[keycloak-dev] Disabling SAML client
Bill Burke
bburke at redhat.com
Mon Dec 7 10:29:00 EST 2015
On 12/7/2015 7:56 AM, Michal Hajas wrote:
> Hi,
>
> I am wondering what should happen in the second scenario below.
>
> I have a working SAML client and try to disable the client in the admin console in the next two scenarios:
>
> First:
> 1. Disable the client in the admin console
> 2. Try to access the client URL -> I am getting "Login requester not enabled". I think this behavior is correct.
>
> Second:
> 1. Log in to the client
> 2. Disable the client in the admin console
> 3. Nothing happens, the secured resource is still available, even after some time.
>
> Is this correct? Shouldn't Keycloak forbid refreshing the token or somehow restrict access to the secured resource?
>
Good catch. Looks like when the refresh token and/or the client-auth flow
was added, the check for a disabled client was lost, both in the logic
and in the testsuite.
https://issues.jboss.org/browse/KEYCLOAK-2204
FYI though, Keycloak does not broadcast disabled-client events. We let
token timeouts and token refresh handle that.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
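The second scenario above, modelled as an added example (this is not Keycloak's code; the endpoint, client and token classes are invented for illustration): a toy token endpoint whose refresh path re-checks the client's enabled flag, which is the check the reply says was lost. Because disabling a client sends no event to already-logged-in sessions, the refresh path is where the disablement must take effect.

```python
"""Toy model (not Keycloak code) of the disabled-client check on token refresh."""
import time
from dataclasses import dataclass


@dataclass
class Client:
    client_id: str
    enabled: bool = True


@dataclass
class RefreshToken:
    client_id: str
    session_id: str
    expires_at: float


class RefreshError(Exception):
    """Raised when a login or refresh request must be rejected."""


class TokenEndpoint:
    def __init__(self):
        self.clients = {}          # client_id -> Client
        self.sessions = set()      # ids of live user sessions

    def register(self, client: Client) -> None:
        self.clients[client.client_id] = client

    def login(self, client_id: str, ttl: float = 1800) -> RefreshToken:
        client = self.clients[client_id]
        if not client.enabled:               # scenario 1: rejected at login
            raise RefreshError("Login requester not enabled")
        session_id = f"session-{len(self.sessions) + 1}"
        self.sessions.add(session_id)
        return RefreshToken(client_id, session_id, time.time() + ttl)

    def refresh(self, token: RefreshToken, now: float = None) -> RefreshToken:
        now = time.time() if now is None else now
        client = self.clients.get(token.client_id)
        # The check the thread describes as missing: a client disabled after
        # login must not be able to obtain fresh tokens (scenario 2).
        if client is None or not client.enabled:
            raise RefreshError("Client disabled")
        if token.session_id not in self.sessions:
            raise RefreshError("Session no longer valid")
        if now >= token.expires_at:
            raise RefreshError("Refresh token expired")
        return RefreshToken(token.client_id, token.session_id, now + 1800)


def scenario_two() -> str:
    """Log in, then disable the client, then try to refresh; return the outcome."""
    endpoint = TokenEndpoint()
    endpoint.register(Client("saml-app"))           # constructed sample client
    token = endpoint.login("saml-app")
    endpoint.clients["saml-app"].enabled = False     # admin disables the client
    try:
        endpoint.refresh(token)
    except RefreshError as err:
        return str(err)
    return "refresh allowed"
```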