[keycloak-dev] Support for invalidation of access/refresh tokens

Marek Posolda mposolda at redhat.com
Wed Oct 23 06:26:03 EDT 2013


Hi,

it seems that actually there is no way for a client to invalidate an access token. For example: if a client recognizes that his access token has been stolen, he may want to log out and invalidate his access token, so that nobody can use it anymore to authenticate REST calls via Bearer authentication. Actually, Bearer token authentication (like CatalinaBearerTokenAuthenticator) just verifies the signature of the access token, but this verification will pass for a stolen access token.

It seems that for supporting this feature, we may need:
- Store all valid access tokens (either in memory or in persistent storage)
- A REST endpoint to invalidate an access token, which could be used by the client
- A REST endpoint to check if an access token is valid, which could be used by the application providing REST endpoints, in addition to signature verification

It seems that this problem is maybe not so bad for access tokens as long as they have a low expiration period, but what if an attacker somehow steals the refresh token? Is it planned to have invalidation support for refresh tokens?

Marek
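The gap described in the mail, as an added example (not Keycloak's code): a minimal issuer signs access and refresh tokens, a signature-only check accepts any unexpired token regardless of who holds it, and an in-memory revocation store with two endpoint-style functions (`invalidate_token`, `is_token_valid`, both names assumed here) lets a client revoke a token and a resource server reject it. HMAC-signed JSON stands in for Keycloak's signed tokens, the signing key and the in-memory set are constructed for the demo, and refresh handling is included to show that the same store answers the refresh-token question.

```python
"""Added example: signature verification versus a revocation store.

Not Keycloak code. Tokens are HMAC-signed JSON (a stand-in for the real
signed tokens), and revoked token ids live in a process-local set, which
is an assumption; a cluster would need shared or persistent storage.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed demo key; a real server would use the realm's signing key.
SIGNING_KEY = b"constructed-demo-key-not-for-production"

# Revocation store: ids ("jti") of tokens that have been invalidated.
_revoked_ids: set = set()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, kind: str, lifetime_s: int,
                now: Optional[float] = None) -> str:
    """Issue a signed token with a unique id and an expiry timestamp."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "typ": kind, "jti": secrets.token_hex(8),
              "exp": int(now + lifetime_s)}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_signature(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Signature-and-expiry check only, like the bearer authenticator in the
    mail: a stolen but unexpired token passes because nothing here asks who
    still has the right to use it."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    # compare_digest returns False (no exception) on length mismatch.
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    claims = json.loads(_unb64(body))
    now = time.time() if now is None else now
    if claims["exp"] <= now:
        return None
    return claims


def invalidate_token(token: str, now: Optional[float] = None) -> bool:
    """Endpoint-style revocation used by the client that lost a token.
    Requires a valid signature so only a real token can be revoked."""
    claims = verify_signature(token, now)
    if claims is None:
        return False
    _revoked_ids.add(claims["jti"])
    return True


def is_token_valid(token: str, now: Optional[float] = None) -> bool:
    """Endpoint-style check for resource servers, used in addition to
    signature verification: a revoked id fails even though the signature
    and expiry still check out."""
    claims = verify_signature(token, now)
    return claims is not None and claims["jti"] not in _revoked_ids


def refresh(refresh_token: str, now: Optional[float] = None) -> Optional[str]:
    """Exchange a refresh token for a new access token; refused once the
    refresh token's id is in the revocation store."""
    claims = verify_signature(refresh_token, now)
    if claims is None or claims["typ"] != "refresh" or claims["jti"] in _revoked_ids:
        return None
    return issue_token(claims["sub"], "access", 300, now)


if __name__ == "__main__":
    access = issue_token("alice", "access", 300)
    print("signature ok:", verify_signature(access) is not None)
    invalidate_token(access)
    print("signature still ok:", verify_signature(access) is not None)
    print("accepted by revocation-aware check:", is_token_valid(access))
```

The two checks disagree on purpose: after `invalidate_token`, `verify_signature` still returns the claims while `is_token_valid` returns False, which is exactly the difference between the current bearer authenticator and the proposed validity endpoint. Storing only revoked ids (a denylist) rather than every valid token keeps the store small, but it then has to hold each id until that token's `exp` passes.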

