[keycloak-dev] Revocation of access_token

Bill Burke bburke at redhat.com
Mon Jun 16 08:44:35 EDT 2014


FYI, even if we could do this, it wouldn't look like it from a user 
perspective if there was an SSO session active and if they visited the 
revoked application again.  In that case they'd just get a new refresh 
token.

On 6/16/2014 6:34 AM, Corinne Krych wrote:
> We’ll keep an eye on that.
> Thanks,
> Corinne
> PS: we track it with https://issues.jboss.org/browse/AGIOS-206
>
> On 16 Jun 2014, at 12:27, Stian Thorgersen <stian at redhat.com> wrote:
>
>> We'll probably also add something more like what Google and Facebook have in the future, by having the option to list what grants have been given to clients in account management, and the ability to revoke access to a specific client.
>>
>> ----- Original Message -----
>>> From: "Corinne Krych" <corinnekrych at gmail.com>
>>> To: "Stian Thorgersen" <stian at redhat.com>
>>> Cc: "Christos Vasilakis" <cvasilak at gmail.com>, keycloak-dev at lists.jboss.org
>>> Sent: Monday, 16 June, 2014 10:51:31 AM
>>> Subject: Re: [keycloak-dev] Revocation of access_token
>>>
>>> Thanks Stian for you reply
>>>
>>> Interesting it looks different from what we’ve seen so far with Google and
>>> Facebook, closer to http://tools.ietf.org/html/rfc7009 draft specification
>>> on revoke toke where you put the token you want to revoke and it will revoke
>>> all refreh and access tokens.
>>>
>>> ++
>>> Corinne
>>> On 16 Jun 2014, at 11:22, Stian Thorgersen <stian at redhat.com> wrote:
>>>
>>>> You can't revoke individual tokens or refresh tokens, but all tokens (and
>>>> cookies) are linked to a user session which can be revoked.
>>>>
>>>> To logout the current session (uses cookie):
>>>> https://server/realms/application/tokens/logout
>>>>
>>>> To logout a specific session (you can get the session state from token:
>>>> https://server/realms/application/tokens/logout?session_state=<SESSION>
>>>>
>>>> You can also logout sessions from the account management, or through the
>>>> admin console.
>>>>
>>>> ----- Original Message -----
>>>>> From: "Christos Vasilakis" <cvasilak at gmail.com>
>>>>> To: keycloak-dev at lists.jboss.org
>>>>> Sent: Monday, 16 June, 2014 10:04:30 AM
>>>>> Subject: [keycloak-dev] Revocation of access_token
>>>>>
>>>>> Hi all,
>>>>>
>>>>> is there any way a user that holds an ‘access_token’  to manually revoke
>>>>> it
>>>>> by posting to a particular URL?
>>>>>
>>>>> 'curl "https://server/realms/application/tokens/revoke?token=<token>'
>>>>>
>>>>> Sorry if i am missing sth would be glad if you point me to the right
>>>>> direction.
>>>>>
>>>>> Regards,
>>>>> Christos
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-dev mailing list
>>>>> keycloak-dev at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>
>>>>
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com


More information about the keycloak-dev mailing list