ public interface Details {
     String REMEMBER_ME = "remember_me";
     String TOKEN_ID = "token_id";
     String REFRESH_TOKEN_ID = "refresh_token_id";
+    String REFRESH_TOKEN_TYPE = "refresh_token_type";
     String VALIDATE_ACCESS_TOKEN = "validate_access_token";
     String UPDATED_REFRESH_TOKEN_ID = "updated_refresh_token_id";
     String NODE_HOST = "node_host";

forms/account-freemarker/src/main/java/org/keycloak/account/freemarker/model/ApplicationsBean.java

@@ -1,9 +1,11 @@
 package org.keycloak.account.freemarker.model;
 
+import java.util.ArrayList;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Set;
 
+import org.keycloak.OAuth2Constants;
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.UserConsentModel;
 import org.keycloak.models.ProtocolMapperModel;
@@ -11,6 +13,7 @@ import org.keycloak.models.RealmModel;
 import org.keycloak.models.RoleModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.protocol.oidc.TokenManager;
+import org.keycloak.services.offline.OfflineUserSessionManager;
 import org.keycloak.util.MultivaluedHashMap;
 
 /**
@@ -21,6 +24,9 @@ public class ApplicationsBean {
     private List<ApplicationEntry> applications = new LinkedList<ApplicationEntry>();
 
     public ApplicationsBean(RealmModel realm, UserModel user) {
+
+        Set<ClientModel> offlineClients = new OfflineUserSessionManager().findClientsWithOfflineToken(realm, user);
+
         List<ClientModel> realmClients = realm.getClients();
         for (ClientModel client : realmClients) {
             // Don't show bearerOnly clients
@@ -52,7 +58,13 @@ public class ApplicationsBean {
                 }
             }
 
-            ApplicationEntry appEntry = new ApplicationEntry(realmRolesAvailable, resourceRolesAvailable, realmRolesGranted, resourceRolesGranted, client, claimsGranted);
+            List<String> additionalGrants = new ArrayList<>();
+            if (offlineClients.contains(client)) {
+                additionalGrants.add("${offlineAccess}");
+            }
+
+            ApplicationEntry appEntry = new ApplicationEntry(realmRolesAvailable, resourceRolesAvailable, realmRolesGranted, resourceRolesGranted, client,
+                    claimsGranted, additionalGrants);
             applications.add(appEntry);
         }
     }
@@ -82,16 +94,18 @@ public class ApplicationsBean {
         private final MultivaluedHashMap<String, ClientRoleEntry> resourceRolesGranted;
         private final ClientModel client;
         private final List<String> claimsGranted;
+        private final List<String> additionalGrants;
 
         public ApplicationEntry(List<RoleModel> realmRolesAvailable, MultivaluedHashMap<String, ClientRoleEntry> resourceRolesAvailable,
                                 List<RoleModel> realmRolesGranted, MultivaluedHashMap<String, ClientRoleEntry> resourceRolesGranted,
-                                ClientModel client, List<String> claimsGranted) {
+                                ClientModel client, List<String> claimsGranted, List<String> additionalGrants) {
             this.realmRolesAvailable = realmRolesAvailable;
             this.resourceRolesAvailable = resourceRolesAvailable;
             this.realmRolesGranted = realmRolesGranted;
             this.resourceRolesGranted = resourceRolesGranted;
             this.client = client;
             this.claimsGranted = claimsGranted;
+            this.additionalGrants = additionalGrants;
         }
 
         public List<RoleModel> getRealmRolesAvailable() {
@@ -118,6 +132,9 @@ public class ApplicationsBean {
             return claimsGranted;
         }
 
+        public List<String> getAdditionalGrants() {
+            return additionalGrants;
+        }
     }
 
     // Same class used in OAuthGrantBean as well. Maybe should be merged into common-freemarker...

forms/common-themes/src/main/resources/theme/base/account/applications.ftl

@@ -18,6 +18,7 @@
                 <td>${msg("availablePermissions")}</td>
                 <td>${msg("grantedPermissions")}</td>
                 <td>${msg("grantedPersonalInfo")}</td>
+                <td>${msg("additionalGrants")}</td>
                 <td>${msg("action")}</td>
               </tr>
             </thead>
@@ -76,7 +77,13 @@
                     </td>
 
                     <td>
-                        <#if application.client.consentRequired && application.claimsGranted?has_content>
+                       <#list application.additionalGrants as grant>
+                            ${advancedMsg(grant)}<#if grant_has_next>, </#if>
+                        </#list>
+                    </td>
+
+                    <td>
+                        <#if (application.client.consentRequired && application.claimsGranted?has_content) || application.additionalGrants?has_content>
                             <button type='submit' class='${properties.kcButtonClass!} ${properties.kcButtonPrimaryClass!}' id='revoke-${application.client.clientId}' name='clientId' value="${application.client.id}">${msg("revoke")}</button>
                         </#if>
                     </td>

forms/common-themes/src/main/resources/theme/base/account/messages/messages_en.properties

@@ -85,9 +85,11 @@ application=Application
 availablePermissions=Available Permissions
 grantedPermissions=Granted Permissions
 grantedPersonalInfo=Granted Personal Info
+additionalGrants=Additional Grants
 action=Action
 inResource=in
 fullAccess=Full Access
+offlineAccess=Offline Access
 revoke=Revoke Grant
 
 configureAuthenticators=Configured Authenticators

forms/common-themes/src/main/resources/theme/base/admin/resources/js/controllers/realm.js

@@ -693,10 +693,17 @@ module.controller('RealmIdentityProviderCtrl', function($scope, $filter, $upload
 
             }
         ];
+        $scope.signatureAlgorithms = [
+            "RSA_SHA1",
+            "RSA_SHA256",
+            "RSA_SHA512",
+            "DSA_SHA1"
+        ];
         if (instance && instance.alias) {
 
         } else {
             $scope.identityProvider.config.nameIDPolicyFormat = $scope.nameIdFormats[0].format;
+            $scope.identityProvider.config.signatureAlgorithm = $scope.signatureAlgorithms[1];
             $scope.identityProvider.updateProfileFirstLoginMode = "off";
         }
     }

forms/common-themes/src/main/resources/theme/base/admin/resources/partials/client-detail.html

@@ -79,6 +79,13 @@
                     <input ng-model="client.serviceAccountsEnabled" name="serviceAccountsEnabled" id="serviceAccountsEnabled" onoffswitch />
                 </div>
             </div>
+            <div class="form-group" data-ng-show="protocol == 'openid-connect' && !client.bearerOnly">
+                <label class="col-md-2 control-label" for="offlineTokensEnabled">Offline Tokens Enabled</label>
+                <kc-tooltip>Allows you to retrieve offline tokens for users. Offline token can be stored by client application and is valid even if user is not logged anymore.</kc-tooltip>
+                <div class="col-md-6">
+                    <input ng-model="client.offlineTokensEnabled" name="offlineTokensEnabled" id="offlineTokensEnabled" onoffswitch />
+                </div>
+            </div>
             <div class="form-group clearfix block" data-ng-show="protocol == 'saml'">
                 <label class="col-md-2 control-label" for="samlServerSignature">Include AuthnStatement</label>
                 <div class="col-sm-6">

forms/common-themes/src/main/resources/theme/base/admin/resources/partials/password-policy.html

@@ -34,7 +34,7 @@
                            placeholder="No value assigned" min="1" required>
                 </td>
                 <td class="kc-action-cell">
-                    <button class="btn btn-default btn-block btn-sm" ng-click="removePolicy($index)">Delete</button>
+                    <button type="button" class="btn btn-default btn-block btn-sm" ng-click="removePolicy($index)">Delete</button>
                 </td>
             </tr>
             </tbody>

forms/common-themes/src/main/resources/theme/base/admin/resources/partials/realm-identity-provider-saml.html

@@ -135,6 +135,18 @@
                 </div>
                 <kc-tooltip> Indicates whether the identity provider expects signed a AuthnRequest.</kc-tooltip>
             </div>
+            <div class="form-group" data-ng-show="identityProvider.config.wantAuthnRequestsSigned == 'true'">
+                <label class="col-md-2 control-label" for="signatureAlgorithm">Signature Algorithm</label>
+                <div class="col-sm-6">
+                    <div>
+                        <select class="form-control" id="signatureAlgorithm"
+                                ng-model="identityProvider.config.signatureAlgorithm"
+                                ng-options="alg for alg in signatureAlgorithms">
+                        </select>
+                    </div>
+                </div>
+                <kc-tooltip>The signature algorithm to use to sign documents.</kc-tooltip>
+            </div>
             <div class="form-group">
                 <label class="col-md-2 control-label" for="forceAuthn">Force Authentication</label>
                 <div class="col-md-6">

forms/common-themes/src/main/resources/theme/base/login/login-update-profile.ftl

@@ -6,6 +6,16 @@
         ${msg("loginProfileTitle")}
     <#elseif section = "form">
         <form id="kc-update-profile-form" class="${properties.kcFormClass!}" action="${url.loginAction}" method="post">
+            <#if realm.editUsernameAllowed>
+                <div class="${properties.kcFormGroupClass!} ${messagesPerField.printIfExists('username',properties.kcFormGroupErrorClass!)}">
+                    <div class="${properties.kcLabelWrapperClass!}">
+                        <label for="username" class="${properties.kcLabelClass!}">${msg("username")}</label>
+                    </div>
+                    <div class="${properties.kcInputWrapperClass!}">
+                        <input type="text" id="username" name="username" value="${(user.username!'')?html}" class="${properties.kcInputClass!}"/>
+                    </div>
+                </div>
+            </#if>
             <div class="${properties.kcFormGroupClass!} ${messagesPerField.printIfExists('email',properties.kcFormGroupErrorClass!)}">
                 <div class="${properties.kcLabelWrapperClass!}">
                     <label for="email" class="${properties.kcLabelClass!}">${msg("email")}</label>

forms/login-freemarker/src/main/java/org/keycloak/login/freemarker/model/ProfileBean.java

@@ -70,6 +70,8 @@ public class ProfileBean {
 
     }
 
+    public String getUsername() { return formData != null ? formData.getFirst("username") : user.getUsername(); }
+
     public String getFirstName() {
         return formData != null ? formData.getFirst("firstName") : user.getFirstName();
     }

forms/login-freemarker/src/main/java/org/keycloak/login/freemarker/model/RealmBean.java

@@ -66,6 +66,10 @@ public class RealmBean {
         return realm.isInternationalizationEnabled();
     }
 
+    public boolean isEditUsernameAllowed() {
+        return realm.isEditUsernameAllowed();
+    }
+
     public boolean isPassword() {
         for (RequiredCredentialModel r : realm.getRequiredCredentials()) {
             if (r.getType().equals(CredentialRepresentation.PASSWORD)) {

integration/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java

@@ -135,6 +135,9 @@ public class OAuthRequestAuthenticator {
         String idpHint = getQueryParamValue(AdapterConstants.KC_IDP_HINT);
         url = UriUtils.stripQueryParam(url, AdapterConstants.KC_IDP_HINT);
 
+        String scope = getQueryParamValue(OAuth2Constants.SCOPE);
+        url = UriUtils.stripQueryParam(url, OAuth2Constants.SCOPE);
+
         KeycloakUriBuilder redirectUriBuilder = deployment.getAuthUrl().clone()
                 .queryParam(OAuth2Constants.RESPONSE_TYPE, OAuth2Constants.CODE)
                 .queryParam(OAuth2Constants.CLIENT_ID, deployment.getResourceName())
@@ -147,6 +150,9 @@ public class OAuthRequestAuthenticator {
         if (idpHint != null && idpHint.length() > 0) {
             redirectUriBuilder.queryParam(AdapterConstants.KC_IDP_HINT,idpHint);
         }
+        if (scope != null && scope.length() > 0) {
+            redirectUriBuilder.queryParam(OAuth2Constants.SCOPE, scope);
+        }
 
         return redirectUriBuilder.build().toString();
     }

integration/adapter-core/src/main/java/org/keycloak/adapters/RefreshableKeycloakSecurityContext.java

@@ -117,7 +117,12 @@ public class RefreshableKeycloakSecurityContext extends KeycloakSecurityContext
         }
 
         this.token = token;
-        this.refreshToken = response.getRefreshToken();
+        if (response.getRefreshToken() != null) {
+            if (log.isTraceEnabled()) {
+                log.trace("Setup new refresh token to the security context");
+            }
+            this.refreshToken = response.getRefreshToken();
+        }
         this.tokenString = tokenString;
         tokenStore.refreshCallback(this);
         return true;

integration/adapter-core/src/main/java/org/keycloak/adapters/authentication/ClientCredentialsProvider.java

@@ -14,7 +14,7 @@ import org.keycloak.adapters.KeycloakDeployment;
  *
  * You must specify a file
  * META-INF/services/org.keycloak.adapters.authentication.ClientCredentialsProvider in the WAR that this class is contained in (or in the JAR that is attached to the WEB-INF/lib or as jboss module
- * if you want to share the implementation among more WARs). This file must have the fully qualified class name of all your ClientAuthenticatorFactory classes
+ * if you want to share the implementation among more WARs).
  *
  * NOTE: The SPI is not finished and method signatures are still subject to change in future versions (for example to support
  * authentication with client certificate)

integration/adapter-core/src/main/java/org/keycloak/adapters/authentication/JWTClientCredentialsProvider.java

@@ -13,7 +13,7 @@ import org.keycloak.util.Time;
 
 /**
  * Client authentication based on JWT signed by client private key .
- * See <a href="https://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-03">specs</a> for more details.
+ * See <a href="https://tools.ietf.org/html/rfc7519">specs</a> for more details.
  *
  * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
  */

integration/js/src/main/resources/keycloak.js

@@ -164,6 +164,10 @@
                 url += '&kc_idp_hint=' + options.idpHint;
             }
 
+            if (options && options.scope) {
+                url += '&scope=' + options.scope;
+            }
+
             return url;
         }
 

model/api/src/main/java/org/keycloak/models/ClientModel.java

@@ -109,6 +109,9 @@ public interface ClientModel extends RoleContainerModel {
     boolean isServiceAccountsEnabled();
     void setServiceAccountsEnabled(boolean serviceAccountsEnabled);
 
+    boolean isOfflineTokensEnabled();
+    void setOfflineTokensEnabled(boolean offlineTokensEnabled);
+
     Set<RoleModel> getScopeMappings();
     void addScopeMapping(RoleModel role);
     void deleteScopeMapping(RoleModel role);

model/api/src/main/java/org/keycloak/models/OfflineClientSessionModel.java

@@ -0,0 +1,44 @@
+package org.keycloak.models;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class OfflineClientSessionModel {
+
+    private String clientSessionId;
+    private String userSessionId;
+    private String clientId;
+    private String data;
+
+    public String getClientSessionId() {
+        return clientSessionId;
+    }
+
+    public void setClientSessionId(String clientSessionId) {
+        this.clientSessionId = clientSessionId;
+    }
+
+    public String getUserSessionId() {
+        return userSessionId;
+    }
+
+    public void setUserSessionId(String userSessionId) {
+        this.userSessionId = userSessionId;
+    }
+
+    public String getClientId() {
+        return clientId;
+    }
+
+    public void setClientId(String clientId) {
+        this.clientId = clientId;
+    }
+
+    public String getData() {
+        return data;
+    }
+
+    public void setData(String data) {
+        this.data = data;
+    }
+}

model/api/src/main/java/org/keycloak/models/OfflineUserSessionModel.java

@@ -0,0 +1,26 @@
+package org.keycloak.models;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class OfflineUserSessionModel {
+
+    private String userSessionId;
+    private String data;
+
+    public String getUserSessionId() {
+        return userSessionId;
+    }
+
+    public void setUserSessionId(String userSessionId) {
+        this.userSessionId = userSessionId;
+    }
+
+    public String getData() {
+        return data;
+    }
+
+    public void setData(String data) {
+        this.data = data;
+    }
+}

model/api/src/main/java/org/keycloak/models/UserModel.java

@@ -1,5 +1,6 @@
 package org.keycloak.models;
 
+import java.util.Collection;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -113,6 +114,15 @@ public interface UserModel {
     void updateConsent(UserConsentModel consent);
     boolean revokeConsentForClient(String clientInternalId);
 
+    void addOfflineUserSession(OfflineUserSessionModel offlineUserSession);
+    OfflineUserSessionModel getOfflineUserSession(String userSessionId);
+    Collection<OfflineUserSessionModel> getOfflineUserSessions();
+    boolean removeOfflineUserSession(String userSessionId);
+    void addOfflineClientSession(OfflineClientSessionModel offlineClientSession);
+    OfflineClientSessionModel getOfflineClientSession(String clientSessionId);
+    Collection<OfflineClientSessionModel> getOfflineClientSessions();
+    boolean removeOfflineClientSession(String clientSessionId);
+
     public static enum RequiredAction {
         VERIFY_EMAIL, UPDATE_PROFILE, CONFIGURE_TOTP, UPDATE_PASSWORD
     }

model/api/src/main/java/org/keycloak/models/UserSessionModel.java

@@ -40,6 +40,7 @@ public interface UserSessionModel {
     public String getNote(String name);
     public void setNote(String name, String value);
     public void removeNote(String name);
+    public Map<String, String> getNotes();
 
     State getState();
     void setState(State state);

model/api/src/main/java/org/keycloak/models/entities/ClientEntity.java

@@ -28,6 +28,7 @@ public class ClientEntity extends AbstractIdentifiableEntity {
     private boolean bearerOnly;
     private boolean consentRequired;
     private boolean serviceAccountsEnabled;
+    private boolean offlineTokensEnabled;
     private boolean directGrantsOnly;
     private int nodeReRegistrationTimeout;
 
@@ -228,6 +229,14 @@ public class ClientEntity extends AbstractIdentifiableEntity {
         this.serviceAccountsEnabled = serviceAccountsEnabled;
     }
 
+    public boolean isOfflineTokensEnabled() {
+        return offlineTokensEnabled;
+    }
+
+    public void setOfflineTokensEnabled(boolean offlineTokensEnabled) {
+        this.offlineTokensEnabled = offlineTokensEnabled;
+    }
+
     public boolean isDirectGrantsOnly() {
         return directGrantsOnly;
     }

model/api/src/main/java/org/keycloak/models/entities/OfflineClientSessionEntity.java

@@ -0,0 +1,35 @@
+package org.keycloak.models.entities;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class OfflineClientSessionEntity {
+
+    private String clientSessionId;
+    private String clientId;
+    private String data;
+
+    public String getClientSessionId() {
+        return clientSessionId;
+    }
+
+    public void setClientSessionId(String clientSessionId) {
+        this.clientSessionId = clientSessionId;
+    }
+
+    public String getClientId() {
+        return clientId;
+    }
+
+    public void setClientId(String clientId) {
+        this.clientId = clientId;
+    }
+
+    public String getData() {
+        return data;
+    }
+
+    public void setData(String data) {
+        this.data = data;
+    }
+}

model/api/src/main/java/org/keycloak/models/entities/OfflineUserSessionEntity.java

