[keycloak-user] Offline tokens - how to revoke a single token?

Przemek Bielicki przemek at gradle.com
Wed Sep 11 06:40:38 EDT 2019


> In the realm setting, you can limit the number of refresh/offline tokens
> (by default one, when this flag is activated)
[image: image.png]
I think you're referring to this setting?

In fact it's not limiting the number of offline tokens but the number of times it
can be used (refreshed) to obtain an access token.

With this setting enabled I'm still able to generate a gazillion offline
tokens, but then our app should be able to limit this gracefully:
[image: image.png]

We just need to make sure we don't create more than one offline token on
Keycloak side, then. It's a pity there is no way Keycloak can limit this.

Cheers,
Przemek

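The app-side limit Przemek describes, as an added example that is not part of the thread or of Keycloak: a hypothetical registry that holds at most one offline token per (user, client) and revokes the consent through the DELETE endpoint quoted later in this thread before accepting a replacement. The class and method names, the injected HTTP callable and the sample base URL are assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Endpoint pattern quoted in the thread. It revokes ALL offline tokens of that
# user/client pair, which is why the app must never hold more than one.
CONSENT_URL = "{base}/admin/realms/{realm}/users/{user_id}/consents/{client}"


@dataclass
class OfflineTokenGuard:
    """Hypothetical app-side registry: one offline token per (user, client)."""
    base_url: str
    realm: str
    http_delete: Callable[[str], int]  # injected DELETE call, returns HTTP status
    _held: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def consent_url(self, user_id: str, client: str) -> str:
        return CONSENT_URL.format(base=self.base_url, realm=self.realm,
                                  user_id=user_id, client=client)

    def register(self, user_id: str, client: str, offline_token: str) -> bool:
        """Record a freshly issued offline token. If one is already held for
        this user/client, revoke the consent first so Keycloak never has two
        live offline tokens for the pair. Returns True if an old one was revoked."""
        key = (user_id, client)
        revoked = False
        if key in self._held:
            self._call_delete(user_id, client)
            revoked = True
        # Keep only a digest: the raw offline token is a bearer credential.
        self._held[key] = hashlib.sha256(offline_token.encode()).hexdigest()
        return revoked

    def revoke(self, user_id: str, client: str) -> bool:
        """Explicit revocation; returns False when nothing was held."""
        if (user_id, client) not in self._held:
            return False
        self._call_delete(user_id, client)
        del self._held[(user_id, client)]
        return True

    def holds(self, user_id: str, client: str, offline_token: str) -> bool:
        digest = hashlib.sha256(offline_token.encode()).hexdigest()
        return self._held.get((user_id, client)) == digest

    def _call_delete(self, user_id: str, client: str) -> None:
        status = self.http_delete(self.consent_url(user_id, client))
        if status not in (204, 404):  # 404: consent was already gone
            raise RuntimeError(f"consent revocation failed: HTTP {status}")
```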

On Wed, Sep 11, 2019 at 11:24 AM Rivat Olivier <orivat at janua.fr> wrote:

>
> Best practice is to have an offline token per user per app.
> In the realm setting, you can limit the number of refresh/offline tokens
> (by default one, when this flag is activated)
>
> It is also up to the user to manage/store the current token in user for a
> specific app.
>
> Like this, you only have a handful of refresh/offline tokens to deal with
> (also one per device).
>
> Regards,
>
> Olivier
>
>
>
> Le 11/09/2019 à 11:18, Przemek Bielicki a écrit :
>
> That would make sense for me if we could only have one offline token per
> user per client.
> If Keycloak allows to have multiple, why can't we revoke one by one? I
> assume it's just a missing feature.
>
> Przemek
>
> On Wed, Sep 11, 2019 at 11:05 AM Rivat Olivier <orivat at janua.fr> wrote:
>
>> Well, offline tokens are JWT tokens. So they always exist in the context
>> of a user and application.
>> Hence a token is always tied to this tuple (user/client) context.
>>
>> Revoking a single token implies deleting on a per-user basis.
>>
>> Regards,
>>
>> Olivier
>>
>>
>> Le 11/09/2019 à 11:00, Przemek Bielicki a écrit :
>>
>> Hi,
>>
>> afaik it's only possible to revoke all for given user / client: DELETE
>> http://localhost:5081/keycloak/admin/realms/{realm}/users/{userId}/consents/{client}
>>
>> I could not find a REST API to revoke single tokens. Does it exist?
>>
>> Cheers,
>> Przemek
>>
>> On Wed, Sep 11, 2019 at 10:29 AM Rivat Olivier <orivat at janua.fr> wrote:
>>
>>> Hi,
>>>
>>> Have a look at the following blog. With the admin UI or self-service
>>> you can easily revoke offline sessions.
>>> http://www.janua.fr/offline-sessions-and-offline-tokens-within-keycloak/
>>>
>>> You should also be able to do it with REST API, but I haven't had time
>>> to describe it.
>>>
>>> Regards,
>>> Olivier Rivat
>>>
>>>
>>> Le 11/09/2019 à 10:19, Przemek Bielicki a écrit :
>>> > Hi,
>>> >
>>> > is it possible to revoke a single offline token? How?
>>> > If not, do you consider adding such a feature?
>>> > If not, why? Is there any specific reason why it's not possible to
>>> > revoke offline tokens one by one?
>>> >
>>> > Thanks,
>>> > Przemek Bielicki
>>> > _______________________________________________
>>> > keycloak-user mailing list
>>> > keycloak-user at lists.jboss.org
>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>