How to get offline token #232

Closed
stephane-dereppe opened this issue Mar 7, 2020 · 13 comments

@stephane-dereppe

Bug Report or Feature Request (mark with an x)

- [ ] bug report -> please search for issues before submitting
- [X] feature request

Versions.

"keycloak-angular": "^7.1.0",
"keycloak-js": "4.8.3",

Desired functionality.

How could we get offline tokens?

https://github.com/keycloak/keycloak-documentation/blob/master/server_admin/topics/sessions/offline.adoc

@Wlada

Wlada commented Mar 12, 2020

Any information on this would be great.

@jonkoops
Collaborator

If you have an example of how this would be accomplished using keycloak-js standalone, for which I cannot find much clear documentation, it would be no issue to implement this in Keycloak Angular.

What exactly are you trying to accomplish using offline tokens?

@stephane-dereppe
Author

Hi,

I've built a PWA and I wonder whether using offline tokens could improve the user experience.

For now, users have to log in again once the session has expired... which is not so "app like".

Maybe I've misunderstood what offline tokens are for... but I think they could match the scenario where a user should not have to log in again after his session has expired, but only if he hasn't used the token for a while (default seems to be 30 days).

I read in the docs that to request an offline token, we should request the scope offline_access in the authorization request. But I don't know how to achieve this with angular-keycloak.

Any feedback on my thoughts is welcome.

@jonkoops
Collaborator

@stephane-dereppe Looks like this scope parameter will have to be passed to the login() method of keycloak-js (see the type definition).

These options are passed 1-1 from the login method of Keycloak Angular, so if you manually handle the login (not using check-sso and login-required for onLoad) it should be possible to request this token.

Could someone in this thread check this out and follow up with their findings? We can use this to write some documentation.

@stephane-dereppe
Author

Sorry. I do use the login-required option in the initOptions of the keycloak.init.

I was expecting a way to pass the requested scope via this interface but found nothing.

        await keycloak.init({
          config: appConfigService.getConfig().keycloak,
          initOptions: {
            onLoad: 'login-required',
            checkLoginIframe: false
          },
          enableBearerInterceptor: true,
          bearerExcludedUrls: [
            '/assets'
          ]
        });

Do you mean I should remove the login-required value and manually trigger keycloak.login() after the initialization?

Other remark: Could anyone tell me if my approach (using offline tokens for a PWA application) is a good one? Does it make sense?

Thanks for your help!

@jonkoops
Collaborator

@stephane-dereppe Yes, since login-required will trigger the login flow without the scope you'll have to handle the login yourself.

@dieAte

dieAte commented Mar 19, 2020

@stephane-dereppe - sorry, it's off topic, but can you tell me if your PWA works on Android? I tried with the same settings in my Ionic Cordova app but I always end up in an empty white screen after login, I guess with an error that I'm not allowed to access localhost. I installed the inAppBrowser plugin but I'm not sure if it's really used. Without specifying the adapter, the Cordova adapter should be used if it exists.

@stephane-dereppe
Author

@dieAte Yes, my PWA works on Android. But I don't use Cordova at all. It's a plain Angular + PWA support application.

@stephane-dereppe
Author

If I replace my code with the following:

        await keycloak.init({
          config: appConfigService.getConfig().keycloak,
          initOptions: {
            checkLoginIframe: false
          },
          enableBearerInterceptor: true,
          bearerExcludedUrls: [
            '/assets'
          ]
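        }).then(auth => {
          if (!auth) {
            // Not authenticated after init: start the login flow manually
            // so the offline_access scope is part of the request.
            keycloak.login({
              scope: 'openid offline_access',
            });
          }
        });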

(remove onLoad: 'login-required') and pass the scope in the login method, I can get an offline token.

By the way, I've experienced the same problem as described on the mailing list (when doing a "logout all" via the admin console): https://lists.jboss.org/pipermail/keycloak-user/2018-May/014128.html

Now, to be able to reuse the offline token, I guess I should store it in my local storage (to avoid recreating a new token when I reload my page).
Do you know if it's a good practice to put an offline token in the local storage?
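
Added example (not part of the original thread and not keycloak-angular's own code): one way to confirm that the refresh token returned after the `offline_access` login above really is an offline token, by inspecting its decoded claims. It assumes Keycloak's convention of `typ: "Offline"` versus `typ: "Refresh"` in the refresh token payload and treats a missing or zero `exp` as "no expiry carried in the token"; the function names and sample tokens are constructed for illustration.

```javascript
// Added example: classify a Keycloak refresh token by its decoded claims.
// Decoding only: the signature is not verified here, so treat the result as
// a diagnostic, not as proof of authenticity.

function decodeJwtPayload(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  // JWT segments are base64url; map back to the standard alphabet first.
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Accepts already-decoded claims, e.g. keycloak-js's `refreshTokenParsed`.
function classifyRefreshClaims(claims) {
  const scopes = typeof claims.scope === 'string'
    ? claims.scope.split(' ').filter(Boolean)
    : [];
  return {
    typ: claims.typ || null,
    // Assumption: Keycloak marks offline tokens with typ "Offline".
    isOffline: claims.typ === 'Offline',
    hasOfflineScope: scopes.includes('offline_access'),
    // Assumption: exp of 0 or absent means lifetime is enforced server-side.
    expiresAt: claims.exp ? new Date(claims.exp * 1000).toISOString() : null,
  };
}

function describeRefreshToken(jwt) {
  return classifyRefreshClaims(decodeJwtPayload(jwt));
}

// Constructed sample tokens with a fake signature, for offline demonstration.
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}.constructed-signature`;
}

const SAMPLE_OFFLINE = makeSampleToken({ typ: 'Offline', scope: 'openid offline_access', exp: 0 });
const SAMPLE_REFRESH = makeSampleToken({ typ: 'Refresh', scope: 'openid', exp: 1583600000 });

console.log(describeRefreshToken(SAMPLE_OFFLINE));
console.log(describeRefreshToken(SAMPLE_REFRESH));
```

In the browser, `classifyRefreshClaims` can be given the `refreshTokenParsed` property of the keycloak-js instance directly, which avoids the Node-only `Buffer` decoding step.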

@john-melin

Is this being looked at?

@jonkoops Any news on documentation?

@jonkoops
Collaborator

jonkoops commented Jul 9, 2020

Yeah, I am still working on the docs. Unfortunately I have not had much time for the project recently, but I have some holidays in a couple of weeks that I will use to improve things.

@jonkoops
Collaborator

I've updated our documentation to be a bit more streamlined, however it does not yet include this specific piece of documentation. The idea is that we will write separate documentation or 'Guides' that will describe specific parts of working with Keycloak Angular such as getting an offline token. I've created #272 to implement this specific guide.

@mivanicova

> For now, users have to log in again once the session has expired... which is not so "app like".
>
> Maybe I've misunderstood what offline tokens are for... but I think they could match the scenario where a user should not have to log in again after his session has expired, but only if he hasn't used the token for a while (default seems to be 30 days).

It sounds like what you are looking for is achievable by setting "Remember me" to ON for the realm in the Keycloak Admin Console. Given that the user gives consent during login by ticking the "Remember me" checkbox, the next time he comes back (even after the browser is closed) he is automatically logged in, because the KEYCLOAK_IDENTITY cookie is preserved. The SSO Session Remember Me time can be configured in Realm/Token settings.