@@ -0,0 +1,37 @@
+package org.keycloak.models.entities;
+
+import java.util.List;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class OfflineUserSessionEntity {
+
+    private String userSessionId;
+    private String data;
+    private List<OfflineClientSessionEntity> offlineClientSessions;
+
+    public String getUserSessionId() {
+        return userSessionId;
+    }
+
+    public void setUserSessionId(String userSessionId) {
+        this.userSessionId = userSessionId;
+    }
+
+    public String getData() {
+        return data;
+    }
+
+    public void setData(String data) {
+        this.data = data;
+    }
+
+    public List<OfflineClientSessionEntity> getOfflineClientSessions() {
+        return offlineClientSessions;
+    }
+
+    public void setOfflineClientSessions(List<OfflineClientSessionEntity> offlineClientSessions) {
+        this.offlineClientSessions = offlineClientSessions;
+    }
+}

model/api/src/main/java/org/keycloak/models/entities/UserEntity.java

@@ -28,6 +28,7 @@ public class UserEntity extends AbstractIdentifiableEntity {
     private List<FederatedIdentityEntity> federatedIdentities;
     private String federationLink;
     private String serviceAccountClientLink;
+    private List<OfflineUserSessionEntity> offlineUserSessions;
 
     public String getUsername() {
         return username;
@@ -157,5 +158,13 @@ public class UserEntity extends AbstractIdentifiableEntity {
     public void setServiceAccountClientLink(String serviceAccountClientLink) {
         this.serviceAccountClientLink = serviceAccountClientLink;
     }
+
+    public List<OfflineUserSessionEntity> getOfflineUserSessions() {
+        return offlineUserSessions;
+    }
+
+    public void setOfflineUserSessions(List<OfflineUserSessionEntity> offlineUserSessions) {
+        this.offlineUserSessions = offlineUserSessions;
+    }
 }
 

model/api/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java

@@ -303,6 +303,7 @@ public class ModelToRepresentation {
         rep.setBearerOnly(clientModel.isBearerOnly());
         rep.setConsentRequired(clientModel.isConsentRequired());
         rep.setServiceAccountsEnabled(clientModel.isServiceAccountsEnabled());
+        rep.setOfflineTokensEnabled(clientModel.isOfflineTokensEnabled());
         rep.setDirectGrantsOnly(clientModel.isDirectGrantsOnly());
         rep.setSurrogateAuthRequired(clientModel.isSurrogateAuthRequired());
         rep.setBaseUrl(clientModel.getBaseUrl());

model/api/src/main/java/org/keycloak/models/utils/RepresentationToModel.java

@@ -692,6 +692,7 @@ public class RepresentationToModel {
         if (resourceRep.isBearerOnly() != null) client.setBearerOnly(resourceRep.isBearerOnly());
         if (resourceRep.isConsentRequired() != null) client.setConsentRequired(resourceRep.isConsentRequired());
         if (resourceRep.isServiceAccountsEnabled() != null) client.setServiceAccountsEnabled(resourceRep.isServiceAccountsEnabled());
+        if (resourceRep.isOfflineTokensEnabled() != null) client.setOfflineTokensEnabled(resourceRep.isOfflineTokensEnabled());
         if (resourceRep.isDirectGrantsOnly() != null) client.setDirectGrantsOnly(resourceRep.isDirectGrantsOnly());
         if (resourceRep.isPublicClient() != null) client.setPublicClient(resourceRep.isPublicClient());
         if (resourceRep.isFrontchannelLogout() != null) client.setFrontchannelLogout(resourceRep.isFrontchannelLogout());
@@ -788,6 +789,7 @@ public class RepresentationToModel {
         if (rep.isBearerOnly() != null) resource.setBearerOnly(rep.isBearerOnly());
         if (rep.isConsentRequired() != null) resource.setConsentRequired(rep.isConsentRequired());
         if (rep.isServiceAccountsEnabled() != null) resource.setServiceAccountsEnabled(rep.isServiceAccountsEnabled());
+        if (rep.isOfflineTokensEnabled() != null) resource.setOfflineTokensEnabled(rep.isOfflineTokensEnabled());
         if (rep.isDirectGrantsOnly() != null) resource.setDirectGrantsOnly(rep.isDirectGrantsOnly());
         if (rep.isPublicClient() != null) resource.setPublicClient(rep.isPublicClient());
         if (rep.isFullScopeAllowed() != null) resource.setFullScopeAllowed(rep.isFullScopeAllowed());

model/api/src/main/java/org/keycloak/models/utils/UserModelDelegate.java

@@ -1,12 +1,15 @@
 package org.keycloak.models.utils;
 
 import org.keycloak.models.ClientModel;
+import org.keycloak.models.OfflineClientSessionModel;
+import org.keycloak.models.OfflineUserSessionModel;
 import org.keycloak.models.UserConsentModel;
 import org.keycloak.models.RoleModel;
 import org.keycloak.models.UserCredentialModel;
 import org.keycloak.models.UserCredentialValueModel;
 import org.keycloak.models.UserModel;
 
+import java.util.Collection;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -255,4 +258,44 @@ public class UserModelDelegate implements UserModel {
     public void setCreatedTimestamp(Long timestamp){
         delegate.setCreatedTimestamp(timestamp);
     }
+
+    @Override
+    public void addOfflineUserSession(OfflineUserSessionModel userSession) {
+        delegate.addOfflineUserSession(userSession);
+    }
+
+    @Override
+    public OfflineUserSessionModel getOfflineUserSession(String userSessionId) {
+        return delegate.getOfflineUserSession(userSessionId);
+    }
+
+    @Override
+    public Collection<OfflineUserSessionModel> getOfflineUserSessions() {
+        return delegate.getOfflineUserSessions();
+    }
+
+    @Override
+    public boolean removeOfflineUserSession(String userSessionId) {
+        return delegate.removeOfflineUserSession(userSessionId);
+    }
+
+    @Override
+    public void addOfflineClientSession(OfflineClientSessionModel clientSession) {
+        delegate.addOfflineClientSession(clientSession);
+    }
+
+    @Override
+    public OfflineClientSessionModel getOfflineClientSession(String clientSessionId) {
+        return delegate.getOfflineClientSession(clientSessionId);
+    }
+
+    @Override
+    public Collection<OfflineClientSessionModel> getOfflineClientSessions() {
+        return delegate.getOfflineClientSessions();
+    }
+
+    @Override
+    public boolean removeOfflineClientSession(String clientSessionId) {
+        return delegate.removeOfflineClientSession(clientSessionId);
+    }
 }

model/file/src/main/java/org/keycloak/models/file/adapter/ClientAdapter.java

@@ -461,6 +461,16 @@ public class ClientAdapter implements ClientModel {
         entity.setServiceAccountsEnabled(serviceAccountsEnabled);
     }
 
+    @Override
+    public boolean isOfflineTokensEnabled() {
+        return entity.isOfflineTokensEnabled();
+    }
+
+    @Override
+    public void setOfflineTokensEnabled(boolean offlineTokensEnabled) {
+        entity.setOfflineTokensEnabled(offlineTokensEnabled);
+    }
+
     @Override
     public boolean isDirectGrantsOnly() {
         return entity.isDirectGrantsOnly();

model/file/src/main/java/org/keycloak/models/file/adapter/UserAdapter.java

@@ -22,7 +22,10 @@ import org.keycloak.models.ClientModel;
 import static org.keycloak.models.utils.Pbkdf2PasswordEncoder.getSalt;
 
 import org.keycloak.models.ModelDuplicateException;
+import org.keycloak.models.ModelException;
 import org.keycloak.models.OTPPolicy;
+import org.keycloak.models.OfflineClientSessionModel;
+import org.keycloak.models.OfflineUserSessionModel;
 import org.keycloak.models.UserConsentModel;
 import org.keycloak.models.PasswordPolicy;
 import org.keycloak.models.RealmModel;
@@ -32,6 +35,8 @@ import org.keycloak.models.UserCredentialValueModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.models.entities.CredentialEntity;
 import org.keycloak.models.entities.FederatedIdentityEntity;
+import org.keycloak.models.entities.OfflineClientSessionEntity;
+import org.keycloak.models.entities.OfflineUserSessionEntity;
 import org.keycloak.models.entities.RoleEntity;
 import org.keycloak.models.entities.UserEntity;
 import org.keycloak.models.utils.KeycloakModelUtils;
@@ -39,6 +44,7 @@ import org.keycloak.models.utils.Pbkdf2PasswordEncoder;
 import org.keycloak.util.Time;
 
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.Comparator;
 import java.util.HashMap;
@@ -216,7 +222,7 @@ public class UserAdapter implements UserModel, Comparable {
 
     @Override
     public Map<String, List<String>> getAttributes() {
-        return user.getAttributes()==null ? Collections.<String, List<String>>emptyMap() : Collections.unmodifiableMap((Map)user.getAttributes());
+        return user.getAttributes()==null ? Collections.<String, List<String>>emptyMap() : Collections.unmodifiableMap((Map) user.getAttributes());
     }
 
     @Override
@@ -568,6 +574,142 @@ public class UserAdapter implements UserModel, Comparable {
         return false;
     }
 
+    @Override
+    public void addOfflineUserSession(OfflineUserSessionModel userSession) {
+        if (user.getOfflineUserSessions() == null) {
+            user.setOfflineUserSessions(new ArrayList<OfflineUserSessionEntity>());
+        }
+
+        if (getUserSessionEntityById(userSession.getUserSessionId()) != null) {
+            throw new ModelDuplicateException("User session already exists with id " + userSession.getUserSessionId() + " for user " + user.getUsername());
+        }
+
+        OfflineUserSessionEntity entity = new OfflineUserSessionEntity();
+        entity.setUserSessionId(userSession.getUserSessionId());
+        entity.setData(userSession.getData());
+        entity.setOfflineClientSessions(new ArrayList<OfflineClientSessionEntity>());
+        user.getOfflineUserSessions().add(entity);
+    }
+
+    @Override
+    public OfflineUserSessionModel getOfflineUserSession(String userSessionId) {
+        OfflineUserSessionEntity entity = getUserSessionEntityById(userSessionId);
+        return entity==null ? null : toModel(entity);
+    }
+
+    @Override
+    public Collection<OfflineUserSessionModel> getOfflineUserSessions() {
+        if (user.getOfflineUserSessions()==null) {
+            return Collections.emptyList();
+        } else {
+            List<OfflineUserSessionModel> result = new ArrayList<>();
+            for (OfflineUserSessionEntity entity : user.getOfflineUserSessions()) {
+                result.add(toModel(entity));
+            }
+            return result;
+        }
+    }
+
+    private OfflineUserSessionModel toModel(OfflineUserSessionEntity entity) {
+        OfflineUserSessionModel model = new OfflineUserSessionModel();
+        model.setUserSessionId(entity.getUserSessionId());
+        model.setData(entity.getData());
+        return model;
+    }
+
+    @Override
+    public boolean removeOfflineUserSession(String userSessionId) {
+        OfflineUserSessionEntity entity = getUserSessionEntityById(userSessionId);
+        if (entity != null) {
+            user.getOfflineUserSessions().remove(entity);
+            return true;
+        } else {
+            return false;
+        }
+    }
+
+    private OfflineUserSessionEntity getUserSessionEntityById(String userSessionId) {
+        if (user.getOfflineUserSessions() != null) {
+            for (OfflineUserSessionEntity entity : user.getOfflineUserSessions()) {
+                if (entity.getUserSessionId().equals(userSessionId)) {
+                    return entity;
+                }
+            }
+        }
+        return null;
+    }
+
+    @Override
+    public void addOfflineClientSession(OfflineClientSessionModel clientSession) {
+        OfflineUserSessionEntity userSessionEntity = getUserSessionEntityById(clientSession.getUserSessionId());
+        if (userSessionEntity == null) {
+            throw new ModelException("OfflineUserSession with ID " + clientSession.getUserSessionId() + " doesn't exist for user " + user.getUsername());
+        }
+
+        OfflineClientSessionEntity clEntity = new OfflineClientSessionEntity();
+        clEntity.setClientSessionId(clientSession.getClientSessionId());
+        clEntity.setClientId(clientSession.getClientId());
+        clEntity.setData(clientSession.getData());
+
+        userSessionEntity.getOfflineClientSessions().add(clEntity);
+    }
+
+    @Override
+    public OfflineClientSessionModel getOfflineClientSession(String clientSessionId) {
+        if (user.getOfflineUserSessions() != null) {
+            for (OfflineUserSessionEntity userSession : user.getOfflineUserSessions()) {
+                for (OfflineClientSessionEntity clSession : userSession.getOfflineClientSessions()) {
+                    if (clSession.getClientSessionId().equals(clientSessionId)) {
+                        return toModel(clSession, userSession.getUserSessionId());
+                    }
+                }
+            }
+        }
+
+        return null;
+    }
+
+    private OfflineClientSessionModel toModel(OfflineClientSessionEntity cls, String userSessionId) {
+        OfflineClientSessionModel model = new OfflineClientSessionModel();
+        model.setClientSessionId(cls.getClientSessionId());
+        model.setClientId(cls.getClientId());
+        model.setData(cls.getData());
+        model.setUserSessionId(userSessionId);
+        return model;
+    }
+
+    @Override
+    public Collection<OfflineClientSessionModel> getOfflineClientSessions() {
+        List<OfflineClientSessionModel> result = new ArrayList<>();
+
+        if (user.getOfflineUserSessions() != null) {
+            for (OfflineUserSessionEntity userSession : user.getOfflineUserSessions()) {
+                for (OfflineClientSessionEntity clSession : userSession.getOfflineClientSessions()) {
+                    result.add(toModel(clSession, userSession.getUserSessionId()));
+                }
+            }
+        }
+
+        return result;
+    }
+
+    @Override
+    public boolean removeOfflineClientSession(String clientSessionId) {
+        if (user.getOfflineUserSessions() != null) {
+            for (OfflineUserSessionEntity userSession : user.getOfflineUserSessions()) {
+                for (OfflineClientSessionEntity clSession : userSession.getOfflineClientSessions()) {
+                    if (clSession.getClientSessionId().equals(clientSessionId)) {
+                        userSession.getOfflineClientSessions().remove(clSession);
+                        return true;
+                    }
+                }
+            }
+        }
+
+        return false;
+    }
+
+
     @Override
     public boolean equals(Object o) {
         if (this == o) return true;

model/invalidation-cache/infinispan/src/main/java/org/keycloak/models/cache/infinispan/ClientAdapter.java

@@ -430,6 +430,18 @@ public class ClientAdapter implements ClientModel {
         updated.setServiceAccountsEnabled(serviceAccountsEnabled);
     }
 
+    @Override
+    public boolean isOfflineTokensEnabled() {
+        if (updated != null) return updated.isOfflineTokensEnabled();
+        return cached.isOfflineTokensEnabled();
+    }
+
+    @Override
+    public void setOfflineTokensEnabled(boolean offlineTokensEnabled) {
+        getDelegateForUpdate();
+        updated.setOfflineTokensEnabled(offlineTokensEnabled);
+    }
+
     @Override
     public RoleModel getRole(String name) {
         if (updated != null) return updated.getRole(name);

model/invalidation-cache/infinispan/src/main/java/org/keycloak/models/cache/infinispan/DefaultCacheUserProvider.java

@@ -319,6 +319,7 @@ public class DefaultCacheUserProvider implements CacheUserProvider {
 
     @Override
     public void preRemove(RealmModel realm, ClientModel client) {
+        realmInvalidations.add(realm.getId()); // easier to just invalidate whole realm
         getDelegate().preRemove(realm, client);
     }
 

model/invalidation-cache/infinispan/src/main/java/org/keycloak/models/cache/infinispan/UserAdapter.java

@@ -348,4 +348,52 @@ public class UserAdapter implements UserModel {
         getDelegateForUpdate();
         return updated.revokeConsentForClient(clientId);
     }
+
+    @Override
+    public void addOfflineUserSession(OfflineUserSessionModel userSession) {
+        getDelegateForUpdate();
+        updated.addOfflineUserSession(userSession);
+    }
+
+    @Override
+    public OfflineUserSessionModel getOfflineUserSession(String userSessionId) {
+        if (updated != null) return updated.getOfflineUserSession(userSessionId);
+        return cached.getOfflineUserSessions().get(userSessionId);
+    }
+
+    @Override
+    public Collection<OfflineUserSessionModel> getOfflineUserSessions() {
+        if (updated != null) return updated.getOfflineUserSessions();
+        return cached.getOfflineUserSessions().values();
+    }
+
+    @Override
+    public boolean removeOfflineUserSession(String userSessionId) {
+        getDelegateForUpdate();
+        return updated.removeOfflineUserSession(userSessionId);
+    }
+
+    @Override
+    public void addOfflineClientSession(OfflineClientSessionModel clientSession) {
+        getDelegateForUpdate();
+        updated.addOfflineClientSession(clientSession);
+    }
+
+    @Override
+    public OfflineClientSessionModel getOfflineClientSession(String clientSessionId) {
+        if (updated != null) return updated.getOfflineClientSession(clientSessionId);
+        return cached.getOfflineClientSessions().get(clientSessionId);
+    }
+
+    @Override
+    public Collection<OfflineClientSessionModel> getOfflineClientSessions() {
+        if (updated != null) return updated.getOfflineClientSessions();
+        return cached.getOfflineClientSessions().values();
+    }
+
+    @Override
+    public boolean removeOfflineClientSession(String clientSessionId) {
+        getDelegateForUpdate();
+        return updated.removeOfflineClientSession(clientSessionId);
+    }
 }

model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedClient.java

@@ -47,6 +47,7 @@ public class CachedClient implements Serializable {
     private boolean bearerOnly;
     private boolean consentRequired;
     private boolean serviceAccountsEnabled;
+    private boolean offlineTokensEnabled;
     private Map<String, String> roles = new HashMap<String, String>();
     private int nodeReRegistrationTimeout;
     private Map<String, Integer> registeredNodes;
@@ -81,6 +82,7 @@ public class CachedClient implements Serializable {
         bearerOnly = model.isBearerOnly();
         consentRequired = model.isConsentRequired();
         serviceAccountsEnabled = model.isServiceAccountsEnabled();
+        offlineTokensEnabled = model.isOfflineTokensEnabled();
         for (RoleModel role : model.getRoles()) {
             roles.put(role.getName(), role.getId());
             cache.addCachedRole(new CachedClientRole(id, role, realm));
@@ -189,6 +191,10 @@ public class CachedClient implements Serializable {
         return serviceAccountsEnabled;
     }
 
+    public boolean isOfflineTokensEnabled() {
+        return offlineTokensEnabled;
+    }
+
     public Map<String, String> getRoles() {
         return roles;
     }

model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedUser.java

@@ -1,5 +1,7 @@
 package org.keycloak.models.cache.entities;
 
+import org.keycloak.models.OfflineClientSessionModel;
+import org.keycloak.models.OfflineUserSessionModel;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.RoleModel;
 import org.keycloak.models.UserCredentialValueModel;
@@ -7,9 +9,11 @@ import org.keycloak.models.UserModel;
 import org.keycloak.util.MultivaluedHashMap;
 
 import java.io.Serializable;
+import java.util.HashMap;
 import java.util.HashSet;
 import java.util.LinkedList;
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
 
