[keycloak-user] Offline tokens - how to revoke a single token?

Rivat Olivier orivat at janua.fr
Wed Sep 11 09:02:19 EDT 2019


Hi,

The command to revoke tokens is


        Revoke consent and offline tokens for particular client from user

DELETE /{realm}/users/{id}/consents/{client}


The main point to bear in mind is the control of offline sessions.
This can be achieved with an offline access token.
Normally, you should be able to use it once to acquire a further
offline session.

Also, most important is that the offline session gets revoked from the 
user (for example, in case his mobile phone is stolen)
(there is a screenshot of how to do it in my blog mentioned previously).

At this stage, any further discussion is really application context 
specific, and would require a much more in-depth analysis of your project.

Regards,

Olivier Rivat


On 11/09/2019 at 12:40, Przemek Bielicki wrote:
> > In the realm setting, you can limit the number of refresh/offline 
> > tokens (by default one, when this flag is activated)
> [inline image: image.png]
> I think you're referring to this setting?
>
> In fact it's not limiting the number of offline tokens but the number 
> of times it can be used (refreshed) to obtain an access token.
>
> With this setting enabled I'm still able to generate a gazillion 
> offline tokens, but then our app should be able to limit this gracefully:
> [inline image: image.png]
>
> We just need to make sure we don't create more than one offline token 
> on the Keycloak side, then. It's a pity there is no way Keycloak can 
> limit this.
>
> Cheers,
> Przemek
>
>
> On Wed, Sep 11, 2019 at 11:24 AM Rivat Olivier <orivat at janua.fr 
> <mailto:orivat at janua.fr>> wrote:
>
>
>     Best practice is to have one offline token per user per app.
>     In the realm setting, you can limit the number of refresh/offline
>     tokens (by default one, when this flag is activated)
>
>     It is also up to the user to manage/store the current token in
>     use for a specific app.
>
>     Like this, you only have a handful of refresh/offline tokens to
>     deal with (also one per device).
>
>     Regards,
>
>     Olivier
>
>
>
>     On 11/09/2019 at 11:18, Przemek Bielicki wrote:
>>     That would make sense for me if we could only have one offline
>>     token per user per client.
>>     If Keycloak allows having multiple, why can't we revoke them one by
>>     one? I assume it's just a missing feature.
>>
>>     Przemek
>>
>>     On Wed, Sep 11, 2019 at 11:05 AM Rivat Olivier <orivat at janua.fr
>>     <mailto:orivat at janua.fr>> wrote:
>>
>>         Well, offline tokens are JWT tokens. So they always exist in
>>         the context of a user and application.
>>         Hence a token is always tied to this (user/client) tuple context.
>>
>>         Revoking a single token implies deleting on a per-user basis.
>>
>>         Regards,
>>
>>         Olivier
>>
>>
>>         On 11/09/2019 at 11:00, Przemek Bielicki wrote:
>>>         Hi,
>>>
>>>         AFAIK it's only possible to revoke all for a given user /
>>>         client: DELETE
>>>         http://localhost:5081/keycloak/admin/realms/{realm}/users/{userId}/consents/{client}
>>>
>>>         I could not find a REST API to revoke single tokens. Does it
>>>         exist?
>>>
>>>         Cheers,
>>>         Przemek
>>>
>>>         On Wed, Sep 11, 2019 at 10:29 AM Rivat Olivier
>>>         <orivat at janua.fr <mailto:orivat at janua.fr>> wrote:
>>>
>>>             Hi,
>>>
>>>             Have a look at the following blog. With the admin UI or
>>>             self-service
>>>             you can easily revoke offline sessions.
>>>             http://www.janua.fr/offline-sessions-and-offline-tokens-within-keycloak/
>>>
>>>             You should also be able to do it with the REST API, but I
>>>             haven't had time
>>>             to describe it.
>>>
>>>             Regards,
>>>             Olivier Rivat
>>>
>>>
>>>             On 11/09/2019 at 10:19, Przemek Bielicki wrote:
>>>             > Hi,
>>>             >
>>>             > is it possible to revoke a single offline token? How?
>>>             > If not, do you consider adding such a feature?
>>>             > If not, why? Is there any specific reason why it's not
>>>             possible to revoke
>>>             > offline tokens one by one?
>>>             >
>>>             > Thanks,
>>>             > Przemek Bielicki
>>>             > _______________________________________________
>>>             > keycloak-user mailing list
>>>             > keycloak-user at lists.jboss.org
>>>             <mailto:keycloak-user at lists.jboss.org>
>>>             > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
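
Worked example (added by the editor; it is not part of the thread and not code from the Keycloak project): a small Python script that does over the Admin REST API what the thread describes by hand. It logs in with the built-in admin-cli client, resolves the user and the client, lists the user's offline sessions for that client (GET .../users/{id}/offline-sessions/{clientUuid}), then issues the DELETE .../users/{id}/consents/{client} call quoted above, which removes the consent together with every offline token for that user/client pair; a 404 on the DELETE means there was nothing to revoke. It also flips the realm setting the thread discusses (revokeRefreshToken with refreshTokenMaxReuse), which limits how often one refresh/offline token may be reused, not how many are issued. The base URL (with /auth for Keycloak versions before 17), the realm, user and client names, and the admin credentials are assumed placeholders. The opener argument is urllib.request.urlopen in real use; it is passed in so the calls can be exercised against a stand-in server.

```python
import json
import urllib.parse
import urllib.request
from urllib.error import HTTPError

def _call(opener, method, url, token=None, body=None, content_type="application/json"):
    """One HTTP call; returns (status, parsed JSON or None). 4xx/5xx are returned, not raised."""
    headers = {"Accept": "application/json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    data = None
    if body is not None:
        headers["Content-Type"] = content_type
        data = body if isinstance(body, bytes) else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        resp = opener(req)  # urllib.request.urlopen in production; any request-shaped callable in tests
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)
    except HTTPError as err:
        return err.code, None

def admin_url(base, realm, path):
    """base is e.g. https://kc.example.com/auth (Keycloak < 17) or https://kc.example.com (Quarkus)."""
    return f"{base.rstrip('/')}/admin/realms/{urllib.parse.quote(realm, safe='')}/{path}".rstrip("/")

def get_admin_token(opener, base, admin_user, admin_password, admin_realm="master"):
    """Password grant with the built-in admin-cli client of the admin realm (assumed placeholders)."""
    url = f"{base.rstrip('/')}/realms/{admin_realm}/protocol/openid-connect/token"
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": admin_user, "password": admin_password}).encode()
    status, body = _call(opener, "POST", url, body=form, content_type="application/x-www-form-urlencoded")
    if status != 200 or not body or "access_token" not in body:
        raise RuntimeError(f"admin login failed: HTTP {status}")
    return body["access_token"]

def find_user_id(opener, base, realm, token, username):
    """The users search is a substring match, so insist on exactly one exact hit."""
    query = "users?" + urllib.parse.urlencode({"username": username})
    status, users = _call(opener, "GET", admin_url(base, realm, query), token)
    hits = [u["id"] for u in (users or []) if u.get("username", "").lower() == username.lower()]
    if status != 200 or len(hits) != 1:
        raise LookupError(f"expected one user named {username!r}, found {len(hits)} (HTTP {status})")
    return hits[0]

def find_client_uuid(opener, base, realm, token, client_id):
    """consents/{client} takes the clientId string; offline-sessions/{clientUuid} wants the UUID."""
    query = "clients?" + urllib.parse.urlencode({"clientId": client_id})
    status, clients = _call(opener, "GET", admin_url(base, realm, query), token)
    hits = [c["id"] for c in (clients or []) if c.get("clientId") == client_id]
    if status != 200 or len(hits) != 1:
        raise LookupError(f"client {client_id!r} not found (HTTP {status})")
    return hits[0]

def list_offline_sessions(opener, base, realm, token, user_id, client_uuid):
    """GET /{realm}/users/{id}/offline-sessions/{clientUuid}: the sessions behind the offline tokens."""
    path = f"users/{user_id}/offline-sessions/{client_uuid}"
    status, sessions = _call(opener, "GET", admin_url(base, realm, path), token)
    if status != 200:
        raise RuntimeError(f"offline-sessions lookup failed: HTTP {status}")
    return sessions or []

def revoke_client_consent(opener, base, realm, token, user_id, client_id):
    """DELETE /{realm}/users/{id}/consents/{client}: drops the consent and every offline token
    the user holds for that client at once; there is no per-token variant of this call."""
    path = f"users/{user_id}/consents/{urllib.parse.quote(client_id, safe='')}"
    status, _ = _call(opener, "DELETE", admin_url(base, realm, path), token)
    if status == 204:
        return True
    if status == 404:
        return False  # nothing on record for this user/client pair
    raise RuntimeError(f"revoke failed: HTTP {status}")

def set_refresh_token_reuse(opener, base, realm, token, max_reuse=0):
    """Realm setting from the thread: with revokeRefreshToken on, a refresh/offline token stops
    working after max_reuse extra uses (0 = single use). It bounds reuse, not how many are issued."""
    url = admin_url(base, realm, "")
    status, rep = _call(opener, "GET", url, token)
    if status != 200:
        raise RuntimeError(f"realm lookup failed: HTTP {status}")
    rep["revokeRefreshToken"], rep["refreshTokenMaxReuse"] = True, max_reuse
    status, _ = _call(opener, "PUT", url, token, body=rep)
    if status != 204:
        raise RuntimeError(f"realm update failed: HTTP {status}")
    return {"revokeRefreshToken": True, "refreshTokenMaxReuse": max_reuse}

def revoke_offline_tokens(opener, base, realm, admin_user, admin_password, username, client_id):
    """Count the user's offline sessions for the client, revoke them all, and recount."""
    token = get_admin_token(opener, base, admin_user, admin_password)
    user_id = find_user_id(opener, base, realm, token, username)
    client_uuid = find_client_uuid(opener, base, realm, token, client_id)
    before = list_offline_sessions(opener, base, realm, token, user_id, client_uuid)
    revoked = revoke_client_consent(opener, base, realm, token, user_id, client_id)
    after = list_offline_sessions(opener, base, realm, token, user_id, client_uuid)
    return {"sessions_before": len(before), "revoked": revoked, "sessions_after": len(after)}
```

Against a live server you would call revoke_offline_tokens(urllib.request.urlopen, "https://keycloak.example.com/auth", "myrealm", "admin", "secret", "alice", "mobile-app") and expect sessions_after to be 0. Two details are easy to get wrong: consents/{client} is addressed by the clientId string while offline-sessions/{clientUuid} needs the client's internal UUID, so both lookups are required; and the users search is not an exact match, so the script refuses to act unless exactly one username matches, since a revocation aimed at the wrong account is worse than no revocation.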
