[keycloak-user] Offline tokens - how to revoke a single token?
Rivat Olivier
orivat at janua.fr
Wed Sep 11 05:24:37 EDT 2019
Best practice is to have one offline token per user per app.
In the realm settings, you can limit the number of refresh/offline tokens
(by default one, when this flag is activated).
It is also up to the user to manage/store the current token in use for
a specific app.
Like this, you only have a handful of refresh/offline tokens to deal
with (also one per device).
Regards,
Olivier
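As an added example (not code from this thread or from the Keycloak project), a small Python helper built around the per-user/per-client consent DELETE endpoint Przemek quotes below. Because the thread establishes that revocation is only possible per (user, client), the helper inspects a user's offline sessions for a client and, if any has gone idle for too long, revokes that whole consent. The base URL, realm, user id, client id, admin token and the sample session records are constructed placeholders; the offline-session fields (`id`, `ipAddress`, `lastAccess` in epoch milliseconds) are assumed to match Keycloak's UserSessionRepresentation.

```python
import urllib.request
from urllib.parse import quote

# Constructed sample of what the admin API returns for a user's offline
# sessions on one client (UserSessionRepresentation list); values are made up.
SAMPLE_SESSIONS = [
    {"id": "sess-aaaa", "ipAddress": "10.0.0.5", "start": 1568190000000,
     "lastAccess": 1568190000000, "clients": {"client-uuid-1": "mobile-app"}},
    {"id": "sess-bbbb", "ipAddress": "10.0.0.9", "start": 1560000000000,
     "lastAccess": 1560000000000, "clients": {"client-uuid-1": "mobile-app"}},
]


def consent_revoke_url(base_url, realm, user_id, client_id):
    """Build the consent DELETE URL from the thread.
    Each path segment is percent-encoded so ids with spaces or slashes stay safe."""
    return "{}/admin/realms/{}/users/{}/consents/{}".format(
        base_url.rstrip("/"), quote(realm, safe=""),
        quote(user_id, safe=""), quote(client_id, safe=""))


def stale_sessions(sessions, now_ms, max_idle_ms):
    """Return ids of offline sessions whose lastAccess is older than max_idle_ms."""
    return [s["id"] for s in sessions
            if now_ms - s.get("lastAccess", 0) > max_idle_ms]


def revoke_consent(base_url, realm, user_id, client_id, admin_token, dry_run=True):
    """Revoke every offline token this user holds for this client.
    There is no single-token revoke in the thread, so (user, client) is the unit."""
    url = consent_revoke_url(base_url, realm, user_id, client_id)
    if dry_run:
        return ("DELETE", url)
    req = urllib.request.Request(
        url, method="DELETE",
        headers={"Authorization": "Bearer " + admin_token})
    with urllib.request.urlopen(req) as resp:
        return ("DELETE", url, resp.status)


if __name__ == "__main__":
    now = 1568190600000  # constructed "now": ten minutes after sess-aaaa
    thirty_days = 30 * 24 * 3600 * 1000
    stale = stale_sessions(SAMPLE_SESSIONS, now, thirty_days)
    if stale:
        print("stale offline sessions:", stale)
        print(revoke_consent("http://localhost:5081/keycloak", "demo",
                             "user-123", "mobile-app", "ADMIN_TOKEN_PLACEHOLDER"))
```

Run with `dry_run=False` and a real admin bearer token to actually issue the DELETE; the dry run only prints the request that would be sent.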
On 11/09/2019 at 11:18, Przemek Bielicki wrote:
> That would make sense for me if we could only have one offline token
> per user per client.
> If Keycloak allows having multiple, why can't we revoke them one by one? I
> assume it's just a missing feature.
>
> Przemek
>
> On Wed, Sep 11, 2019 at 11:05 AM Rivat Olivier <orivat at janua.fr> wrote:
>
> Well, offline tokens are JWT tokens. So they always exist in the
> context of a user and application.
> Hence a token is always tied to this tuple (user/client) context.
>
> Revoking a single token implies deleting on a per-user basis.
>
> Regards,
>
> Olivier
>
>
> On 11/09/2019 at 11:00, Przemek Bielicki wrote:
>> Hi,
>>
>> afaik it's only possible to revoke all for a given user/client:
>> DELETE
>> http://localhost:5081/keycloak/admin/realms/{realm}/users/{userId}/consents/{client}
>>
>> I could not find a REST API to revoke single tokens. Does it exist?
>>
>> Cheers,
>> Przemek
>>
>> On Wed, Sep 11, 2019 at 10:29 AM Rivat Olivier <orivat at janua.fr> wrote:
>>
>> Hi,
>>
>> Have a look at the following blog. With the admin UI or self-service
>> you can easily revoke offline sessions.
>> http://www.janua.fr/offline-sessions-and-offline-tokens-within-keycloak/
>>
>> You should also be able to do it with the REST API, but I haven't
>> had time to describe it.
>>
>> Regards,
>> Olivier Rivat
>>
>>
>> On 11/09/2019 at 10:19, Przemek Bielicki wrote:
>> > Hi,
>> >
>> > is it possible to revoke a single offline token? How?
>> > If not, do you consider adding such a feature?
>> > If not, why? Is there any specific reason why it's not possible to revoke
>> > offline tokens one by one?
>> >
>> > Thanks,
>> > Przemek Bielicki
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user