 /**
@@ -33,6 +37,8 @@ public class CachedUser implements Serializable {
     private MultivaluedHashMap<String, String> attributes = new MultivaluedHashMap<>();
     private Set<String> requiredActions = new HashSet<>();
     private Set<String> roleMappings = new HashSet<String>();
+    private Map<String, OfflineUserSessionModel> offlineUserSessions = new HashMap<>();
+    private Map<String, OfflineClientSessionModel> offlineClientSessions = new HashMap<>();
 
     public CachedUser(RealmModel realm, UserModel user) {
         this.id = user.getId();
@@ -53,6 +59,12 @@ public class CachedUser implements Serializable {
         for (RoleModel role : user.getRoleMappings()) {
             roleMappings.add(role.getId());
         }
+        for (OfflineUserSessionModel offlineSession : user.getOfflineUserSessions()) {
+            offlineUserSessions.put(offlineSession.getUserSessionId(), offlineSession);
+        }
+        for (OfflineClientSessionModel offlineSession : user.getOfflineClientSessions()) {
+            offlineClientSessions.put(offlineSession.getClientSessionId(), offlineSession);
+        }
     }
 
     public String getId() {
@@ -118,4 +130,12 @@ public class CachedUser implements Serializable {
     public String getServiceAccountClientLink() {
         return serviceAccountClientLink;
     }
+
+    public Map<String, OfflineUserSessionModel> getOfflineUserSessions() {
+        return offlineUserSessions;
+    }
+
+    public Map<String, OfflineClientSessionModel> getOfflineClientSessions() {
+        return offlineClientSessions;
+    }
 }

model/jpa/src/main/java/org/keycloak/models/jpa/ClientAdapter.java

@@ -481,6 +481,16 @@ public class ClientAdapter implements ClientModel {
         entity.setServiceAccountsEnabled(serviceAccountsEnabled);
     }
 
+    @Override
+    public boolean isOfflineTokensEnabled() {
+        return entity.isOfflineTokensEnabled();
+    }
+
+    @Override
+    public void setOfflineTokensEnabled(boolean offlineTokensEnabled) {
+        entity.setOfflineTokensEnabled(offlineTokensEnabled);
+    }
+
     @Override
     public boolean isDirectGrantsOnly() {
         return entity.isDirectGrantsOnly();

model/jpa/src/main/java/org/keycloak/models/jpa/JpaUserProvider.java

@@ -169,6 +169,10 @@ public class JpaUserProvider implements UserProvider {
                 .setParameter("realmId", realm.getId()).executeUpdate();
         num = em.createNamedQuery("deleteUserAttributesByRealm")
                 .setParameter("realmId", realm.getId()).executeUpdate();
+        num = em.createNamedQuery("deleteOfflineClientSessionsByRealm")
+                .setParameter("realmId", realm.getId()).executeUpdate();
+        num = em.createNamedQuery("deleteOfflineUserSessionsByRealm")
+                .setParameter("realmId", realm.getId()).executeUpdate();
         num = em.createNamedQuery("deleteUsersByRealm")
                 .setParameter("realmId", realm.getId()).executeUpdate();
     }
@@ -195,6 +199,14 @@ public class JpaUserProvider implements UserProvider {
                 .setParameter("realmId", realm.getId())
                 .setParameter("link", link.getId())
                 .executeUpdate();
+        num = em.createNamedQuery("deleteOfflineClientSessionsByRealmAndLink")
+                .setParameter("realmId", realm.getId())
+                .setParameter("link", link.getId())
+                .executeUpdate();
+        num = em.createNamedQuery("deleteOfflineUserSessionsByRealmAndLink")
+                .setParameter("realmId", realm.getId())
+                .setParameter("link", link.getId())
+                .executeUpdate();
         num = em.createNamedQuery("deleteUsersByRealmAndLink")
                 .setParameter("realmId", realm.getId())
                 .setParameter("link", link.getId())
@@ -212,6 +224,8 @@ public class JpaUserProvider implements UserProvider {
         em.createNamedQuery("deleteUserConsentProtMappersByClient").setParameter("clientId", client.getId()).executeUpdate();
         em.createNamedQuery("deleteUserConsentRolesByClient").setParameter("clientId", client.getId()).executeUpdate();
         em.createNamedQuery("deleteUserConsentsByClient").setParameter("clientId", client.getId()).executeUpdate();
+        em.createNamedQuery("deleteOfflineClientSessionsByClient").setParameter("clientId", client.getId()).executeUpdate();
+        em.createNamedQuery("deleteDetachedOfflineUserSessions").executeUpdate();
     }
 
     @Override

model/jpa/src/main/java/org/keycloak/models/jpa/UserAdapter.java

@@ -2,6 +2,8 @@ package org.keycloak.models.jpa;
 
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.OTPPolicy;
+import org.keycloak.models.OfflineClientSessionModel;
+import org.keycloak.models.OfflineUserSessionModel;
 import org.keycloak.models.ProtocolMapperModel;
 import org.keycloak.models.UserConsentModel;
 import org.keycloak.models.ModelDuplicateException;
@@ -14,6 +16,8 @@ import org.keycloak.models.UserCredentialModel;
 import org.keycloak.models.UserCredentialValueModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.models.jpa.entities.CredentialEntity;
+import org.keycloak.models.jpa.entities.OfflineClientSessionEntity;
+import org.keycloak.models.jpa.entities.OfflineUserSessionEntity;
 import org.keycloak.models.jpa.entities.UserConsentEntity;
 import org.keycloak.models.jpa.entities.UserConsentProtocolMapperEntity;
 import org.keycloak.models.jpa.entities.UserConsentRoleEntity;
@@ -37,6 +41,7 @@ import java.util.Collection;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Iterator;
+import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -750,6 +755,124 @@ public class UserAdapter implements UserModel {
         em.flush();
     }
 
+    @Override
+    public void addOfflineUserSession(OfflineUserSessionModel offlineSession) {
+        OfflineUserSessionEntity entity = new OfflineUserSessionEntity();
+        entity.setUser(user);
+        entity.setUserSessionId(offlineSession.getUserSessionId());
+        entity.setData(offlineSession.getData());
+        em.persist(entity);
+        user.getOfflineUserSessions().add(entity);
+        em.flush();
+    }
+
+    @Override
+    public OfflineUserSessionModel getOfflineUserSession(String userSessionId) {
+        for (OfflineUserSessionEntity entity : user.getOfflineUserSessions()) {
+            if (entity.getUserSessionId().equals(userSessionId)) {
+                return toModel(entity);
+            }
+        }
+        return null;
+    }
+
+    private OfflineUserSessionModel toModel(OfflineUserSessionEntity entity) {
+        OfflineUserSessionModel model = new OfflineUserSessionModel();
+        model.setUserSessionId(entity.getUserSessionId());
+        model.setData(entity.getData());
+        return model;
+    }
+
+    @Override
+    public Collection<OfflineUserSessionModel> getOfflineUserSessions() {
+        List<OfflineUserSessionModel> result = new LinkedList<>();
+        for (OfflineUserSessionEntity entity : user.getOfflineUserSessions()) {
+            result.add(toModel(entity));
+        }
+        return result;
+    }
+
+    @Override
+    public boolean removeOfflineUserSession(String userSessionId) {
+        OfflineUserSessionEntity found = null;
+        for (OfflineUserSessionEntity session : user.getOfflineUserSessions()) {
+            if (session.getUserSessionId().equals(userSessionId)) {
+                found = session;
+                break;
+            }
+        }
+
+        if (found == null) {
+            return false;
+        } else {
+            user.getOfflineUserSessions().remove(found);
+            em.remove(found);
+            em.flush();
+            return true;
+        }
+    }
+
+    @Override
+    public void addOfflineClientSession(OfflineClientSessionModel clientSession) {
+        OfflineClientSessionEntity entity = new OfflineClientSessionEntity();
+        entity.setUser(user);
+        entity.setClientSessionId(clientSession.getClientSessionId());
+        entity.setUserSessionId(clientSession.getUserSessionId());
+        entity.setClientId(clientSession.getClientId());
+        entity.setData(clientSession.getData());
+        em.persist(entity);
+        user.getOfflineClientSessions().add(entity);
+        em.flush();
+    }
+
+    @Override
+    public OfflineClientSessionModel getOfflineClientSession(String clientSessionId) {
+        for (OfflineClientSessionEntity entity : user.getOfflineClientSessions()) {
+            if (entity.getClientSessionId().equals(clientSessionId)) {
+                return toModel(entity);
+            }
+        }
+        return null;
+    }
+
+    private OfflineClientSessionModel toModel(OfflineClientSessionEntity entity) {
+        OfflineClientSessionModel model = new OfflineClientSessionModel();
+        model.setClientSessionId(entity.getClientSessionId());
+        model.setClientId(entity.getClientId());
+        model.setUserSessionId(entity.getUserSessionId());
+        model.setData(entity.getData());
+        return model;
+    }
+
+    @Override
+    public Collection<OfflineClientSessionModel> getOfflineClientSessions() {
+        List<OfflineClientSessionModel> result = new LinkedList<>();
+        for (OfflineClientSessionEntity entity : user.getOfflineClientSessions()) {
+            result.add(toModel(entity));
+        }
+        return result;
+    }
+
+    @Override
+    public boolean removeOfflineClientSession(String clientSessionId) {
+        OfflineClientSessionEntity found = null;
+        for (OfflineClientSessionEntity session : user.getOfflineClientSessions()) {
+            if (session.getClientSessionId().equals(clientSessionId)) {
+                found = session;
+                break;
+            }
+        }
+
+        if (found == null) {
+            return false;
+        } else {
+            user.getOfflineClientSessions().remove(found);
+            em.remove(found);
+            em.flush();
+            return true;
+        }
+    }
+
     @Override
     public boolean equals(Object o) {
         if (this == o) return true;

model/jpa/src/main/java/org/keycloak/models/jpa/entities/ClientEntity.java

@@ -100,6 +100,9 @@ public class ClientEntity {
     @Column(name="SERVICE_ACCOUNTS_ENABLED")
     private boolean serviceAccountsEnabled;
 
+    @Column(name="OFFLINE_TOKENS_ENABLED")
+    private boolean offlineTokensEnabled;
+
     @Column(name="NODE_REREG_TIMEOUT")
     private int nodeReRegistrationTimeout;
 
@@ -316,6 +319,14 @@ public class ClientEntity {
         this.serviceAccountsEnabled = serviceAccountsEnabled;
     }
 
+    public boolean isOfflineTokensEnabled() {
+        return offlineTokensEnabled;
+    }
+
+    public void setOfflineTokensEnabled(boolean offlineTokensEnabled) {
+        this.offlineTokensEnabled = offlineTokensEnabled;
+    }
+
     public boolean isDirectGrantsOnly() {
         return directGrantsOnly;
     }

model/jpa/src/main/java/org/keycloak/models/jpa/entities/OfflineClientSessionEntity.java

@@ -0,0 +1,81 @@
+package org.keycloak.models.jpa.entities;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.FetchType;
+import javax.persistence.Id;
+import javax.persistence.JoinColumn;
+import javax.persistence.ManyToOne;
+import javax.persistence.NamedQueries;
+import javax.persistence.NamedQuery;
+import javax.persistence.Table;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+@NamedQueries({
+        @NamedQuery(name="deleteOfflineClientSessionsByRealm", query="delete from OfflineClientSessionEntity sess where sess.user IN (select u from UserEntity u where u.realmId=:realmId)"),
+        @NamedQuery(name="deleteOfflineClientSessionsByRealmAndLink", query="delete from OfflineClientSessionEntity sess where sess.user IN (select u from UserEntity u where u.realmId=:realmId and u.federationLink=:link)"),
+        @NamedQuery(name="deleteOfflineClientSessionsByClient", query="delete from OfflineClientSessionEntity sess where sess.clientId=:clientId")
+})
+@Table(name="OFFLINE_CLIENT_SESSION")
+@Entity
+public class OfflineClientSessionEntity {
+
+    @Id
+    @Column(name="CLIENT_SESSION_ID", length = 36)
+    protected String clientSessionId;
+
+    @Column(name="USER_SESSION_ID", length = 36)
+    protected String userSessionId;
+
+    @Column(name="CLIENT_ID", length = 36)
+    protected String clientId;
+
+    @ManyToOne(fetch = FetchType.LAZY)
+    @JoinColumn(name="USER_ID")
+    protected UserEntity user;
+
+    @Column(name="DATA")
+    protected String data;
+
+    public String getClientSessionId() {
+        return clientSessionId;
+    }
+
+    public void setClientSessionId(String clientSessionId) {
+        this.clientSessionId = clientSessionId;
+    }
+
+    public String getUserSessionId() {
+        return userSessionId;
+    }
+
+    public void setUserSessionId(String userSessionId) {
+        this.userSessionId = userSessionId;
+    }
+
+    public String getClientId() {
+        return clientId;
+    }
+
+    public void setClientId(String clientId) {
+        this.clientId = clientId;
+    }
+
+    public UserEntity getUser() {
+        return user;
+    }
+
+    public void setUser(UserEntity user) {
+        this.user = user;
+    }
+
+    public String getData() {
+        return data;
+    }
+
+    public void setData(String data) {
+        this.data = data;
+    }
+}

model/jpa/src/main/java/org/keycloak/models/jpa/entities/OfflineUserSessionEntity.java

@@ -0,0 +1,59 @@
+package org.keycloak.models.jpa.entities;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.FetchType;
+import javax.persistence.Id;
+import javax.persistence.JoinColumn;
+import javax.persistence.ManyToOne;
+import javax.persistence.NamedQueries;
+import javax.persistence.NamedQuery;
+import javax.persistence.Table;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+@NamedQueries({
+        @NamedQuery(name="deleteOfflineUserSessionsByRealm", query="delete from OfflineUserSessionEntity sess where sess.user IN (select u from UserEntity u where u.realmId=:realmId)"),
+        @NamedQuery(name="deleteOfflineUserSessionsByRealmAndLink", query="delete from OfflineUserSessionEntity sess where sess.user IN (select u from UserEntity u where u.realmId=:realmId and u.federationLink=:link)"),
+        @NamedQuery(name="deleteDetachedOfflineUserSessions", query="delete from OfflineUserSessionEntity sess where sess.userSessionId NOT IN (select c.userSessionId from OfflineClientSessionEntity c)")
+})
+@Table(name="OFFLINE_USER_SESSION")
+@Entity
+public class OfflineUserSessionEntity {
+
+    @Id
+    @Column(name="USER_SESSION_ID", length = 36)
+    protected String userSessionId;
+
+    @ManyToOne(fetch = FetchType.LAZY)
+    @JoinColumn(name="USER_ID")
+    protected UserEntity user;
+
+    @Column(name="DATA")
+    protected String data;
+
+    public String getUserSessionId() {
+        return userSessionId;
+    }
+
+    public void setUserSessionId(String userSessionId) {
+        this.userSessionId = userSessionId;
+    }
+
+    public UserEntity getUser() {
+        return user;
+    }
+
+    public void setUser(UserEntity user) {
+        this.user = user;
+    }
+
+    public String getData() {
+        return data;
+    }
+
+    public void setData(String data) {
+        this.data = data;
+    }
+}

model/jpa/src/main/java/org/keycloak/models/jpa/entities/UserEntity.java

@@ -3,9 +3,13 @@ package org.keycloak.models.jpa.entities;
 import org.keycloak.models.utils.KeycloakModelUtils;
 
 import javax.persistence.CascadeType;
+import javax.persistence.CollectionTable;
 import javax.persistence.Column;
+import javax.persistence.ElementCollection;
 import javax.persistence.Entity;
 import javax.persistence.Id;
+import javax.persistence.JoinColumn;
+import javax.persistence.MapKeyColumn;
 import javax.persistence.NamedQueries;
 import javax.persistence.NamedQuery;
 import javax.persistence.OneToMany;
@@ -14,6 +18,8 @@ import javax.persistence.UniqueConstraint;
 
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.HashMap;
+import java.util.Map;
 
 /**
  * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
@@ -83,6 +89,12 @@ public class UserEntity {
     @Column(name="SERVICE_ACCOUNT_CLIENT_LINK")
     protected String serviceAccountClientLink;
 
+    @OneToMany(cascade = CascadeType.REMOVE, orphanRemoval = true, mappedBy="user")
+    protected Collection<OfflineUserSessionEntity> offlineUserSessions = new ArrayList<>();
+
+    @OneToMany(cascade = CascadeType.REMOVE, orphanRemoval = true, mappedBy="user")
+    protected Collection<OfflineClientSessionEntity> offlineClientSessions = new ArrayList<>();
+
     public String getId() {
         return id;
     }
@@ -212,6 +224,22 @@ public class UserEntity {
         this.serviceAccountClientLink = serviceAccountClientLink;
     }
 
+    public Collection<OfflineUserSessionEntity> getOfflineUserSessions() {
+        return offlineUserSessions;
+    }
+
+    public void setOfflineUserSessions(Collection<OfflineUserSessionEntity> offlineUserSessions) {
+        this.offlineUserSessions = offlineUserSessions;
+    }
+
+    public Collection<OfflineClientSessionEntity> getOfflineClientSessions() {
+        return offlineClientSessions;
+    }
+
+    public void setOfflineClientSessions(Collection<OfflineClientSessionEntity> offlineClientSessions) {
+        this.offlineClientSessions = offlineClientSessions;
+    }
+
     @Override
     public boolean equals(Object o) {
         if (this == o) return true;

model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/ClientAdapter.java

@@ -483,6 +483,17 @@ public class ClientAdapter extends AbstractMongoAdapter<MongoClientEntity> imple
         updateMongoEntity();
     }
 
+    @Override
+    public boolean isOfflineTokensEnabled() {
+        return getMongoEntity().isOfflineTokensEnabled();
+    }
+
+    @Override
+    public void setOfflineTokensEnabled(boolean offlineTokensEnabled) {
+        getMongoEntity().setOfflineTokensEnabled(offlineTokensEnabled);
+        updateMongoEntity();
+    }
+
     @Override
     public boolean isDirectGrantsOnly() {
         return getMongoEntity().isDirectGrantsOnly();

model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/MongoUserProvider.java

@@ -19,6 +19,8 @@ import org.keycloak.models.UserFederationProviderModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.models.UserProvider;
 import org.keycloak.models.entities.FederatedIdentityEntity;
+import org.keycloak.models.entities.OfflineClientSessionEntity;
+import org.keycloak.models.entities.OfflineUserSessionEntity;
 import org.keycloak.models.mongo.keycloak.entities.MongoUserConsentEntity;
 import org.keycloak.models.mongo.keycloak.entities.MongoUserEntity;
 import org.keycloak.models.utils.CredentialValidation;
@@ -399,6 +401,36 @@ public class MongoUserProvider implements UserProvider {
                 .and("clientId").is(client.getId())
                 .get();
         getMongoStore().removeEntities(MongoUserConsentEntity.class, query, false, invocationContext);
+
+        // Remove all offlineClientSessions
+        query = new QueryBuilder()
+                .and("offlineUserSessions.offlineClientSessions.clientId").is(client.getId())
+                .get();
+        List<MongoUserEntity> users = getMongoStore().loadEntities(MongoUserEntity.class, query, invocationContext);
+        for (MongoUserEntity user : users) {
+            boolean anyRemoved = false;
+            for (OfflineUserSessionEntity userSession : user.getOfflineUserSessions()) {
+                for (OfflineClientSessionEntity clientSession : userSession.getOfflineClientSessions()) {
+                    if (clientSession.getClientId().equals(client.getId())) {
+                        userSession.getOfflineClientSessions().remove(clientSession);
+                        anyRemoved = true;
+                        break;
+                    }
+                }
+
+                // Check if it was last clientSession. Then remove userSession too
+                if (userSession.getOfflineClientSessions().size() == 0) {
+                    user.getOfflineUserSessions().remove(userSession);
+                    anyRemoved = true;
+                    break;
+                }
+            }
+
+            if (anyRemoved) {
+                getMongoStore().updateEntity(user, invocationContext);
+            }
+
+        }
     }
 
