[keycloak-user] Offline tokens - how to revoke a single token?

Rivat Olivier orivat at janua.fr
Wed Sep 11 05:24:37 EDT 2019


Best practice is to have one offline token per user per app.
In the realm settings, you can limit the number of refresh/offline tokens 
(by default one, when this flag is activated).

It is also up to the user to manage/store the current token in use for 
a specific app.

Like this, you only have a handful of refresh/offline tokens to deal 
with (also one per device).

Regards,

Olivier



On 11/09/2019 at 11:18, Przemek Bielicki wrote:
> That would make sense for me if we could only have one offline token 
> per user per client.
> If Keycloak allows to have multiple, why can't we revoke one by one? I 
> assume it's just a missing feature.
>
> Przemek
>
> On Wed, Sep 11, 2019 at 11:05 AM Rivat Olivier <orivat at janua.fr> wrote:
>
>     Well, offline tokens are JWT tokens. So they always exist in the
>     context of a user and application.
>     Hence a token is always tied to this (user/client) tuple context.
>
>     Revoking a single token implies deleting on a per-user basis.
>
>     Regards,
>
>     Olivier
>
>
>     On 11/09/2019 at 11:00, Przemek Bielicki wrote:
>>     Hi,
>>
>>     afaik it's only possible to revoke all for a given user / client:
>>     DELETE
>>     http://localhost:5081/keycloak/admin/realms/{realm}/users/{userId}/consents/{client}
>>
>>     I could not find a REST API to revoke single tokens. Does it exist?
>>
>>     Cheers,
>>     Przemek
>>
>>     On Wed, Sep 11, 2019 at 10:29 AM Rivat Olivier <orivat at janua.fr> wrote:
>>
>>         Hi,
>>
>>         Have a look at the following blog. With the admin UI or
>>         self-service you can easily revoke offline sessions.
>>         http://www.janua.fr/offline-sessions-and-offline-tokens-within-keycloak/
>>
>>         You should also be able to do it with the REST API, but I haven't
>>         had time to describe it.
>>
>>         Regards,
>>         Olivier Rivat
>>
>>
>>         On 11/09/2019 at 10:19, Przemek Bielicki wrote:
>>         > Hi,
>>         >
>>         > is it possible to revoke single offline token? How?
>>         > If not, do you consider adding such feature?
>>         > If not, why? Is there any specific reason why it's not
>>         > possible to revoke offline tokens one by one?
>>         >
>>         > Thanks,
>>         > Przemek Bielicki
>>         > _______________________________________________
>>         > keycloak-user mailing list
>>         > keycloak-user at lists.jboss.org
>>         > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>


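The admin REST call the thread settles on (DELETE on the user's consent for a client, which drops that user/client pair's consent together with every offline token it holds), written out as a small Python client. This is an added example, not code from the thread, from janua.fr or from the Keycloak project. It assumes a Keycloak of that era served under http://localhost:8080/auth, an admin user in the master realm, and the admin-cli password grant for the login; the realm, user id and client ids are made up, and the `demo_transport` at the bottom is a constructed stand-in for the server so the flow can be run offline (swap in `urllib_transport` to talk to a real instance).

```python
"""Revoke a user's offline tokens for one client through the Keycloak admin REST API.

Added example, not code from the thread or from the Keycloak project.
Assumptions (not in the original): Keycloak served under http://localhost:8080/auth,
an admin user in the master realm, and the admin-cli password grant for the login.
Endpoints used:
  POST   /realms/master/protocol/openid-connect/token          admin login
  GET    /admin/realms/{realm}/users/{userId}/consents          list granted consents
  DELETE /admin/realms/{realm}/users/{userId}/consents/{client} revoke consent and
         every offline token of that user/client pair (there is no per-token call)
"""
import json
import urllib.error
import urllib.parse
import urllib.request


def urllib_transport(method, url, headers, body):
    """Real HTTP transport; returns (status, response bytes) and never raises on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class KeycloakAdmin:
    """Minimal admin client; `transport` is injectable so the flow can run offline."""

    def __init__(self, base_url, transport=urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.token = None

    def login(self, username, password, realm="master"):
        url = f"{self.base_url}/realms/{realm}/protocol/openid-connect/token"
        body = urllib.parse.urlencode({
            "grant_type": "password", "client_id": "admin-cli",
            "username": username, "password": password,
        }).encode()
        status, data = self.transport(
            "POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, body)
        if status != 200:
            raise RuntimeError(f"admin login failed: HTTP {status}")
        self.token = json.loads(data)["access_token"]
        return self.token

    def _auth(self):
        if not self.token:
            raise RuntimeError("call login() first")
        return {"Authorization": f"Bearer {self.token}", "Accept": "application/json"}

    def list_consents(self, realm, user_id):
        """Consents the user has granted; each entry carries the clientId it belongs to."""
        url = f"{self.base_url}/admin/realms/{realm}/users/{user_id}/consents"
        status, data = self.transport("GET", url, self._auth(), None)
        if status != 200:
            raise RuntimeError(f"listing consents failed: HTTP {status}")
        return json.loads(data)

    def revoke_client_consent(self, realm, user_id, client_id):
        """DELETE the user/client consent. True if revoked (204), False if Keycloak
        had nothing for that pair (404); any other status is an error."""
        url = (f"{self.base_url}/admin/realms/{realm}/users/{user_id}/consents/"
               f"{urllib.parse.quote(client_id, safe='')}")
        status, data = self.transport("DELETE", url, self._auth(), None)
        if status == 204:
            return True
        if status == 404:
            return False
        raise RuntimeError(f"revoke failed: HTTP {status} {data[:200]!r}")


def revoke_offline_tokens(admin, realm, user_id, client_id):
    """Whole flow: confirm the consent exists, then revoke it. Returns True if a
    consent (and its offline tokens) was removed, False if the user had none."""
    present = any(c.get("clientId") == client_id
                  for c in admin.list_consents(realm, user_id))
    if not present:
        return False
    return admin.revoke_client_consent(realm, user_id, client_id)


# Constructed stand-in for the server so the example runs offline. Not Keycloak.
DEMO_CALLS = []


def demo_transport(method, url, headers, body):
    DEMO_CALLS.append((method, url, headers.get("Authorization")))
    if method == "POST" and url.endswith("/protocol/openid-connect/token"):
        return 200, b'{"access_token": "demo-admin-token"}'
    if method == "GET" and url.endswith("/consents"):
        return 200, b'[{"clientId": "mobile-app", "grantedClientScopes": ["offline_access"]}]'
    if method == "DELETE":
        if url.endswith("/consents/mobile-app"):
            return 204, b""
        return 404, b'{"error": "Consent nor offline token not found"}'
    return 500, b""


if __name__ == "__main__":
    kc = KeycloakAdmin("http://localhost:8080/auth", transport=demo_transport)
    kc.login("admin", "admin")
    print(revoke_offline_tokens(kc, "demo", "user-uuid", "mobile-app"))
    print(revoke_offline_tokens(kc, "demo", "user-uuid", "web-app"))
```

The granularity is deliberate on Keycloak's side: the DELETE removes the consent entry keyed by (user, client), so if several offline tokens were issued to that pair (several devices, several installs) they all go at once. The realm setting Olivier mentions (limiting refresh-token reuse) is what keeps that blast radius small in practice.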