keycloak-scim/topics/sessions/offline.adoc
2016-05-27 16:37:49 -04:00

30 lines
2.5 KiB
Text

[[_offline-access]]
=== Offline Access
The Offline access is the feature described in http://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess[OpenID Connect specification] .
The idea is that during login, your client application will request Offline token instead of classic Refresh token.
The application can save this offline token in a database or on disk and can use it later even if user is logged out.
This is useful if your application needs to do some "offline" actions on behalf of user even if user is not online
like periodic backup of some data every night etc.
Your application is responsible to persist the offline token in some storage (usually database) and then use it to manually retrieve new access token from {{book.project.name}} server.
The difference between classic Refresh token and Offline token is, that offline token will never expire and is not subject of `SSO Session Idle timeout` .
The offline token is valid even after a user logout or server restart.
However you do need to use the offline token for refresh token action at least once per each 30 days ( The value can be changed in admin console.
It is `Offline Session Idle timeout` ). Also if you enable option `Revoke refresh tokens`, then each offline token can be used just once.
So after refresh, you always need to store new offline token from refresh response into your DB instead of the previous one.
Users can view and revoke offline tokens that have been granted by them in the <<fake/../../account.adoc#_account-service, User Account Service>>.
The admin user can revoke offline tokens for individual users in admin console in the `Consent` tab of a particular user.
The admin can also view all the offline tokens issued in the `Offline Access` tab of each client.
Offline tokens can also be revoked by setting a <<fake/../../sessions/revocation.adoc#_revocation-policy, revocation policy>>.
To be able to issue an offline token, users need to have the role mapping for the realm-level role `offline_access`.
Clients also need to have that role in their scope.
The client can request offline token by adding the parameter `scope=offline_access` when sending authorization request to {{book.project.name}}.
The {{book.project.name}} OIDC client adapter automatically adds this parameter when you use it to access secured URL of your application (ie.
http://localhost:8080/customer-portal/secured?scope=offline_access ). The Direct Access Grant and Service Accounts also
support offline tokens if you include `scope=offline_access` in the body of the authentication request.