     @Override

model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/UserAdapter.java

@@ -8,6 +8,8 @@ import com.mongodb.QueryBuilder;
 import org.keycloak.connections.mongo.api.context.MongoStoreInvocationContext;
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.OTPPolicy;
+import org.keycloak.models.OfflineClientSessionModel;
+import org.keycloak.models.OfflineUserSessionModel;
 import org.keycloak.models.ProtocolMapperModel;
 import org.keycloak.models.UserConsentModel;
 import org.keycloak.models.KeycloakSession;
@@ -20,6 +22,8 @@ import org.keycloak.models.UserCredentialModel;
 import org.keycloak.models.UserCredentialValueModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.models.entities.CredentialEntity;
+import org.keycloak.models.entities.OfflineClientSessionEntity;
+import org.keycloak.models.entities.OfflineUserSessionEntity;
 import org.keycloak.models.entities.UserConsentEntity;
 import org.keycloak.models.mongo.keycloak.entities.MongoUserConsentEntity;
 import org.keycloak.models.mongo.keycloak.entities.MongoUserEntity;
@@ -30,6 +34,7 @@ import org.keycloak.models.utils.Pbkdf2PasswordEncoder;
 import org.keycloak.util.Time;
 
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.Comparator;
 import java.util.HashMap;
@@ -627,6 +632,145 @@ public class UserAdapter extends AbstractMongoAdapter<MongoUserEntity> implement
         return getMongoStore().removeEntity(entity, invocationContext);
     }
 
+    @Override
+    public void addOfflineUserSession(OfflineUserSessionModel userSession) {
+        if (user.getOfflineUserSessions() == null) {
+            user.setOfflineUserSessions(new ArrayList<OfflineUserSessionEntity>());
+        }
+
+        if (getUserSessionEntityById(userSession.getUserSessionId()) != null) {
+            throw new ModelDuplicateException("User session already exists with id " + userSession.getUserSessionId() + " for user " + getMongoEntity().getUsername());
+        }
+
+        OfflineUserSessionEntity entity = new OfflineUserSessionEntity();
+        entity.setUserSessionId(userSession.getUserSessionId());
+        entity.setData(userSession.getData());
+        entity.setOfflineClientSessions(new ArrayList<OfflineClientSessionEntity>());
+        user.getOfflineUserSessions().add(entity);
+        updateUser();
+    }
+
+    @Override
+    public OfflineUserSessionModel getOfflineUserSession(String userSessionId) {
+        OfflineUserSessionEntity entity = getUserSessionEntityById(userSessionId);
+        return entity==null ? null : toModel(entity);
+    }
+
+    @Override
+    public Collection<OfflineUserSessionModel> getOfflineUserSessions() {
+        if (user.getOfflineUserSessions()==null) {
+            return Collections.emptyList();
+        } else {
+            List<OfflineUserSessionModel> result = new ArrayList<>();
+            for (OfflineUserSessionEntity entity : user.getOfflineUserSessions()) {
+                result.add(toModel(entity));
+            }
+            return result;
+        }
+    }
+
+    private OfflineUserSessionModel toModel(OfflineUserSessionEntity entity) {
+        OfflineUserSessionModel model = new OfflineUserSessionModel();
+        model.setUserSessionId(entity.getUserSessionId());
+        model.setData(entity.getData());
+        return model;
+    }
+
+    @Override
+    public boolean removeOfflineUserSession(String userSessionId) {
+        OfflineUserSessionEntity entity = getUserSessionEntityById(userSessionId);
+        if (entity != null) {
+            user.getOfflineUserSessions().remove(entity);
+            updateUser();
+            return true;
+        } else {
+            return false;
+        }
+    }
+
+    private OfflineUserSessionEntity getUserSessionEntityById(String userSessionId) {
+        if (user.getOfflineUserSessions() != null) {
+            for (OfflineUserSessionEntity entity : user.getOfflineUserSessions()) {
+                if (entity.getUserSessionId().equals(userSessionId)) {
+                    return entity;
+                }
+            }
+        }
+        return null;
+    }
+
+    @Override
+    public void addOfflineClientSession(OfflineClientSessionModel clientSession) {
+        OfflineUserSessionEntity userSessionEntity = getUserSessionEntityById(clientSession.getUserSessionId());
+        if (userSessionEntity == null) {
+            throw new ModelException("OfflineUserSession with ID " + clientSession.getUserSessionId() + " doesn't exist for user " + getMongoEntity().getUsername());
+        }
+
+        OfflineClientSessionEntity clEntity = new OfflineClientSessionEntity();
+        clEntity.setClientSessionId(clientSession.getClientSessionId());
+        clEntity.setClientId(clientSession.getClientId());
+        clEntity.setData(clientSession.getData());
+
+        userSessionEntity.getOfflineClientSessions().add(clEntity);
+        updateUser();
+    }
+
+    @Override
+    public OfflineClientSessionModel getOfflineClientSession(String clientSessionId) {
+        if (user.getOfflineUserSessions() != null) {
+            for (OfflineUserSessionEntity userSession : user.getOfflineUserSessions()) {
+                for (OfflineClientSessionEntity clSession : userSession.getOfflineClientSessions()) {
+                    if (clSession.getClientSessionId().equals(clientSessionId)) {
+                        return toModel(clSession, userSession.getUserSessionId());
+                    }
+                }
+            }
+        }
+
+        return null;
+    }
+
+    private OfflineClientSessionModel toModel(OfflineClientSessionEntity cls, String userSessionId) {
+        OfflineClientSessionModel model = new OfflineClientSessionModel();
+        model.setClientSessionId(cls.getClientSessionId());
+        model.setClientId(cls.getClientId());
+        model.setData(cls.getData());
+        model.setUserSessionId(userSessionId);
+        return model;
+    }
+
+    @Override
+    public Collection<OfflineClientSessionModel> getOfflineClientSessions() {
+        List<OfflineClientSessionModel> result = new ArrayList<>();
+
+        if (user.getOfflineUserSessions() != null) {
+            for (OfflineUserSessionEntity userSession : user.getOfflineUserSessions()) {
+                for (OfflineClientSessionEntity clSession : userSession.getOfflineClientSessions()) {
+                    result.add(toModel(clSession, userSession.getUserSessionId()));
+                }
+            }
+        }
+
+        return result;
+    }
+
+    @Override
+    public boolean removeOfflineClientSession(String clientSessionId) {
+        if (user.getOfflineUserSessions() != null) {
+            for (OfflineUserSessionEntity userSession : user.getOfflineUserSessions()) {
+                for (OfflineClientSessionEntity clSession : userSession.getOfflineClientSessions()) {
+                    if (clSession.getClientSessionId().equals(clientSessionId)) {
+                        userSession.getOfflineClientSessions().remove(clSession);
+                        updateUser();
+                        return true;
+                    }
+                }
+            }
+        }
+
+        return false;
+    }
+
     @Override
     public boolean equals(Object o) {
         if (this == o) return true;

model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/UserSessionAdapter.java

@@ -14,6 +14,7 @@ import java.util.Collections;
 import java.util.HashMap;
 import java.util.LinkedList;
 import java.util.List;
+import java.util.Map;
 
 /**
  * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
@@ -109,6 +110,11 @@ public class UserSessionAdapter implements UserSessionModel {
         }
     }
 
+    @Override
+    public Map<String, String> getNotes() {
+        return entity.getNotes();
+    }
+
     @Override
     public State getState() {
         return entity.getState();

model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/compat/UserSessionAdapter.java

@@ -10,6 +10,7 @@ import org.keycloak.models.sessions.infinispan.compat.entities.UserSessionEntity
 
 import java.util.LinkedList;
 import java.util.List;
+import java.util.Map;
 
 /**
  * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
@@ -144,5 +145,8 @@ public class UserSessionAdapter implements UserSessionModel {
 
     }
 
-
+    @Override
+    public Map<String, String> getNotes() {
+        return entity.getNotes();
+    }
 }

services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientAuthenticator.java

@@ -27,7 +27,7 @@ import org.keycloak.services.Urls;
 
 /**
  * Client authentication based on JWT signed by client private key .
- * See <a href="https://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-03">specs</a> for more details.
+ * See <a href="https://tools.ietf.org/html/rfc7519">specs</a> for more details.
  *
  * This is server side, which verifies JWT from client_assertion parameter, where the assertion was created on adapter side by
  * org.keycloak.adapters.authentication.JWTClientCredentialsProvider

services/src/main/java/org/keycloak/authentication/requiredactions/UpdateProfile.java

@@ -52,7 +52,7 @@ public class UpdateProfile implements RequiredActionProvider, RequiredActionFact
         RealmModel realm = context.getRealm();
 
 
-        List<FormMessage> errors = Validation.validateUpdateProfileForm(formData);
+        List<FormMessage> errors = Validation.validateUpdateProfileForm(realm, formData);
         if (errors != null && !errors.isEmpty()) {
             Response challenge = context.form()
                     .setErrors(errors)
@@ -62,6 +62,28 @@ public class UpdateProfile implements RequiredActionProvider, RequiredActionFact
             return;
         }
 
+        if (realm.isEditUsernameAllowed()) {
+            String username = formData.getFirst("username");
+            String oldUsername = user.getUsername();
+
+            boolean usernameChanged = oldUsername != null ? !oldUsername.equals(username) : username != null;
+
+            if (usernameChanged) {
+
+                if (session.users().getUserByUsername(username, realm) != null) {
+                    Response challenge = context.form()
+                            .setError(Messages.USERNAME_EXISTS)
+                            .setFormData(formData)
+                            .createResponse(UserModel.RequiredAction.UPDATE_PROFILE);
+                    context.challenge(challenge);
+                    return;
+                }
+
+                user.setUsername(username);
+            }
+
+        }
+
         user.setFirstName(formData.getFirst("firstName"));
         user.setLastName(formData.getFirst("lastName"));
 

services/src/main/java/org/keycloak/protocol/oidc/OIDCWellKnownProvider.java

@@ -20,7 +20,7 @@ public class OIDCWellKnownProvider implements WellKnownProvider {
 
     public static final List<String> DEFAULT_ID_TOKEN_SIGNING_ALG_VALUES_SUPPORTED = list("RS256");
 
-    public static final List<String> DEFAULT_GRANT_TYPES_SUPPORTED = list(OAuth2Constants.AUTHORIZATION_CODE, OAuth2Constants.REFRESH_TOKEN, OAuth2Constants.PASSWORD);
+    public static final List<String> DEFAULT_GRANT_TYPES_SUPPORTED = list(OAuth2Constants.AUTHORIZATION_CODE, OAuth2Constants.REFRESH_TOKEN, OAuth2Constants.PASSWORD, OAuth2Constants.CLIENT_CREDENTIALS);
 
     public static final List<String> DEFAULT_RESPONSE_TYPES_SUPPORTED = list(OAuth2Constants.CODE);
 

services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java

@@ -3,8 +3,8 @@ package org.keycloak.protocol.oidc;
 import org.jboss.logging.Logger;
 import org.keycloak.ClientConnection;
 import org.keycloak.OAuthErrorException;
-import org.keycloak.authentication.AuthenticationProcessor;
 import org.keycloak.events.Details;
+import org.keycloak.events.Errors;
 import org.keycloak.events.EventBuilder;
 import org.keycloak.jose.jws.JWSBuilder;
 import org.keycloak.jose.jws.JWSInput;
@@ -27,11 +27,15 @@ import org.keycloak.representations.AccessToken;
 import org.keycloak.representations.AccessTokenResponse;
 import org.keycloak.representations.IDToken;
 import org.keycloak.representations.RefreshToken;
+import org.keycloak.services.ErrorResponseException;
 import org.keycloak.services.managers.AuthenticationManager;
 import org.keycloak.services.managers.ClientSessionCode;
+import org.keycloak.services.offline.OfflineUserSessionManager;
+import org.keycloak.util.RefreshTokenUtil;
 import org.keycloak.util.Time;
 
 import javax.ws.rs.core.HttpHeaders;
+import javax.ws.rs.core.Response;
 import javax.ws.rs.core.UriInfo;
 import java.io.IOException;
 import java.util.HashSet;
@@ -85,16 +89,31 @@ public class TokenManager {
             throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "User disabled", "User disabled");
         }
 
-        UserSessionModel userSession = session.sessions().getUserSession(realm, oldToken.getSessionState());
+        UserSessionModel userSession = null;
-        if (!AuthenticationManager.isSessionValid(realm, userSession)) {
-            AuthenticationManager.backchannelLogout(session, realm, userSession, uriInfo, connection, headers, true);
-            throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Session not active", "Session not active");
-        }
         ClientSessionModel clientSession = null;
-        for (ClientSessionModel clientSessionModel : userSession.getClientSessions()) {
+        if (RefreshTokenUtil.TOKEN_TYPE_OFFLINE.equals(oldToken.getType())) {
-            if (clientSessionModel.getId().equals(oldToken.getClientSession())) {
+            // Check if offline tokens still allowed for the client
-                clientSession = clientSessionModel;
+            clientSession = new OfflineUserSessionManager().findOfflineClientSession(realm, user, oldToken.getClientSession(), oldToken.getSessionState());
-                break;
+            if (clientSession != null) {
+                if (!clientSession.getClient().isOfflineTokensEnabled()) {
+                    throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Offline tokens not allowed for client", "Offline tokens not allowed for client");
+                }
+
+                userSession = clientSession.getUserSession();
+            }
+        } else {
+            // Find userSession regularly for online tokens
+            userSession = session.sessions().getUserSession(realm, oldToken.getSessionState());
+            if (!AuthenticationManager.isSessionValid(realm, userSession)) {
+                AuthenticationManager.backchannelLogout(session, realm, userSession, uriInfo, connection, headers, true);
+                throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Session not active", "Session not active");
+            }
+
+            for (ClientSessionModel clientSessionModel : userSession.getClientSessions()) {
+                if (clientSessionModel.getId().equals(oldToken.getClientSession())) {
+                    clientSession = clientSessionModel;
+                    break;
+                }
             }
         }
 
@@ -126,10 +145,12 @@ public class TokenManager {
 
     }
 
-    public AccessTokenResponse refreshAccessToken(KeycloakSession session, UriInfo uriInfo, ClientConnection connection, RealmModel realm, ClientModel authorizedClient, String encodedRefreshToken, EventBuilder event, HttpHeaders headers) throws OAuthErrorException {
+    public RefreshResult refreshAccessToken(KeycloakSession session, UriInfo uriInfo, ClientConnection connection, RealmModel realm, ClientModel authorizedClient, String encodedRefreshToken, EventBuilder event, HttpHeaders headers) throws OAuthErrorException {
         RefreshToken refreshToken = verifyRefreshToken(realm, encodedRefreshToken);
 
-        event.user(refreshToken.getSubject()).session(refreshToken.getSessionState()).detail(Details.REFRESH_TOKEN_ID, refreshToken.getId());
+        event.user(refreshToken.getSubject()).session(refreshToken.getSessionState())
+                .detail(Details.REFRESH_TOKEN_ID, refreshToken.getId())
+                .detail(Details.REFRESH_TOKEN_TYPE, refreshToken.getType());
 
         TokenValidation validation = validateToken(session, uriInfo, connection, realm, refreshToken, headers);
         // validate authorizedClient is same as validated client
@@ -140,11 +161,17 @@ public class TokenManager {
         int currentTime = Time.currentTime();
         validation.userSession.setLastSessionRefresh(currentTime);
 
-        AccessTokenResponse res = responseBuilder(realm, authorizedClient, event, session, validation.userSession, validation.clientSession)
+        AccessTokenResponseBuilder responseBuilder = responseBuilder(realm, authorizedClient, event, session, validation.userSession, validation.clientSession)
                 .accessToken(validation.newToken)
-                .generateIDToken()
+                .generateIDToken();
-                .generateRefreshToken().build();
+
-        return res;
+        // Don't generate refresh token again if refresh was triggered with offline token
+        if (!refreshToken.getType().equals(RefreshTokenUtil.TOKEN_TYPE_OFFLINE)) {
+            responseBuilder.generateRefreshToken();
+        }
+
+        AccessTokenResponse res = responseBuilder.build();
+        return new RefreshResult(res, RefreshTokenUtil.TOKEN_TYPE_OFFLINE.equals(refreshToken.getType()));
     }
 
     public RefreshToken verifyRefreshToken(RealmModel realm, String encodedRefreshToken) throws OAuthErrorException {
@@ -158,7 +185,7 @@ public class TokenManager {
         } catch (Exception e) {
             throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Invalid refresh token", e);
         }
-        if (refreshToken.isExpired()) {
+        if (refreshToken.getExpiration() != 0 && refreshToken.isExpired()) {
             throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Refresh token expired");
         }
 
@@ -172,18 +199,18 @@ public class TokenManager {
         IDToken idToken = null;
         try {
             if (!RSAProvider.verify(jws, realm.getPublicKey())) {
-                throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Invalid refresh token");
+                throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Invalid IDToken");
             }
             idToken = jws.readJsonContent(IDToken.class);
         } catch (IOException e) {
-            throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Invalid refresh token", e);
+            throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Invalid IDToken", e);
         }
         if (idToken.isExpired()) {
-            throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Refresh token expired");
+            throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "IDToken expired");
         }
 
         if (idToken.getIssuedAt() < realm.getNotBefore()) {
-            throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Stale refresh token");
+            throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Stale IDToken");
         }
         return idToken;
     }
@@ -250,9 +277,7 @@ public class TokenManager {
         if (client.isFullScopeAllowed()) return roleMappings;
 
         Set<RoleModel> scopeMappings = client.getScopeMappings();
-        if (client instanceof ClientModel) {
+        scopeMappings.addAll(client.getRoles());
-            scopeMappings.addAll(((ClientModel) client).getRoles());
-        }
 
         for (RoleModel role : roleMappings) {
             for (RoleModel desiredRole : scopeMappings) {
@@ -409,7 +434,9 @@ public class TokenManager {
             return this;
         }
 
-        public AccessTokenResponseBuilder generateAccessToken(KeycloakSession session, String scopeParam, ClientModel client, UserModel user, UserSessionModel userSession, ClientSessionModel clientSession) {
+        public AccessTokenResponseBuilder generateAccessToken() {
+            UserModel user = userSession.getUser();
+            String scopeParam = clientSession.getNote(OIDCLoginProtocol.SCOPE_PARAM);
             Set<RoleModel> requestedRoles = getAccess(scopeParam, client, user);
             accessToken = createClientAccessToken(session, requestedRoles, realm, client, user, userSession, clientSession);
             return this;
@@ -419,10 +446,24 @@ public class TokenManager {
             if (accessToken == null) {
                 throw new IllegalStateException("accessToken not set");
             }
-            refreshToken = new RefreshToken(accessToken);
+
+            String scopeParam = clientSession.getNote(OIDCLoginProtocol.SCOPE_PARAM);
+            boolean offlineTokenRequested = RefreshTokenUtil.isOfflineTokenRequested(scopeParam);
+            if (offlineTokenRequested) {
+                if (!clientSession.getClient().isOfflineTokensEnabled()) {
+                    event.error(Errors.INVALID_CLIENT);
+                    throw new ErrorResponseException("invalid_client", "Offline tokens not allowed for the client", Response.Status.BAD_REQUEST);
+                }
+
+                refreshToken = new RefreshToken(accessToken);
+                refreshToken.type(RefreshTokenUtil.TOKEN_TYPE_OFFLINE);
+                new OfflineUserSessionManager().persistOfflineSession(clientSession, userSession);
+            } else {
+                refreshToken = new RefreshToken(accessToken);
+                refreshToken.expiration(Time.currentTime() + realm.getSsoSessionIdleTimeout());
+            }
             refreshToken.id(KeycloakModelUtils.generateId());
             refreshToken.issuedNow();
-            refreshToken.expiration(Time.currentTime() + realm.getSsoSessionIdleTimeout());
             return this;
         }
 
