<div dir="ltr">Hi Yasir,<div><br></div><div>If I understand your query correctly:</div><div><br></div><div>Keycloak's JWT tokens have an expiry (i.e. lifetime, often a few minutes). Even if you log out that session in Keycloak, it might be a few minutes until the token already issued to the user expires. </div><div><br></div><div>There are mechanisms to explicitly revoke/blacklist tokens before the expiry has been reached, but they are not currently supported by Apiman. </div><div><br></div><div>Regards,</div><div>Marc</div></div><br><div class="gmail_quote"><div dir="ltr">On Wed, 21 Nov 2018 at 13:34, Yasir Zeeshan <<a href="mailto:yasir.z@3gca.org">yasir.z@3gca.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Hi,</p>
<p>I implemented apiman with keycloak, it is working fine with <a href="http://192.168.100.211:8081/apimanui/api-manager/admin/plugins/1008" class="m_-5554223020200190518ng-binding" style="box-sizing:border-box;background-color:transparent;color:rgb(0,153,211);text-decoration:none;font-family:"Open Sans",Helvetica,Arial,sans-serif;font-size:13px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank"></a><b>keycloak OAuth policy</b>
and <b>authorization policy </b>plugin but if i logout a user
session from keycloak but it still works on apiman, where it
doesn't have to give access and show 401.</p>
<p><br>
</p>
<p>Regards,</p>
<p>Yasir<br>
</p>
</div>
_______________________________________________<br>
Apiman-user mailing list<br>
<a href="mailto:Apiman-user@lists.jboss.org" target="_blank">Apiman-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/apiman-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/apiman-user</a><br>
</blockquote></div>