Conversation

@mposolda
Contributor

closes #37116

  • Using option (2) of what was discussed in the comments of Polish token-exchange when refresh-token requested with the offline access #37116. So token exchange is allowed when triggered without scope=offline_access and when the initial subject_token was linked to an offline session. In this case, a new "online" user session is created

  • Also added cleanup of "tombstone" sessions in this PR. For example, if a token-exchange request fails due to the fact that scope=offline_access was used or due to consents, it was possible that a clientSession or userSession, which was possibly created in this request, was still kept. In this PR, I've done cleanup of such sessions
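An added illustration (not Keycloak code) of the two behaviours the description above mentions: an exchange of an offline-bound subject token yields a fresh online session, and any session created during a request that then fails (offline_access requested, or consent missing) is removed rather than left as a tombstone. The session store, the `SubjectToken` fields and the failure conditions are assumptions modelled on the description only.

```python
from dataclasses import dataclass, field

OFFLINE_ACCESS = "offline_access"


@dataclass
class SubjectToken:
    user: str
    offline: bool          # bound to an offline (persistent) session?
    consent_granted: bool  # target client already has the user's consent?


@dataclass
class SessionStore:  # assumed stand-in for the server's session storage
    user_sessions: dict = field(default_factory=dict)
    client_sessions: dict = field(default_factory=dict)


class ExchangeError(Exception):
    pass


def token_exchange(store, subject, target_client, scopes):
    """Model of the policy: returns the id of the new user session or raises."""
    session_id = f"sess-{len(store.user_sessions) + 1}"
    created = []  # everything written so far, so a failure can undo it
    try:
        # A new *online* session is created even when the subject token
        # was bound to an offline session (option 2 of #37116).
        store.user_sessions[session_id] = {"user": subject.user, "offline": False}
        created.append(("user", session_id))
        store.client_sessions[(session_id, target_client)] = {"scopes": set(scopes)}
        created.append(("client", (session_id, target_client)))
        # Failure conditions named in the description (modelled, not exhaustive).
        if OFFLINE_ACCESS in scopes:
            raise ExchangeError("scope=offline_access is not allowed in token exchange")
        if not subject.consent_granted:
            raise ExchangeError("consent for the target client is required")
        return session_id
    except ExchangeError:
        # Tombstone cleanup: drop whatever this request created before failing.
        for kind, key in created:
            table = store.user_sessions if kind == "user" else store.client_sessions
            table.pop(key, None)
        raise


def try_exchange(store, subject, target_client, scopes):
    """Convenience wrapper: (session_id, None) on success, (None, reason) on failure."""
    try:
        return token_exchange(store, subject, target_client, scopes), None
    except ExchangeError as exc:
        return None, str(exc)
```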

Contributor

@graziang graziang left a comment


@mposolda Thanks, LGTM. Changes in this PR should be considered in the revocation process. It doesn't seem possible to revoke a session created through token exchange when revoking the original access token, but maybe a solution can be found.

@mposolda
Contributor Author

@graziang Thanks! Added some ideas to #37120, however I'm not sure if we can support them without sacrificing performance. Especially in the case when a new userSession is created by the token exchange, it can have a performance impact... Not sure whether to not support this and rather document that the "revocation chain" won't be supported in case a new user session needs to be created?

@mposolda mposolda merged commit cc4a413 into keycloak:main Feb 28, 2025
78 checks passed