@@ -459,6 +500,7 @@ public class TokenManager {
                 } else {
                     event.detail(Details.REFRESH_TOKEN_ID, refreshToken.getId());
                 }
+                event.detail(Details.REFRESH_TOKEN_TYPE, refreshToken.getType());
             }
 
             AccessTokenResponse res = new AccessTokenResponse();
@@ -489,4 +531,23 @@ public class TokenManager {
         }
     }
 
+    public class RefreshResult {
+
+        private final AccessTokenResponse response;
+        private final boolean offlineToken;
+
+        private RefreshResult(AccessTokenResponse response, boolean offlineToken) {
+            this.response = response;
+            this.offlineToken = offlineToken;
+        }
+
+        public AccessTokenResponse getResponse() {
+            return response;
+        }
+
+        public boolean isOfflineToken() {
+            return offlineToken;
+        }
+    }
+
 }

services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java

@@ -262,11 +262,14 @@ public class TokenEndpoint {
 
         AccessTokenResponse res;
         try {
-            res = tokenManager.refreshAccessToken(session, uriInfo, clientConnection, realm, client, refreshToken, event, headers);
+            TokenManager.RefreshResult result = tokenManager.refreshAccessToken(session, uriInfo, clientConnection, realm, client, refreshToken, event, headers);
+            res = result.getResponse();
 
-            UserSessionModel userSession = session.sessions().getUserSession(realm, res.getSessionState());
+            if (!result.isOfflineToken()) {
-            updateClientSessions(userSession.getClientSessions());
+                UserSessionModel userSession = session.sessions().getUserSession(realm, res.getSessionState());
-            updateUserSessionFromClientAuth(userSession);
+                updateClientSessions(userSession.getClientSessions());
+                updateUserSessionFromClientAuth(userSession);
+            }
 
         } catch (OAuthErrorException e) {
             event.error(Errors.INVALID_TOKEN);
@@ -337,6 +340,8 @@ public class TokenEndpoint {
         clientSession.setAuthMethod(OIDCLoginProtocol.LOGIN_PROTOCOL);
         clientSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name());
         clientSession.setNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName()));
+        clientSession.setNote(OIDCLoginProtocol.SCOPE_PARAM, scope);
+
         AuthenticationFlowModel flow = realm.getDirectGrantFlow();
         String flowId = flow.getId();
         AuthenticationProcessor processor = new AuthenticationProcessor();
@@ -363,7 +368,7 @@ public class TokenEndpoint {
         updateUserSessionFromClientAuth(userSession);
 
         AccessTokenResponse res = tokenManager.responseBuilder(realm, client, event, session, userSession, clientSession)
-                .generateAccessToken(session, scope, client, user, userSession, clientSession)
+                .generateAccessToken()
                 .generateRefreshToken()
                 .generateIDToken()
                 .build();
@@ -415,6 +420,7 @@ public class TokenEndpoint {
         ClientSessionModel clientSession = sessions.createClientSession(realm, client);
         clientSession.setAuthMethod(OIDCLoginProtocol.LOGIN_PROTOCOL);
         clientSession.setNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName()));
+        clientSession.setNote(OIDCLoginProtocol.SCOPE_PARAM, scope);
 
         UserSessionModel userSession = sessions.createUserSession(realm, clientUser, clientUsername, clientConnection.getRemoteAddr(), ServiceAccountConstants.CLIENT_AUTH, false, null, null);
         event.session(userSession);
@@ -429,7 +435,7 @@ public class TokenEndpoint {
         updateUserSessionFromClientAuth(userSession);
 
         AccessTokenResponse res = tokenManager.responseBuilder(realm, client, event, session, userSession, clientSession)
-                .generateAccessToken(session, scope, client, clientUser, userSession, clientSession)
+                .generateAccessToken()
                 .generateRefreshToken()
                 .generateIDToken()
                 .build();

services/src/main/java/org/keycloak/services/managers/HttpAuthenticationChallenge.java

@@ -1,11 +0,0 @@
-package org.keycloak.services.managers;
-
-import org.keycloak.login.LoginFormsProvider;
-
-/**
- * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
- */
-public interface HttpAuthenticationChallenge {
-
-    void addChallenge(LoginFormsProvider loginFormsProvider);
-}

services/src/main/java/org/keycloak/services/offline/OfflineClientSessionAdapter.java

@@ -0,0 +1,289 @@
+package org.keycloak.services.offline;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+
+import org.codehaus.jackson.annotate.JsonProperty;
+import org.keycloak.models.ClientModel;
+import org.keycloak.models.ClientSessionModel;
+import org.keycloak.models.ModelException;
+import org.keycloak.models.OfflineClientSessionModel;
+import org.keycloak.models.OfflineUserSessionModel;
+import org.keycloak.models.RealmModel;
+import org.keycloak.models.UserModel;
+import org.keycloak.models.UserSessionModel;
+import org.keycloak.util.JsonSerialization;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class OfflineClientSessionAdapter implements ClientSessionModel {
+
+    private final OfflineClientSessionModel model;
+    private final RealmModel realm;
+    private final ClientModel client;
+    private final OfflineUserSessionAdapter userSession;
+
+    private OfflineClientSessionData data;
+
+    public OfflineClientSessionAdapter(OfflineClientSessionModel model, RealmModel realm, ClientModel client, OfflineUserSessionAdapter userSession) {
+        this.model = model;
+        this.realm = realm;
+        this.client = client;
+        this.userSession = userSession;
+    }
+
+    // lazily init representation
+    private OfflineClientSessionData getData() {
+        if (data == null) {
+            try {
+                data = JsonSerialization.readValue(model.getData(), OfflineClientSessionData.class);
+            } catch (IOException ioe) {
+                throw new ModelException(ioe);
+            }
+        }
+
+        return data;
+    }
+
+    @Override
+    public String getId() {
+        return model.getClientSessionId();
+    }
+
+    @Override
+    public RealmModel getRealm() {
+        return realm;
+    }
+
+    @Override
+    public ClientModel getClient() {
+        return client;
+    }
+
+    @Override
+    public UserSessionModel getUserSession() {
+        return userSession;
+    }
+
+    @Override
+    public void setUserSession(UserSessionModel userSession) {
+        throw new IllegalStateException("Not supported setUserSession");
+    }
+
+    @Override
+    public String getRedirectUri() {
+        return data.getRedirectUri();
+    }
+
+    @Override
+    public void setRedirectUri(String uri) {
+        throw new IllegalStateException("Not supported setRedirectUri");
+    }
+
+    @Override
+    public int getTimestamp() {
+        return 0;
+    }
+
+    @Override
+    public void setTimestamp(int timestamp) {
+        throw new IllegalStateException("Not supported setTimestamp");
+    }
+
+    @Override
+    public String getAction() {
+        return null;
+    }
+
+    @Override
+    public void setAction(String action) {
+        throw new IllegalStateException("Not supported setAction");
+    }
+
+    @Override
+    public Set<String> getRoles() {
+        return getData().getRoles();
+    }
+
+    @Override
+    public void setRoles(Set<String> roles) {
+        throw new IllegalStateException("Not supported setRoles");
+    }
+
+    @Override
+    public Set<String> getProtocolMappers() {
+        return getData().getProtocolMappers();
+    }
+
+    @Override
+    public void setProtocolMappers(Set<String> protocolMappers) {
+        throw new IllegalStateException("Not supported setProtocolMappers");
+    }
+
+    @Override
+    public Map<String, ExecutionStatus> getExecutionStatus() {
+        return getData().getAuthenticatorStatus();
+    }
+
+    @Override
+    public void setExecutionStatus(String authenticator, ExecutionStatus status) {
+        throw new IllegalStateException("Not supported setExecutionStatus");
+    }
+
+    @Override
+    public void clearExecutionStatus() {
+        throw new IllegalStateException("Not supported clearExecutionStatus");
+    }
+
+    @Override
+    public UserModel getAuthenticatedUser() {
+        return userSession.getUser();
+    }
+
+    @Override
+    public void setAuthenticatedUser(UserModel user) {
+        throw new IllegalStateException("Not supported setAuthenticatedUser");
+    }
+
+    @Override
+    public String getAuthMethod() {
+        return getData().getAuthMethod();
+    }
+
+    @Override
+    public void setAuthMethod(String method) {
+        throw new IllegalStateException("Not supported setAuthMethod");
+    }
+
+    @Override
+    public String getNote(String name) {
+        return getData().getNotes()==null ? null : getData().getNotes().get(name);
+    }
+
+    @Override
+    public void setNote(String name, String value) {
+        throw new IllegalStateException("Not supported setNote");
+    }
+
+    @Override
+    public void removeNote(String name) {
+        throw new IllegalStateException("Not supported removeNote");
+    }
+
+    @Override
+    public Map<String, String> getNotes() {
+        return getData().getNotes();
+    }
+
+    @Override
+    public Set<String> getRequiredActions() {
+        throw new IllegalStateException("Not supported getRequiredActions");
+    }
+
+    @Override
+    public void addRequiredAction(String action) {
+        throw new IllegalStateException("Not supported addRequiredAction");
+    }
+
+    @Override
+    public void removeRequiredAction(String action) {
+        throw new IllegalStateException("Not supported removeRequiredAction");
+    }
+
+    @Override
+    public void addRequiredAction(UserModel.RequiredAction action) {
+        throw new IllegalStateException("Not supported addRequiredAction");
+    }
+
+    @Override
+    public void removeRequiredAction(UserModel.RequiredAction action) {
+        throw new IllegalStateException("Not supported removeRequiredAction");
+    }
+
+    @Override
+    public void setUserSessionNote(String name, String value) {
+        throw new IllegalStateException("Not supported setUserSessionNote");
+    }
+
+    @Override
+    public Map<String, String> getUserSessionNotes() {
+        throw new IllegalStateException("Not supported getUserSessionNotes");
+    }
+
+    @Override
+    public void clearUserSessionNotes() {
+        throw new IllegalStateException("Not supported clearUserSessionNotes");
+    }
+
+    protected static class OfflineClientSessionData {
+
+        @JsonProperty("authMethod")
+        private String authMethod;
+
+        @JsonProperty("redirectUri")
+        private String redirectUri;
+
+        @JsonProperty("protocolMappers")
+        private Set<String> protocolMappers;
+
+        @JsonProperty("roles")
+        private Set<String> roles;
+
+        @JsonProperty("notes")
+        private Map<String, String> notes;
+
+        @JsonProperty("authenticatorStatus")
+        private Map<String, ClientSessionModel.ExecutionStatus> authenticatorStatus = new HashMap<>();
+
+        public String getAuthMethod() {
+            return authMethod;
+        }
+
+        public void setAuthMethod(String authMethod) {
+            this.authMethod = authMethod;
+        }
+
+        public String getRedirectUri() {
+            return redirectUri;
+        }
+
+        public void setRedirectUri(String redirectUri) {
+            this.redirectUri = redirectUri;
+        }
+
+        public Set<String> getProtocolMappers() {
+            return protocolMappers;
+        }
+
+        public void setProtocolMappers(Set<String> protocolMappers) {
+            this.protocolMappers = protocolMappers;
+        }
+
+        public Set<String> getRoles() {
+            return roles;
+        }
+
+        public void setRoles(Set<String> roles) {
+            this.roles = roles;
+        }
+
+        public Map<String, String> getNotes() {
+            return notes;
+        }
+
+        public void setNotes(Map<String, String> notes) {
+            this.notes = notes;
+        }
+
+        public Map<String, ClientSessionModel.ExecutionStatus> getAuthenticatorStatus() {
+            return authenticatorStatus;
+        }
+
+        public void setAuthenticatorStatus(Map<String, ClientSessionModel.ExecutionStatus> authenticatorStatus) {
+            this.authenticatorStatus = authenticatorStatus;
+        }
+    }
+}

services/src/main/java/org/keycloak/services/offline/OfflineUserSessionAdapter.java

@@ -0,0 +1,215 @@
+package org.keycloak.services.offline;
+
+import java.io.IOException;
+import java.util.List;
+import java.util.Map;
+
+import org.codehaus.jackson.annotate.JsonProperty;
+import org.keycloak.models.ClientSessionModel;
+import org.keycloak.models.ModelException;
+import org.keycloak.models.OfflineUserSessionModel;
+import org.keycloak.models.UserModel;
+import org.keycloak.models.UserSessionModel;
+import org.keycloak.util.JsonSerialization;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class OfflineUserSessionAdapter implements UserSessionModel {
+
+    private final OfflineUserSessionModel model;
+    private final UserModel user;
+
+    private OfflineUserSessionData data;
+
+    public OfflineUserSessionAdapter(OfflineUserSessionModel model, UserModel user) {
+        this.model = model;
+        this.user = user;
+    }
+
+    // lazily init representation
+    private OfflineUserSessionData getData() {
+        if (data == null) {
+            try {
+                data = JsonSerialization.readValue(model.getData(), OfflineUserSessionData.class);
+            } catch (IOException ioe) {
+                throw new ModelException(ioe);
+            }
+        }
+
+        return data;
+    }
+
+    @Override
+    public String getId() {
+        return model.getUserSessionId();
+    }
+
+    @Override
+    public String getBrokerSessionId() {
+        return getData().getBrokerSessionId();
+    }
+
+    @Override
+    public String getBrokerUserId() {
+        return getData().getBrokerUserId();
+    }
+
+    @Override
+    public UserModel getUser() {
+        return user;
+    }
+
+    @Override
+    public String getLoginUsername() {
+        return user.getUsername();
+    }
+
+    @Override
+    public String getIpAddress() {
+        return getData().getIpAddress();
+    }
+
+    @Override
+    public String getAuthMethod() {
+        return getData().getAuthMethod();
+    }
+
+    @Override
+    public boolean isRememberMe() {
+        return getData().isRememberMe();
+    }
+
+    @Override
+    public int getStarted() {
+        return getData().getStarted();
+    }
+
+    @Override
+    public int getLastSessionRefresh() {
+        return 0;
+    }
+
+    @Override
+    public void setLastSessionRefresh(int seconds) {
+        // Ignore
+    }
+
+    @Override
+    public List<ClientSessionModel> getClientSessions() {
+        throw new IllegalStateException("Not yet supported");
+    }
+
+    @Override
+    public String getNote(String name) {
+        return getData().getNotes()==null ? null : getData().getNotes().get(name);
+    }
+
+    @Override
+    public void setNote(String name, String value) {
+        throw new IllegalStateException("Illegal to set note offline session");
+
+    }
+
+    @Override
+    public void removeNote(String name) {
+        throw new IllegalStateException("Illegal to remove note from offline session");
+    }
+
+    @Override
+    public Map<String, String> getNotes() {
+        return getData().getNotes();
+    }
+
+    @Override
+    public State getState() {
+        return null;
+    }
+
+    @Override
+    public void setState(State state) {
+        throw new IllegalStateException("Illegal to set state on offline session");
+    }
+
+
+    protected static class OfflineUserSessionData {
+
+        @JsonProperty("brokerSessionId")
+        private String brokerSessionId;
+
+        @JsonProperty("brokerUserId")
+        private String brokerUserId;
+
+        @JsonProperty("ipAddress")
+        private String ipAddress;
+
+        @JsonProperty("authMethod")
+        private String authMethod;
+
+        @JsonProperty("rememberMe")
+        private boolean rememberMe;
+
+        @JsonProperty("started")
+        private int started;
+
+        @JsonProperty("notes")
+        private Map<String, String> notes;
+
+        public String getBrokerSessionId() {
+            return brokerSessionId;
+        }
+
+        public void setBrokerSessionId(String brokerSessionId) {
+            this.brokerSessionId = brokerSessionId;
+        }
+
+        public String getBrokerUserId() {
+            return brokerUserId;
+        }
+
+        public void setBrokerUserId(String brokerUserId) {
+            this.brokerUserId = brokerUserId;
+        }
+
+        public String getIpAddress() {
+            return ipAddress;
+        }
+
+        public void setIpAddress(String ipAddress) {
+            this.ipAddress = ipAddress;
+        }
+
+        public String getAuthMethod() {
+            return authMethod;
+        }
+
+        public void setAuthMethod(String authMethod) {
+            this.authMethod = authMethod;
+        }
+
+        public boolean isRememberMe() {
+            return rememberMe;
+        }
+
+        public void setRememberMe(boolean rememberMe) {
+            this.rememberMe = rememberMe;
+        }
+
+        public int getStarted() {
+            return started;
+        }
+
+        public void setStarted(int started) {
+            this.started = started;
+        }
+
+        public Map<String, String> getNotes() {
+            return notes;
+        }
+
+        public void setNotes(Map<String, String> notes) {
+            this.notes = notes;
+        }
+
+    }
+}

services/src/main/java/org/keycloak/services/offline/OfflineUserSessionManager.java

