feat(auth): Add "offline_access" scope for long-lived refresh tokens #1943
+15
−7
Add the offline_access scope when requesting authentication and refresh tokens in the CLI. This ensures that the authentication provider issues long-lived refresh tokens, allowing the CLI to obtain new access tokens without requiring the user to log in frequently. This allows for having long-lived refresh tokens for the CLI, while still having the refresh tokens for the web application expire after a shorter period of time in case there is no user activity.
Such refresh tokens will no longer have an exp (expiration) claim. However, in authentication providers like Keycloak there are policies that enable invalidating them nevertheless after a period of inactivity. This mechanism allows for a regular automatic clean-up of long-lived CLI sessions, preventing the number of long-lived sessions in Keycloak from growing without any bounds. While for web applications it is good practice to invalidate the refresh token after 15 - 30 minutes of inactivity, for CLIs it is common to have them last for several hours or even days.