@@ -0,0 +1,182 @@
+package org.keycloak.services.offline;
+
+import java.io.IOException;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import org.jboss.logging.Logger;
+import org.keycloak.models.ClientModel;
+import org.keycloak.models.ClientSessionModel;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.ModelException;
+import org.keycloak.models.OfflineClientSessionModel;
+import org.keycloak.models.OfflineUserSessionModel;
+import org.keycloak.models.RealmModel;
+import org.keycloak.models.UserModel;
+import org.keycloak.models.UserSessionModel;
+import org.keycloak.util.JsonSerialization;
+
+/**
+ * TODO: Change to utils?
+ *
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class OfflineUserSessionManager {
+
+    protected static Logger logger = Logger.getLogger(OfflineUserSessionManager.class);
+
+    public void persistOfflineSession(ClientSessionModel clientSession, UserSessionModel userSession) {
+        UserModel user = userSession.getUser();
+        ClientModel client = clientSession.getClient();
+
+        // First verify if we already have offlineToken for this user+client . If yes, then invalidate it (This is to avoid leaks)
+        Collection<OfflineClientSessionModel> clientSessions = user.getOfflineClientSessions();
+        for (OfflineClientSessionModel existing : clientSessions) {
+            if (existing.getClientId().equals(client.getId())) {
+                if (logger.isTraceEnabled()) {
+                    logger.tracef("Removing existing offline token for user '%s' and client '%s' . ClientSessionID was '%s' . Offline token will be replaced with new one",
+                            user.getUsername(), client.getClientId(), existing.getClientSessionId());
+                }
+
+                user.removeOfflineClientSession(existing.getClientSessionId());
+
+                // Check if userSession is ours. If not, then check if it has other clientSessions and remove it otherwise
+                if (!existing.getUserSessionId().equals(userSession.getId())) {
+                    checkUserSessionHasClientSessions(user, existing.getUserSessionId());
+                }
+            }
+        }
+
+        // Verify if we already have UserSession with this ID. If yes, don't create another one
+        OfflineUserSessionModel userSessionRep = user.getOfflineUserSession(userSession.getId());
+        if (userSessionRep == null) {
+            createOfflineUserSession(user, userSession);
+        }
+
+        // Create clientRep and save to DB.
+        createOfflineClientSession(user, clientSession, userSession);
+    }
+
+    // userSessionId is provided from offline token. It's used just to verify if it match the ID from clientSession representation
+    public ClientSessionModel findOfflineClientSession(RealmModel realm, UserModel user, String clientSessionId, String userSessionId) {
+        OfflineClientSessionModel clientSession = user.getOfflineClientSession(clientSessionId);
+        if (clientSession == null) {
+            return null;
+        }
+
+        if (!userSessionId.equals(clientSession.getUserSessionId())) {
+            throw new ModelException("User session don't match. Offline client session " + clientSession.getClientSessionId() + ", It's user session " + clientSession.getUserSessionId() +
+                    "  Wanted user session: " + userSessionId);
+        }
+
+        OfflineUserSessionModel userSession = user.getOfflineUserSession(userSessionId);
+        if (userSession == null) {
+            throw new ModelException("Found clientSession " + clientSessionId + " but not userSession " + userSessionId);
+        }
+
+        OfflineUserSessionAdapter userSessionAdapter = new OfflineUserSessionAdapter(userSession, user);
+
+        ClientModel client = realm.getClientById(clientSession.getClientId());
+        OfflineClientSessionAdapter clientSessionAdapter = new OfflineClientSessionAdapter(clientSession, realm, client, userSessionAdapter);
+
+        return clientSessionAdapter;
+    }
+
+    public Set<ClientModel> findClientsWithOfflineToken(RealmModel realm, UserModel user) {
+        Collection<OfflineClientSessionModel> clientSessions = user.getOfflineClientSessions();
+        Set<ClientModel> clients = new HashSet<>();
+        for (OfflineClientSessionModel clientSession : clientSessions) {
+            ClientModel client = realm.getClientById(clientSession.getClientId());
+            clients.add(client);
+        }
+        return clients;
+    }
+
+    public boolean revokeOfflineToken(UserModel user, ClientModel client) {
+        Collection<OfflineClientSessionModel> clientSessions = user.getOfflineClientSessions();
+        boolean anyRemoved = false;
+        for (OfflineClientSessionModel clientSession : clientSessions) {
+            if (clientSession.getClientId().equals(client.getId())) {
+                if (logger.isTraceEnabled()) {
+                    logger.tracef("Removing existing offline token for user '%s' and client '%s' . ClientSessionID was '%s' .",
+                            user.getUsername(), client.getClientId(), clientSession.getClientSessionId());
+                }
+
+                user.removeOfflineClientSession(clientSession.getClientSessionId());
+                checkUserSessionHasClientSessions(user, clientSession.getUserSessionId());
+                anyRemoved = true;
+            }
+        }
+
+        return anyRemoved;
+    }
+
+    private void createOfflineUserSession(UserModel user, UserSessionModel userSession) {
+        if (logger.isTraceEnabled()) {
+            logger.tracef("Creating new offline user session. UserSessionID: '%s' , Username: '%s'", userSession.getId(), user.getUsername());
+        }
+        OfflineUserSessionAdapter.OfflineUserSessionData rep = new OfflineUserSessionAdapter.OfflineUserSessionData();
+        rep.setBrokerUserId(userSession.getBrokerUserId());
+        rep.setBrokerSessionId(userSession.getBrokerSessionId());
+        rep.setIpAddress(userSession.getIpAddress());
+        rep.setAuthMethod(userSession.getAuthMethod());
+        rep.setRememberMe(userSession.isRememberMe());
+        rep.setStarted(userSession.getStarted());
+        rep.setNotes(userSession.getNotes());
+
+        try {
+            String stringRep = JsonSerialization.writeValueAsString(rep);
+            OfflineUserSessionModel sessionModel = new OfflineUserSessionModel();
+            sessionModel.setUserSessionId(userSession.getId());
+            sessionModel.setData(stringRep);
+            user.addOfflineUserSession(sessionModel);
+        } catch (IOException ioe) {
+            throw new ModelException(ioe);
+        }
+    }
+
+    private void createOfflineClientSession(UserModel user, ClientSessionModel clientSession, UserSessionModel userSession) {
+        if (logger.isTraceEnabled()) {
+            logger.tracef("Creating new offline token client session. ClientSessionId: '%s', UserSessionID: '%s' , Username: '%s', Client: '%s'" ,
+                    clientSession.getId(), userSession.getId(), user.getUsername(), clientSession.getClient().getClientId());
+        }
+        OfflineClientSessionAdapter.OfflineClientSessionData rep = new OfflineClientSessionAdapter.OfflineClientSessionData();
+        rep.setAuthMethod(clientSession.getAuthMethod());
+        rep.setRedirectUri(clientSession.getRedirectUri());
+        rep.setProtocolMappers(clientSession.getProtocolMappers());
+        rep.setRoles(clientSession.getRoles());
+        rep.setNotes(clientSession.getNotes());
+        rep.setAuthenticatorStatus(clientSession.getExecutionStatus());
+
+        try {
+            String stringRep = JsonSerialization.writeValueAsString(rep);
+            OfflineClientSessionModel clsModel = new OfflineClientSessionModel();
+            clsModel.setClientSessionId(clientSession.getId());
+            clsModel.setClientId(clientSession.getClient().getId());
+            clsModel.setUserSessionId(userSession.getId());
+            clsModel.setData(stringRep);
+            user.addOfflineClientSession(clsModel);
+        } catch (IOException ioe) {
+            throw new ModelException(ioe);
+        }
+    }
+
+    // Check if userSession has any offline clientSessions attached to it. Remove userSession if not
+    private void checkUserSessionHasClientSessions(UserModel user, String userSessionId) {
+        Collection<OfflineClientSessionModel> clientSessions = user.getOfflineClientSessions();
+
+        for (OfflineClientSessionModel clientSession : clientSessions) {
+            if (clientSession.getUserSessionId().equals(userSessionId)) {
+                return;
+            }
+        }
+
+        if (logger.isTraceEnabled()) {
+            logger.tracef("Removing offline userSession for user %s as it doesn't have any client sessions attached. UserSessionID: %s", user.getUsername(), userSessionId);
+        }
+        user.removeOfflineUserSession(userSessionId);
+    }
+}

services/src/main/java/org/keycloak/services/resources/AccountService.java

@@ -58,6 +58,7 @@ import org.keycloak.services.managers.Auth;
 import org.keycloak.services.managers.AuthenticationManager;
 import org.keycloak.services.managers.ClientSessionCode;
 import org.keycloak.services.messages.Messages;
+import org.keycloak.services.offline.OfflineUserSessionManager;
 import org.keycloak.services.util.ResolveRelative;
 import org.keycloak.services.validation.Validation;
 import org.keycloak.util.UriUtils;
@@ -486,6 +487,7 @@ public class AccountService extends AbstractSecuredLocalService {
         // Revoke grant in UserModel
         UserModel user = auth.getUser();
         user.revokeConsentForClient(client.getId());
+        new OfflineUserSessionManager().revokeOfflineToken(user, client);
 
         // Logout clientSessions for this user and client
         AuthenticationManager.backchannelUserFromClient(session, realm, user, client, uriInfo, headers);

testsuite/integration/src/test/java/org/keycloak/testsuite/AssertEvents.java

@@ -30,6 +30,7 @@ import org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint;
 import org.keycloak.representations.idm.UserRepresentation;
 import org.keycloak.services.managers.RealmManager;
 import org.keycloak.testsuite.rule.KeycloakRule;
+import org.keycloak.util.RefreshTokenUtil;
 
 import java.util.HashMap;
 import java.util.HashSet;
@@ -156,6 +157,7 @@ public class AssertEvents implements TestRule, EventListenerProviderFactory {
                 .detail(Details.CODE_ID, codeId)
                 .detail(Details.TOKEN_ID, isUUID())
                 .detail(Details.REFRESH_TOKEN_ID, isUUID())
+                .detail(Details.REFRESH_TOKEN_TYPE, RefreshTokenUtil.TOKEN_TYPE_REFRESH)
                 .detail(Details.CLIENT_AUTH_METHOD, ClientIdAndSecretAuthenticator.PROVIDER_ID)
                 .session(sessionId);
     }
@@ -164,6 +166,7 @@ public class AssertEvents implements TestRule, EventListenerProviderFactory {
         return expect(EventType.REFRESH_TOKEN)
                 .detail(Details.TOKEN_ID, isUUID())
                 .detail(Details.REFRESH_TOKEN_ID, refreshTokenId)
+                .detail(Details.REFRESH_TOKEN_TYPE, RefreshTokenUtil.TOKEN_TYPE_REFRESH)
                 .detail(Details.UPDATED_REFRESH_TOKEN_ID, isUUID())
                 .detail(Details.CLIENT_AUTH_METHOD, ClientIdAndSecretAuthenticator.PROVIDER_ID)
                 .session(sessionId);

testsuite/integration/src/test/java/org/keycloak/testsuite/OAuthClient.java

@@ -76,6 +76,8 @@ public class OAuthClient {
 
     private String state = "mystate";
 
+    private String scope;
+
     private String uiLocales = null;
 
     private PublicKey realmPublicKey;
@@ -192,6 +194,9 @@ public class OAuthClient {
             if (clientSessionHost != null) {
                 parameters.add(new BasicNameValuePair(AdapterConstants.CLIENT_SESSION_HOST, clientSessionHost));
             }
+            if (scope != null) {
+                parameters.add(new BasicNameValuePair(OAuth2Constants.SCOPE, scope));
+            }
 
             UrlEncodedFormEntity formEntity;
             try {
@@ -218,6 +223,10 @@ public class OAuthClient {
             List<NameValuePair> parameters = new LinkedList<NameValuePair>();
             parameters.add(new BasicNameValuePair(OAuth2Constants.GRANT_TYPE, OAuth2Constants.CLIENT_CREDENTIALS));
 
+            if (scope != null) {
+                parameters.add(new BasicNameValuePair(OAuth2Constants.SCOPE, scope));
+            }
+
             UrlEncodedFormEntity formEntity;
             try {
                 formEntity = new UrlEncodedFormEntity(parameters, "UTF-8");
@@ -390,6 +399,9 @@ public class OAuthClient {
         if(uiLocales != null){
             b.queryParam(LocaleHelper.UI_LOCALES_PARAM, uiLocales);
         }
+        if (scope != null) {
+            b.queryParam(OAuth2Constants.SCOPE, scope);
+        }
         return b.build(realm).toString();
     }
 
@@ -452,6 +464,11 @@ public class OAuthClient {
         return this;
     }
 
+    public OAuthClient scope(String scope) {
+        this.scope = scope;
+        return this;
+    }
+
     public OAuthClient uiLocales(String uiLocales){
         this.uiLocales = uiLocales;
         return this;

testsuite/integration/src/test/java/org/keycloak/testsuite/account/AccountTest.java

@@ -646,7 +646,7 @@ public class AccountTest {
         }
     }
 
-    // More tests (including revoke) are in OAuthGrantTest
+    // More tests (including revoke) are in OAuthGrantTest and OfflineTokenTest
     @Test
     public void applications() {
         applicationsPage.open();

testsuite/integration/src/test/java/org/keycloak/testsuite/actions/RequiredActionMultipleActionsTest.java

@@ -33,11 +33,8 @@ import org.keycloak.models.UserModel.RequiredAction;
 import org.keycloak.services.managers.RealmManager;
 import org.keycloak.testsuite.AssertEvents;
 import org.keycloak.testsuite.OAuthClient;
-import org.keycloak.testsuite.pages.AppPage;
+import org.keycloak.testsuite.pages.*;
 import org.keycloak.testsuite.pages.AppPage.RequestType;
-import org.keycloak.testsuite.pages.LoginPage;
-import org.keycloak.testsuite.pages.LoginPasswordUpdatePage;
-import org.keycloak.testsuite.pages.LoginUpdateProfilePage;
 import org.keycloak.testsuite.rule.KeycloakRule;
 import org.keycloak.testsuite.rule.KeycloakRule.KeycloakSetup;
 import org.keycloak.testsuite.rule.WebResource;
@@ -83,7 +80,7 @@ public class RequiredActionMultipleActionsTest {
     protected LoginPasswordUpdatePage changePasswordPage;
 
     @WebResource
-    protected LoginUpdateProfilePage updateProfilePage;
+    protected LoginUpdateProfileEditUsernameAllowedPage updateProfilePage;
 
     @Test
     public void updateProfileAndPassword() throws Exception {
@@ -121,7 +118,7 @@ public class RequiredActionMultipleActionsTest {
     }
 
     public String updateProfile(String sessionId) {
-        updateProfilePage.update("New first", "New last", "new@email.com");
+        updateProfilePage.update("New first", "New last", "new@email.com", "test-user@localhost");
 
         AssertEvents.ExpectedEvent expectedEvent = events.expectRequiredAction(EventType.UPDATE_EMAIL).detail(Details.PREVIOUS_EMAIL, "test-user@localhost").detail(Details.UPDATED_EMAIL, "new@email.com");
         if (sessionId != null) {

testsuite/integration/src/test/java/org/keycloak/testsuite/actions/RequiredActionUpdateProfileTest.java

@@ -21,11 +21,7 @@
  */
 package org.keycloak.testsuite.actions;
 
-import org.junit.Assert;
+import org.junit.*;
-import org.junit.Before;
-import org.junit.ClassRule;
-import org.junit.Rule;
-import org.junit.Test;
 import org.keycloak.events.Details;
 import org.keycloak.events.EventType;
 import org.keycloak.models.RealmModel;
@@ -36,7 +32,7 @@ import org.keycloak.testsuite.AssertEvents;
 import org.keycloak.testsuite.pages.AppPage;
 import org.keycloak.testsuite.pages.AppPage.RequestType;
 import org.keycloak.testsuite.pages.LoginPage;
-import org.keycloak.testsuite.pages.LoginUpdateProfilePage;
+import org.keycloak.testsuite.pages.LoginUpdateProfileEditUsernameAllowedPage;
 import org.keycloak.testsuite.rule.KeycloakRule;
 import org.keycloak.testsuite.rule.WebResource;
 import org.keycloak.testsuite.rule.WebRule;
@@ -66,7 +62,7 @@ public class RequiredActionUpdateProfileTest {
     protected LoginPage loginPage;
 
     @WebResource
-    protected LoginUpdateProfilePage updateProfilePage;
+    protected LoginUpdateProfileEditUsernameAllowedPage updateProfilePage;
 
     @Before
     public void before() {
@@ -75,6 +71,8 @@ public class RequiredActionUpdateProfileTest {
             public void config(RealmManager manager, RealmModel defaultRealm, RealmModel appRealm) {
                 UserModel user = manager.getSession().users().getUserByUsername("test-user@localhost", appRealm);
                 user.addRequiredAction(UserModel.RequiredAction.UPDATE_PROFILE);
+                UserModel anotherUser = manager.getSession().users().getUserByEmail("john-doh@localhost", appRealm);
+                anotherUser.addRequiredAction(UserModel.RequiredAction.UPDATE_PROFILE);
             }
         });
     }
@@ -87,7 +85,7 @@ public class RequiredActionUpdateProfileTest {
 
         updateProfilePage.assertCurrent();
 
-        updateProfilePage.update("New first", "New last", "new@email.com");
+        updateProfilePage.update("New first", "New last", "new@email.com", "test-user@localhost");
 
         String sessionId = events.expectRequiredAction(EventType.UPDATE_EMAIL).detail(Details.PREVIOUS_EMAIL, "test-user@localhost").detail(Details.UPDATED_EMAIL, "new@email.com").assertEvent().getSessionId();
         events.expectRequiredAction(EventType.UPDATE_PROFILE).session(sessionId).assertEvent();
@@ -101,6 +99,41 @@ public class RequiredActionUpdateProfileTest {
         Assert.assertEquals("New first", user.getFirstName());
         Assert.assertEquals("New last", user.getLastName());
         Assert.assertEquals("new@email.com", user.getEmail());
+        Assert.assertEquals("test-user@localhost", user.getUsername());
+    }
+
+    @Test
+    public void updateUsername() {
+        loginPage.open();
+
+        loginPage.login("john-doh@localhost", "password");
+
+        String userId = keycloakRule.getUser("test", "john-doh@localhost").getId();
+
+        updateProfilePage.assertCurrent();
+
+        updateProfilePage.update("New first", "New last", "john-doh@localhost", "new");
+
+        String sessionId = events
+                .expectLogin()
+                .event(EventType.UPDATE_PROFILE)
+                .detail(Details.USERNAME, "john-doh@localhost")
+                .user(userId)
+                .session(AssertEvents.isUUID())
+                .removeDetail(Details.CONSENT)
+                .assertEvent()
+                .getSessionId();
+
+        Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());
+
+        events.expectLogin().detail(Details.USERNAME, "john-doh@localhost").user(userId).session(sessionId).assertEvent();
+
+        // assert user is really updated in persistent store
+        UserRepresentation user = keycloakRule.getUser("test", "new");
+        Assert.assertEquals("New first", user.getFirstName());
+        Assert.assertEquals("New last", user.getLastName());
+        Assert.assertEquals("john-doh@localhost", user.getEmail());
+        Assert.assertEquals("new", user.getUsername());
     }
 
     @Test
@@ -111,7 +144,7 @@ public class RequiredActionUpdateProfileTest {
 
         updateProfilePage.assertCurrent();
 
-        updateProfilePage.update("", "New last", "new@email.com");
+        updateProfilePage.update("", "New last", "new@email.com", "new");
 
         updateProfilePage.assertCurrent();
 
@@ -133,7 +166,7 @@ public class RequiredActionUpdateProfileTest {
 
         updateProfilePage.assertCurrent();
 
-        updateProfilePage.update("New first", "", "new@email.com");
+        updateProfilePage.update("New first", "", "new@email.com", "new");
 
         updateProfilePage.assertCurrent();
 
@@ -155,7 +188,7 @@ public class RequiredActionUpdateProfileTest {
 
         updateProfilePage.assertCurrent();
 
-        updateProfilePage.update("New first", "New last", "");
+        updateProfilePage.update("New first", "New last", "", "new");
 
         updateProfilePage.assertCurrent();
 
@@ -177,7 +210,7 @@ public class RequiredActionUpdateProfileTest {
 
         updateProfilePage.assertCurrent();
 
-        updateProfilePage.update("New first", "New last", "invalidemail");
+        updateProfilePage.update("New first", "New last", "invalidemail", "invalid");
 
         updateProfilePage.assertCurrent();
 
@@ -191,6 +224,52 @@ public class RequiredActionUpdateProfileTest {
         events.assertEmpty();
     }
 
+    @Test
+    public void updateProfileMissingUsername() {
+        loginPage.open();
+
+        loginPage.login("john-doh@localhost", "password");
+
+        updateProfilePage.assertCurrent();
+
+        updateProfilePage.update("New first", "New last", "new@email.com", "");
+
+        updateProfilePage.assertCurrent();
+
+        // assert that form holds submitted values during validation error
+        Assert.assertEquals("New first", updateProfilePage.getFirstName());
+        Assert.assertEquals("New last", updateProfilePage.getLastName());
+        Assert.assertEquals("new@email.com", updateProfilePage.getEmail());
+        Assert.assertEquals("", updateProfilePage.getUsername());
+
+        Assert.assertEquals("Please specify username.", updateProfilePage.getError());
+
+        events.assertEmpty();
+    }
+
+    @Test
+    public void updateProfileDuplicateUsername() {
+        loginPage.open();
+
+        loginPage.login("john-doh@localhost", "password");
+
+        updateProfilePage.assertCurrent();
+
+        updateProfilePage.update("New first", "New last", "new@email.com", "test-user@localhost");
+
+        updateProfilePage.assertCurrent();
+
+        // assert that form holds submitted values during validation error
+        Assert.assertEquals("New first", updateProfilePage.getFirstName());
+        Assert.assertEquals("New last", updateProfilePage.getLastName());
+        Assert.assertEquals("new@email.com", updateProfilePage.getEmail());
+        Assert.assertEquals("test-user@localhost", updateProfilePage.getUsername());
+
+        Assert.assertEquals("Username already exists.", updateProfilePage.getError());
+
+        events.assertEmpty();
+    }
+
     @Test
     public void updateProfileDuplicatedEmail() {
         loginPage.open();
@@ -199,7 +278,7 @@ public class RequiredActionUpdateProfileTest {
 
         updateProfilePage.assertCurrent();
 
-        updateProfilePage.update("New first", "New last", "keycloak-user@localhost");
+        updateProfilePage.update("New first", "New last", "keycloak-user@localhost", "test-user@localhost");
 
         updateProfilePage.assertCurrent();
 

testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractIdentityProviderTest.java

@@ -17,7 +17,6 @@
  */
 package org.keycloak.testsuite.broker;
 
-import org.codehaus.jackson.map.ObjectMapper;
 import org.junit.After;
 import org.junit.Assert;
 import org.junit.Before;

testsuite/integration/src/test/java/org/keycloak/testsuite/federation/LDAPTestConfiguration.java

@@ -20,6 +20,7 @@ public class LDAPTestConfiguration {
     private static final Logger log = Logger.getLogger(LDAPTestConfiguration.class);
 
     private String connectionPropertiesLocation;
+    private int sleepTime;
     private boolean startEmbeddedLdapLerver = true;
     private Map<String, String> config;
 
@@ -109,6 +110,7 @@ public class LDAPTestConfiguration {
         }
 
         startEmbeddedLdapLerver = Boolean.parseBoolean(p.getProperty("idm.test.ldap.start.embedded.ldap.server", "true"));
+        sleepTime = Integer.parseInt(p.getProperty("idm.test.ldap.sleepTime", "1000"));
         log.info("Start embedded server: " + startEmbeddedLdapLerver);
         log.info("Read config: " + config);
     }
@@ -125,4 +127,8 @@ public class LDAPTestConfiguration {
         return startEmbeddedLdapLerver;
     }
 
+    public int getSleepTime() {
+        return sleepTime;
+    }
+
 }

testsuite/integration/src/test/java/org/keycloak/testsuite/federation/SyncProvidersTest.java

@@ -56,7 +56,6 @@ public class SyncProvidersTest {
             Map<String,String> ldapConfig = ldapRule.getConfig();
             ldapConfig.put(LDAPConstants.SYNC_REGISTRATIONS, "false");
             ldapConfig.put(LDAPConstants.EDIT_MODE, UserFederationProvider.EditMode.WRITABLE.toString());
-
             ldapModel = appRealm.addUserFederationProvider(LDAPFederationProviderFactory.PROVIDER_NAME, ldapConfig, 0, "test-ldap",
                     -1, -1, 0);
 
@@ -91,7 +90,7 @@ public class SyncProvidersTest {
         UsersSyncManager usersSyncManager = new UsersSyncManager();
 
         // wait a bit
-        sleep(1000);
+        sleep(ldapRule.getSleepTime());
 
         KeycloakSession session = keycloakRule.startSession();
         try {
@@ -125,7 +124,7 @@ public class SyncProvidersTest {
             }
 
             // wait a bit
-            sleep(1000);
+            sleep(ldapRule.getSleepTime());
 
             // Add user to LDAP and update 'user5' in LDAP
             LDAPFederationProvider ldapFedProvider = FederationTestUtils.getLdapProvider(session, ldapModel);
@@ -391,9 +390,9 @@ public class SyncProvidersTest {
     }
 
     private void assertSyncEquals(UserFederationSyncResult syncResult, int expectedAdded, int expectedUpdated, int expectedRemoved, int expectedFailed) {
-        Assert.assertEquals(syncResult.getAdded(), expectedAdded);
+        Assert.assertEquals(expectedAdded, syncResult.getAdded());
-        Assert.assertEquals(syncResult.getUpdated(), expectedUpdated);
+        Assert.assertEquals(expectedUpdated, syncResult.getUpdated());
-        Assert.assertEquals(syncResult.getRemoved(), expectedRemoved);
+        Assert.assertEquals(expectedRemoved, syncResult.getRemoved());
-        Assert.assertEquals(syncResult.getFailed(), expectedFailed);
+        Assert.assertEquals(expectedFailed, syncResult.getFailed());
     }
 }

testsuite/integration/src/test/java/org/keycloak/testsuite/model/CacheTest.java

@@ -1,6 +1,7 @@
 package org.keycloak.testsuite.model;
 
 import java.util.List;
+import java.util.Set;
 
 import org.junit.Assert;
 import org.junit.ClassRule;
@@ -89,4 +90,51 @@ public class CacheTest {
         }
     }
 
+    // KEYCLOAK-1842
+    @Test
+    public void testRoleMappingsInvalidatedWhenClientRemoved() {
+        KeycloakSession session = kc.startSession();
+        try {
+            RealmModel realm = session.realms().getRealmByName("test");
+            UserModel user = session.users().addUser(realm, "joel");
+            ClientModel client = realm.addClient("foo");
+            RoleModel fooRole = client.addRole("foo-role");
+            user.grantRole(fooRole);
+        } finally {
+            session.getTransaction().commit();
+            session.close();
+        }
+
+        // Remove client
+        session = kc.startSession();
+        int grantedRolesCount;
+        try {
+            RealmModel realm = session.realms().getRealmByName("test");
+            UserModel user = session.users().getUserByUsername("joel", realm);
+            grantedRolesCount = user.getRoleMappings().size();
+
+            ClientModel client = realm.getClientByClientId("foo");
+            realm.removeClient(client.getId());
+        } finally {
+            session.getTransaction().commit();
+            session.close();
+        }
+
+        // Assert role mappings was removed from user as well
+        session = kc.startSession();
+        try {
+            RealmModel realm = session.realms().getRealmByName("test");
+            UserModel user = session.users().getUserByUsername("joel", realm);
+            Set<RoleModel> roles = user.getRoleMappings();
+            for (RoleModel role : roles) {
+                Assert.assertNotNull(role.getContainer());
+            }
+
+            Assert.assertEquals(roles.size(), grantedRolesCount - 1);
+        } finally {
+            session.getTransaction().commit();
+            session.close();
+        }
+    }
+
 }

testsuite/integration/src/test/java/org/keycloak/testsuite/model/ImportTest.java

@@ -326,6 +326,8 @@ public class ImportTest extends AbstractModelTest {
         // Test service accounts
         Assert.assertFalse(application.isServiceAccountsEnabled());
         Assert.assertTrue(otherApp.isServiceAccountsEnabled());
+        Assert.assertFalse(application.isOfflineTokensEnabled());
+        Assert.assertTrue(otherApp.isOfflineTokensEnabled());
         Assert.assertNull(session.users().getUserByServiceAccountClient(application));
         UserModel linked = session.users().getUserByServiceAccountClient(otherApp);
         Assert.assertNotNull(linked);

testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserModelTest.java

@@ -4,6 +4,8 @@ import org.junit.Assert;
 import org.junit.Test;
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.OfflineClientSessionModel;
+import org.keycloak.models.OfflineUserSessionModel;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.models.UserModel.RequiredAction;
@@ -283,6 +285,59 @@ public class UserModelTest extends AbstractModelTest {
         Assert.assertNull(session.users().getUserByUsername("user1", realm));
     }
 
+    @Test
+    public void testOfflineSessionsRemoved() {
+        RealmModel realm = realmManager.createRealm("original");
+        ClientModel fooClient = realm.addClient("foo");
+        ClientModel barClient = realm.addClient("bar");
+
+        UserModel user1 = session.users().addUser(realm, "user1");
+        addOfflineUserSession(user1, "123", "something1");
+        addOfflineClientSession(user1, "456", "123", fooClient.getId(), "something2");
+        addOfflineClientSession(user1, "789", "123", barClient.getId(), "something3");
+
+        commit();
+
+        realm = realmManager.getRealmByName("original");
+        realm.removeClient(barClient.getId());
+
+        commit();
+
+        realm = realmManager.getRealmByName("original");
+        user1 = session.users().getUserByUsername("user1", realm);
+        Assert.assertEquals("something1", user1.getOfflineUserSession("123").getData());
+        Assert.assertEquals("something2", user1.getOfflineClientSession("456").getData());
+        Assert.assertNull(user1.getOfflineClientSession("789"));
+
+        realm.removeClient(fooClient.getId());
+
+        commit();
+
+        realm = realmManager.getRealmByName("original");
+        user1 = session.users().getUserByUsername("user1", realm);
+        Assert.assertNull(user1.getOfflineClientSession("456"));
+        Assert.assertNull(user1.getOfflineClientSession("789"));
+        Assert.assertNull(user1.getOfflineUserSession("123"));
+        Assert.assertEquals(0, user1.getOfflineUserSessions().size());
+        Assert.assertEquals(0, user1.getOfflineClientSessions().size());
+    }
+
+    private void addOfflineUserSession(UserModel user, String userSessionId, String data) {
+        OfflineUserSessionModel model = new OfflineUserSessionModel();
+        model.setUserSessionId(userSessionId);
+        model.setData(data);
+        user.addOfflineUserSession(model);
+    }
+
+    private void addOfflineClientSession(UserModel user, String clientSessionId, String userSessionId, String clientId, String data) {
+        OfflineClientSessionModel model = new OfflineClientSessionModel();
+        model.setClientSessionId(clientSessionId);
+        model.setUserSessionId(userSessionId);
+        model.setClientId(clientId);
+        model.setData(data);
+        user.addOfflineClientSession(model);
+    }
+
     public static void assertEquals(UserModel expected, UserModel actual) {
         Assert.assertEquals(expected.getUsername(), actual.getUsername());
         Assert.assertEquals(expected.getCreatedTimestamp(), actual.getCreatedTimestamp());

testsuite/integration/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java

@@ -180,7 +180,11 @@ public class AccessTokenTest {
         Assert.assertEquals("invalid_grant", response.getError());
         Assert.assertEquals("Incorrect redirect_uri", response.getErrorDescription());
 
-        events.expectCodeToToken(codeId, loginEvent.getSessionId()).error("invalid_code").removeDetail(Details.TOKEN_ID).removeDetail(Details.REFRESH_TOKEN_ID).assertEvent();
+        events.expectCodeToToken(codeId, loginEvent.getSessionId()).error("invalid_code")
+                .removeDetail(Details.TOKEN_ID)
+                .removeDetail(Details.REFRESH_TOKEN_ID)
+                .removeDetail(Details.REFRESH_TOKEN_TYPE)
+                .assertEvent();
     }
 
     @Test
@@ -201,7 +205,13 @@ public class AccessTokenTest {
         assertNull(tokenResponse.getAccessToken());
         assertNull(tokenResponse.getRefreshToken());
 
-        events.expectCodeToToken(codeId, sessionId).removeDetail(Details.TOKEN_ID).user((String) null).session((String) null).removeDetail(Details.REFRESH_TOKEN_ID).error(Errors.INVALID_CODE).assertEvent();
+        events.expectCodeToToken(codeId, sessionId)
+                .removeDetail(Details.TOKEN_ID)
+                .user((String) null)
+                .session((String) null)
+                .removeDetail(Details.REFRESH_TOKEN_ID)
+                .removeDetail(Details.REFRESH_TOKEN_TYPE)
+                .error(Errors.INVALID_CODE).assertEvent();
 
         events.clear();
     }
@@ -230,7 +240,11 @@ public class AccessTokenTest {
         Assert.assertEquals(400, response.getStatusCode());
 
         AssertEvents.ExpectedEvent expectedEvent = events.expectCodeToToken(codeId, null);
-        expectedEvent.error("invalid_code").removeDetail(Details.TOKEN_ID).removeDetail(Details.REFRESH_TOKEN_ID).user((String) null);
+        expectedEvent.error("invalid_code")
+                .removeDetail(Details.TOKEN_ID)
+                .removeDetail(Details.REFRESH_TOKEN_ID)
+                .removeDetail(Details.REFRESH_TOKEN_TYPE)
+                .user((String) null);
         expectedEvent.assertEvent();
 
         events.clear();
@@ -264,7 +278,11 @@ public class AccessTokenTest {
         Assert.assertEquals(400, response.getStatusCode());
 
         AssertEvents.ExpectedEvent expectedEvent = events.expectCodeToToken(codeId, null);
-        expectedEvent.error("invalid_code").removeDetail(Details.TOKEN_ID).removeDetail(Details.REFRESH_TOKEN_ID).user((String) null);
+        expectedEvent.error("invalid_code")
+                .removeDetail(Details.TOKEN_ID)
+                .removeDetail(Details.REFRESH_TOKEN_ID)
+                .removeDetail(Details.REFRESH_TOKEN_TYPE)
+                .user((String) null);
         expectedEvent.assertEvent();
 
         events.clear();

testsuite/integration/src/test/java/org/keycloak/testsuite/oauth/OfflineTokenTest.java

@@ -0,0 +1,441 @@
+package org.keycloak.testsuite.oauth;
+
+import java.io.IOException;
+import java.net.URL;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.List;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.ws.rs.core.UriBuilder;
+
+import org.junit.Assert;
+import org.junit.ClassRule;
+import org.junit.Rule;
+import org.junit.Test;
+import org.keycloak.KeycloakSecurityContext;
+import org.keycloak.OAuth2Constants;
+import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
+import org.keycloak.constants.ServiceAccountConstants;
+import org.keycloak.events.Details;
+import org.keycloak.events.Errors;
+import org.keycloak.events.Event;
+import org.keycloak.events.EventType;
+import org.keycloak.jose.jws.JWSInput;
+import org.keycloak.models.ClientModel;
+import org.keycloak.models.RealmModel;
+import org.keycloak.models.RoleModel;
+import org.keycloak.models.UserModel;
+import org.keycloak.representations.AccessToken;
+import org.keycloak.representations.RefreshToken;
+import org.keycloak.services.managers.ClientManager;
+import org.keycloak.services.managers.RealmManager;
+import org.keycloak.testsuite.AssertEvents;
+import org.keycloak.testsuite.OAuthClient;
+import org.keycloak.testsuite.pages.AccountApplicationsPage;
+import org.keycloak.testsuite.pages.LoginPage;
+import org.keycloak.testsuite.rule.KeycloakRule;
+import org.keycloak.testsuite.rule.WebResource;
+import org.keycloak.testsuite.rule.WebRule;
+import org.keycloak.util.JsonSerialization;
+import org.keycloak.util.RefreshTokenUtil;
+import org.keycloak.util.Time;
+import org.keycloak.util.UriUtils;
+import org.openqa.selenium.WebDriver;
+
+import static org.junit.Assert.assertEquals;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class OfflineTokenTest {
+
+    @ClassRule
+    public static KeycloakRule keycloakRule = new KeycloakRule(new KeycloakRule.KeycloakSetup() {
+
+        @Override
+        public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
+            // For testing
+            appRealm.setAccessTokenLifespan(10);
+            appRealm.setSsoSessionIdleTimeout(30);
+
+            ClientModel app = new ClientManager(manager).createClient(appRealm, "offline-client");
+            app.setSecret("secret1");
+            String testAppRedirectUri = appRealm.getClientByClientId("test-app").getRedirectUris().iterator().next();
+            offlineClientAppUri = UriUtils.getOrigin(testAppRedirectUri) + "/offline-client";
+            app.setRedirectUris(new HashSet<>(Arrays.asList(offlineClientAppUri)));
+            app.setManagementUrl(offlineClientAppUri);
+
+            new ClientManager(manager).enableServiceAccount(app);
+            UserModel serviceAccountUser = manager.getSession().users().getUserByUsername(ServiceAccountConstants.SERVICE_ACCOUNT_USER_PREFIX + "offline-client", appRealm);
+            RoleModel customerUserRole = appRealm.getClientByClientId("test-app").getRole("customer-user");
+            serviceAccountUser.grantRole(customerUserRole);
+
+            app.setOfflineTokensEnabled(true);
+            userId = manager.getSession().users().getUserByUsername("test-user@localhost", appRealm).getId();
+
+            URL url = getClass().getResource("/oidc/offline-client-keycloak.json");
+            keycloakRule.createApplicationDeployment()
+                    .name("offline-client").contextPath("/offline-client")
+                    .servletClass(OfflineTokenServlet.class).adapterConfigPath(url.getPath())
+                    .role("user").deployApplication();
+        }
+
+    });
+
+    private static String userId;
+    private static String offlineClientAppUri;
+
+    @Rule
+    public WebRule webRule = new WebRule(this);
+
+    @WebResource
+    protected WebDriver driver;
+
+    @WebResource
+    protected OAuthClient oauth;
+
+    @WebResource
+    protected LoginPage loginPage;
+
+    @WebResource
+    protected AccountApplicationsPage accountAppPage;
+
+    @Rule
+    public AssertEvents events = new AssertEvents(keycloakRule);
+
+
+//    @Test
+//    public void testSleep() throws Exception {
+//        Thread.sleep(9999000);
+//    }
+
+    @Test
+    public void offlineTokenDisabledForClient() throws Exception {
+        oauth.scope(OAuth2Constants.OFFLINE_ACCESS);
+        oauth.doLogin("test-user@localhost", "password");
+
+        Event loginEvent = events.expectLogin().assertEvent();
+
+        String sessionId = loginEvent.getSessionId();
+        String codeId = loginEvent.getDetails().get(Details.CODE_ID);
+
+        String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
+
+        OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "password");
+
+        assertEquals(400, tokenResponse.getStatusCode());
+        assertEquals("invalid_client", tokenResponse.getError());
+
+        events.expectCodeToToken(codeId, sessionId)
+                .error("invalid_client")
+                .clearDetails()
+                .assertEvent();
+    }
+
+    @Test
+    public void offlineTokenBrowserFlow() throws Exception {
+        oauth.scope(OAuth2Constants.OFFLINE_ACCESS);
+        oauth.clientId("offline-client");
+        oauth.redirectUri(offlineClientAppUri);
+        oauth.doLogin("test-user@localhost", "password");
+
+        Event loginEvent = events.expectLogin()
+                .client("offline-client")
+                .detail(Details.REDIRECT_URI, offlineClientAppUri)
+                .assertEvent();
+
+        final String sessionId = loginEvent.getSessionId();
+        String codeId = loginEvent.getDetails().get(Details.CODE_ID);
+
+        String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
+
+        OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "secret1");
+        AccessToken token = oauth.verifyToken(tokenResponse.getAccessToken());
+        String offlineTokenString = tokenResponse.getRefreshToken();
+        RefreshToken offlineToken = oauth.verifyRefreshToken(offlineTokenString);
+
+        events.expectCodeToToken(codeId, sessionId)
+                .client("offline-client")
+                .detail(Details.REFRESH_TOKEN_TYPE, RefreshTokenUtil.TOKEN_TYPE_OFFLINE)
+                .assertEvent();
+
+        Assert.assertEquals(RefreshTokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
+        Assert.assertEquals(0, offlineToken.getExpiration());
+
+        testRefreshWithOfflineToken(token, offlineToken, offlineTokenString, sessionId, userId);
+    }
+
+    private void testRefreshWithOfflineToken(AccessToken oldToken, RefreshToken offlineToken, String offlineTokenString,
+                                             final String sessionId, String userId) {
+        // Change offset to big value to ensure userSession expired
+        Time.setOffset(99999);
+        Assert.assertFalse(oldToken.isActive());
+        Assert.assertTrue(offlineToken.isActive());
+
+        // Assert userSession expired
+        keycloakRule.update(new KeycloakRule.KeycloakSetup() {
+
+            @Override
+            public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
+                manager.getSession().sessions().removeExpiredUserSessions(appRealm);
+            }
+
+        });
+        keycloakRule.update(new KeycloakRule.KeycloakSetup() {
+
+            @Override
+            public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
+                Assert.assertNull(manager.getSession().sessions().getUserSession(appRealm, sessionId));
+            }
+
+        });
+
+
+        OAuthClient.AccessTokenResponse response = oauth.doRefreshTokenRequest(offlineTokenString, "secret1");
+        AccessToken refreshedToken = oauth.verifyToken(response.getAccessToken());
+        Assert.assertEquals(200, response.getStatusCode());
+        Assert.assertEquals(sessionId, refreshedToken.getSessionState());
+
+        // Assert no refreshToken in the response
+        Assert.assertNull(response.getRefreshToken());
+        Assert.assertNotEquals(oldToken.getId(), refreshedToken.getId());
+
+        Assert.assertEquals(userId, refreshedToken.getSubject());
+
+        Assert.assertEquals(1, refreshedToken.getRealmAccess().getRoles().size());
+        Assert.assertTrue(refreshedToken.getRealmAccess().isUserInRole("user"));
+
+        Assert.assertEquals(1, refreshedToken.getResourceAccess("test-app").getRoles().size());
+        Assert.assertTrue(refreshedToken.getResourceAccess("test-app").isUserInRole("customer-user"));
+
+        Event refreshEvent = events.expectRefresh(offlineToken.getId(), sessionId)
+                .client("offline-client")
+                .user(userId)
+                .removeDetail(Details.UPDATED_REFRESH_TOKEN_ID)
+                .detail(Details.REFRESH_TOKEN_TYPE, RefreshTokenUtil.TOKEN_TYPE_OFFLINE)
+                .assertEvent();
+        Assert.assertNotEquals(oldToken.getId(), refreshEvent.getDetails().get(Details.TOKEN_ID));
+
+        Time.setOffset(0);
+    }
+
+    @Test
+    public void offlineTokenDirectGrantFlow() throws Exception {
+        oauth.scope(OAuth2Constants.OFFLINE_ACCESS);
+        oauth.clientId("offline-client");
+        OAuthClient.AccessTokenResponse tokenResponse = oauth.doGrantAccessTokenRequest("secret1", "test-user@localhost", "password");
+
+        AccessToken token = oauth.verifyToken(tokenResponse.getAccessToken());
+        String offlineTokenString = tokenResponse.getRefreshToken();
+        RefreshToken offlineToken = oauth.verifyRefreshToken(offlineTokenString);
+
+        events.expectLogin()
+                .client("offline-client")
+                .user(userId)
+                .session(token.getSessionState())
+                .detail(Details.RESPONSE_TYPE, "token")
+                .detail(Details.TOKEN_ID, token.getId())
+                .detail(Details.REFRESH_TOKEN_ID, offlineToken.getId())
+                .detail(Details.REFRESH_TOKEN_TYPE, RefreshTokenUtil.TOKEN_TYPE_OFFLINE)
+                .detail(Details.USERNAME, "test-user@localhost")
+                .removeDetail(Details.CODE_ID)
+                .removeDetail(Details.REDIRECT_URI)
+                .removeDetail(Details.CONSENT)
+                .assertEvent();
+
+        Assert.assertEquals(RefreshTokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
+        Assert.assertEquals(0, offlineToken.getExpiration());
+
+        testRefreshWithOfflineToken(token, offlineToken, offlineTokenString, token.getSessionState(), userId);
+    }
+
+    @Test
+    public void offlineTokenServiceAccountFlow() throws Exception {
+        oauth.scope(OAuth2Constants.OFFLINE_ACCESS);
+        oauth.clientId("offline-client");
+        OAuthClient.AccessTokenResponse tokenResponse = oauth.doClientCredentialsGrantAccessTokenRequest("secret1");
+
+        AccessToken token = oauth.verifyToken(tokenResponse.getAccessToken());
+        String offlineTokenString = tokenResponse.getRefreshToken();
+        RefreshToken offlineToken = oauth.verifyRefreshToken(offlineTokenString);
+
+        String serviceAccountUserId = keycloakRule.getUser("test",  ServiceAccountConstants.SERVICE_ACCOUNT_USER_PREFIX + "offline-client").getId();
+
+        events.expectClientLogin()
+                .client("offline-client")
+                .user(serviceAccountUserId)
+                .session(token.getSessionState())
+                .detail(Details.TOKEN_ID, token.getId())
+                .detail(Details.REFRESH_TOKEN_ID, offlineToken.getId())
+                .detail(Details.REFRESH_TOKEN_TYPE, RefreshTokenUtil.TOKEN_TYPE_OFFLINE)
+                .detail(Details.USERNAME, ServiceAccountConstants.SERVICE_ACCOUNT_USER_PREFIX + "offline-client")
+                .assertEvent();
+
+        Assert.assertEquals(RefreshTokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
+        Assert.assertEquals(0, offlineToken.getExpiration());
+
+        testRefreshWithOfflineToken(token, offlineToken, offlineTokenString, token.getSessionState(), serviceAccountUserId);
+
+
+        // Now retrieve another offline token and verify that previous offline token is not valid anymore
+        tokenResponse = oauth.doClientCredentialsGrantAccessTokenRequest("secret1");
+
+        AccessToken token2 = oauth.verifyToken(tokenResponse.getAccessToken());
+        String offlineTokenString2 = tokenResponse.getRefreshToken();
+        RefreshToken offlineToken2 = oauth.verifyRefreshToken(offlineTokenString2);
+
+        events.expectClientLogin()
+                .client("offline-client")
+                .user(serviceAccountUserId)
+                .session(token2.getSessionState())
+                .detail(Details.TOKEN_ID, token2.getId())
+                .detail(Details.REFRESH_TOKEN_ID, offlineToken2.getId())
+                .detail(Details.REFRESH_TOKEN_TYPE, RefreshTokenUtil.TOKEN_TYPE_OFFLINE)
+                .detail(Details.USERNAME, ServiceAccountConstants.SERVICE_ACCOUNT_USER_PREFIX + "offline-client")
+                .assertEvent();
+
+        // Refresh with old offline token should fail
+        OAuthClient.AccessTokenResponse response = oauth.doRefreshTokenRequest(offlineTokenString, "secret1");
+        Assert.assertEquals(400, response.getStatusCode());
+        Assert.assertEquals("invalid_grant", response.getError());
+
+        events.expectRefresh(offlineToken.getId(), offlineToken.getSessionState())
+                .error(Errors.INVALID_TOKEN)
+                .client("offline-client")
+                .user(serviceAccountUserId)
+                .removeDetail(Details.UPDATED_REFRESH_TOKEN_ID)
+                .removeDetail(Details.TOKEN_ID)
+                .detail(Details.REFRESH_TOKEN_TYPE, RefreshTokenUtil.TOKEN_TYPE_OFFLINE)
+                .assertEvent();
+
+        // Refresh with new offline token is ok
+        testRefreshWithOfflineToken(token2, offlineToken2, offlineTokenString2, token2.getSessionState(), serviceAccountUserId);
+    }
+
+    @Test
+    public void testServlet() {
+        OfflineTokenServlet.tokenInfo = null;
+
+        String servletUri = UriBuilder.fromUri(offlineClientAppUri)
+                .queryParam(OAuth2Constants.SCOPE, OAuth2Constants.OFFLINE_ACCESS)
+                .build().toString();
+        driver.navigate().to(servletUri);
+        loginPage.login("test-user@localhost", "password");
+        Assert.assertTrue(driver.getCurrentUrl().startsWith(offlineClientAppUri));
+
+        Assert.assertEquals(OfflineTokenServlet.tokenInfo.refreshToken.getType(), RefreshTokenUtil.TOKEN_TYPE_OFFLINE);
+        Assert.assertEquals(OfflineTokenServlet.tokenInfo.refreshToken.getExpiration(), 0);
+
+        String accessTokenId = OfflineTokenServlet.tokenInfo.accessToken.getId();
+        String refreshTokenId = OfflineTokenServlet.tokenInfo.refreshToken.getId();
+
+        // Assert access token will be refreshed, but offline token will be still the same
+        Time.setOffset(9999);
+        driver.navigate().to(offlineClientAppUri);
+        Assert.assertTrue(driver.getCurrentUrl().startsWith(offlineClientAppUri));
+        Assert.assertEquals(OfflineTokenServlet.tokenInfo.refreshToken.getId(), refreshTokenId);
+        Assert.assertNotEquals(OfflineTokenServlet.tokenInfo.accessToken.getId(), accessTokenId);
+
+        // Ensure that logout works for webapp (even if offline token will be still valid in Keycloak DB)
+        driver.navigate().to(offlineClientAppUri + "/logout");
+        loginPage.assertCurrent();
+        driver.navigate().to(offlineClientAppUri);
+        loginPage.assertCurrent();
+
+        Time.setOffset(0);
+        events.clear();
+    }
+
+    @Test
+    public void testServletWithRevoke() {
+        // Login to servlet first with offline token
+        String servletUri = UriBuilder.fromUri(offlineClientAppUri)
+                .queryParam(OAuth2Constants.SCOPE, OAuth2Constants.OFFLINE_ACCESS)
+                .build().toString();
+        driver.navigate().to(servletUri);
+        loginPage.login("test-user@localhost", "password");
+        Assert.assertTrue(driver.getCurrentUrl().startsWith(offlineClientAppUri));
+
+        Assert.assertEquals(OfflineTokenServlet.tokenInfo.refreshToken.getType(), RefreshTokenUtil.TOKEN_TYPE_OFFLINE);
+
+        // Assert refresh works with increased time
+        Time.setOffset(9999);
+        driver.navigate().to(offlineClientAppUri);
+        Assert.assertTrue(driver.getCurrentUrl().startsWith(offlineClientAppUri));
+        Time.setOffset(0);
+
+        events.clear();
+
+        // Go to account service and revoke grant
+        accountAppPage.open();
+        List<String> additionalGrants = accountAppPage.getApplications().get("offline-client").getAdditionalGrants();
+        Assert.assertEquals(additionalGrants.size(), 1);
+        Assert.assertEquals(additionalGrants.get(0), "Offline Access");
+        accountAppPage.revokeGrant("offline-client");
+        Assert.assertEquals(accountAppPage.getApplications().get("offline-client").getAdditionalGrants().size(), 0);
+
+        events.expect(EventType.REVOKE_GRANT)
+                .client("account").detail(Details.REVOKED_CLIENT, "offline-client").assertEvent();
+
+        // Assert refresh doesn't work now (increase time one more time)
+        Time.setOffset(9999);
+        driver.navigate().to(offlineClientAppUri);
+        Assert.assertFalse(driver.getCurrentUrl().startsWith(offlineClientAppUri));
+        loginPage.assertCurrent();
+        Time.setOffset(0);
+    }
+
+    public static class OfflineTokenServlet extends HttpServlet {
+
+        private static TokenInfo tokenInfo;
+
+        @Override
+        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+            if (req.getRequestURI().endsWith("logout")) {
+
+                UriBuilder redirectUriBuilder = UriBuilder.fromUri(offlineClientAppUri);
+                if (req.getParameter(OAuth2Constants.SCOPE) != null) {
+                    redirectUriBuilder.queryParam(OAuth2Constants.SCOPE, req.getParameter(OAuth2Constants.SCOPE));
+                }
+                String redirectUri = redirectUriBuilder.build().toString();
+
+                String origin = UriUtils.getOrigin(req.getRequestURL().toString());
+                String serverLogoutRedirect = UriBuilder.fromUri(origin + "/auth/realms/test/protocol/openid-connect/logout")
+                        .queryParam("redirect_uri", redirectUri)
+                        .build().toString();
+
+                resp.sendRedirect(serverLogoutRedirect);
+                return;
+            }
+
+            StringBuilder response = new StringBuilder("<html><head><title>Offline token servlet</title></head><body><pre>");
+            RefreshableKeycloakSecurityContext ctx = (RefreshableKeycloakSecurityContext) req.getAttribute(KeycloakSecurityContext.class.getName());
+            String accessTokenPretty = JsonSerialization.writeValueAsPrettyString(ctx.getToken());
+            RefreshToken refreshToken = new JWSInput(ctx.getRefreshToken()).readJsonContent(RefreshToken.class);
+            String refreshTokenPretty = JsonSerialization.writeValueAsPrettyString(refreshToken);
+
+            response = response.append(accessTokenPretty)
+                    .append(refreshTokenPretty)
+                    .append("</pre></body></html>");
+            resp.getWriter().println(response.toString());
+
+            tokenInfo = new TokenInfo(ctx.getToken(), refreshToken);
+        }
+
+    }
+
+    private static class TokenInfo {
+
+        private final AccessToken accessToken;
+        private final RefreshToken refreshToken;
+
+        public TokenInfo(AccessToken accessToken, RefreshToken refreshToken) {
+            this.accessToken = accessToken;
+            this.refreshToken = refreshToken;
+        }
+    }
+}

testsuite/integration/src/test/java/org/keycloak/testsuite/pages/AccountApplicationsPage.java

@@ -77,6 +77,15 @@ public class AccountApplicationsPage extends AbstractAccountPage {
                             currentEntry.addMapper(protMapper);
                         }
                         break;
+                    case 5:
+                        String additionalGrant = col.getText();
+                        if (additionalGrant.isEmpty()) break;
+                        String[] grants = additionalGrant.split(",");
+                        for (String grant : grants) {
+                            grant = grant.trim();
+                            currentEntry.addAdditionalGrant(grant);
+                        }
+                        break;
                 }
             }
         }
@@ -89,6 +98,7 @@ public class AccountApplicationsPage extends AbstractAccountPage {
         private final List<String> rolesAvailable = new ArrayList<String>();
         private final List<String> rolesGranted = new ArrayList<String>();
         private final List<String> protocolMappersGranted = new ArrayList<String>();
+        private final List<String> additionalGrants = new ArrayList<>();
 
         private void addAvailableRole(String role) {
             rolesAvailable.add(role);
@@ -102,6 +112,10 @@ public class AccountApplicationsPage extends AbstractAccountPage {
             protocolMappersGranted.add(protocolMapper);
         }
 
+        private void addAdditionalGrant(String grant) {
+            additionalGrants.add(grant);
+        }
+
         public List<String> getRolesGranted() {
             return rolesGranted;
         }
@@ -113,5 +127,9 @@ public class AccountApplicationsPage extends AbstractAccountPage {
         public List<String> getProtocolMappersGranted() {
             return protocolMappersGranted;
         }
+
+        public List<String> getAdditionalGrants() {
+            return additionalGrants;
+        }
     }
 }

testsuite/integration/src/test/java/org/keycloak/testsuite/pages/LoginUpdateProfileEditUsernameAllowedPage.java

@@ -0,0 +1,51 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2012, Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.keycloak.testsuite.pages;
+
+import org.openqa.selenium.WebElement;
+import org.openqa.selenium.support.FindBy;
+
+public class LoginUpdateProfileEditUsernameAllowedPage extends LoginUpdateProfilePage {
+
+    @FindBy(id = "username")
+    private WebElement usernameInput;
+
+    public void update(String firstName, String lastName, String email, String username) {
+        usernameInput.clear();
+        usernameInput.sendKeys(username);
+        update(firstName, lastName, email);
+    }
+
+    public String getUsername() {
+        return usernameInput.getAttribute("value");
+    }
+
+    public boolean isCurrent() {
+        return driver.getTitle().equals("Update Account Information");
+    }
+
+    @Override
+    public void open() {
+        throw new UnsupportedOperationException();
+    }
+
+}

testsuite/integration/src/test/java/org/keycloak/testsuite/rule/LDAPRule.java

@@ -57,4 +57,8 @@ public class LDAPRule extends ExternalResource {
     public Map<String, String> getConfig() {
         return ldapTestConfiguration.getLDAPConfig();
     }
+
+    public int getSleepTime() {
+        return ldapTestConfiguration.getSleepTime();
+    }
 }

testsuite/integration/src/test/resources/model/testrealm.json

@@ -164,6 +164,7 @@
             "name": "Other Application",
             "enabled": true,
             "serviceAccountsEnabled": true,
+            "offlineTokensEnabled": true,
             "clientAuthenticatorType": "client-jwt",
             "protocolMappers" : [
                 {

testsuite/integration/src/test/resources/oidc/offline-client-keycloak.json

@@ -0,0 +1,10 @@
+{
+  "realm": "test",
+  "resource": "offline-client",
+  "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
+  "auth-server-url": "http://localhost:8081/auth",
+  "ssl-required" : "external",
+  "credentials": {
+    "secret": "secret1"
+  }
+}

testsuite/integration/src/test/resources/testrealm.json

@@ -5,6 +5,7 @@
     "sslRequired": "external",
     "registrationAllowed": true,
     "resetPasswordAllowed": true,
+    "editUsernameAllowed" : true,
     "privateKey": "MIICXAIBAAKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQABAoGAfmO8gVhyBxdqlxmIuglbz8bcjQbhXJLR2EoS8ngTXmN1bo2L90M0mUKSdc7qF10LgETBzqL8jYlQIbt+e6TH8fcEpKCjUlyq0Mf/vVbfZSNaVycY13nTzo27iPyWQHK5NLuJzn1xvxxrUeXI6A2WFpGEBLbHjwpx5WQG9A+2scECQQDvdn9NE75HPTVPxBqsEd2z10TKkl9CZxu10Qby3iQQmWLEJ9LNmy3acvKrE3gMiYNWb6xHPKiIqOR1as7L24aTAkEAtyvQOlCvr5kAjVqrEKXalj0Tzewjweuxc0pskvArTI2Oo070h65GpoIKLc9jf+UA69cRtquwP93aZKtW06U8dQJAF2Y44ks/mK5+eyDqik3koCI08qaC8HYq2wVl7G2QkJ6sbAaILtcvD92ToOvyGyeE0flvmDZxMYlvaZnaQ0lcSQJBAKZU6umJi3/xeEbkJqMfeLclD27XGEFoPeNrmdx0q10Azp4NfJAY+Z8KRyQCR2BEG+oNitBOZ+YXF9KCpH3cdmECQHEigJhYg+ykOvr1aiZUMFT72HU0jnmQe2FVekuG+LJUt2Tm7GtMjTFoGpf0JwrVuZN39fOYAlo+nTixgeW7X8Y=",
     "publicKey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
     "requiredCredentials": [ "password" ],
@@ -32,7 +33,23 @@
             }
         },
         {
-            "username" : "keycloak-user@localhost",
+            "username" : "john-doh@localhost",
+            "enabled": true,
+            "email" : "john-doh@localhost",
+            "firstName": "John",
+            "lastName": "Doh",
+            "credentials" : [
+                { "type" : "password",
+                    "value" : "password" }
+            ],
+            "realmRoles": ["user"],
+            "clientRoles": {
+                "test-app": [ "customer-user" ],
+                "account": [ "view-profile", "manage-account" ]
+            }
+        },
+        {
+                "username" : "keycloak-user@localhost",
             "enabled": true,
             "email" : "keycloak-user@localhost",
             "credentials" : [