<div dir="ltr">Hi Marek,<div><br></div><div>We can't have the access token so short-lived because users can log in, do operations, and stay logged in for some time.<div><br></div><div>What we are relying on is that once the logout URL is called using the refresh token ID, the user, when trying to access a web service using the token, should not be allowed to, as the logout service has been called.</div><div><br></div><div>But the user can get the data using the old token. Any suggestion on how to stop this behaviour?</div><div><br></div><div>Regards,</div><div>Satya.</div><div><br></div><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 24, 2016 at 4:39 PM, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class="">
<div>On 24/02/16 10:58, Satyajit Das wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi Team, we are facing the below issue with logout.
<div><br>
</div>
<div>I use the login/logout RESTful service:</div>
<div><br>
</div>
<div>After login</div>
<div>I get a token ID, say "t1", and a refresh token ID, say "rt1".<br>
<div><br>
</div>
<div>1) We have registered a web service as a Keycloak client
(for example demo123) with access type bearer.</div>
<div>2) When I call the logout REST service:</div>
<div><br>
</div>
<div><pre>// A public client identifies itself with client_id only; this is the branch we use for demo123
if (isPublic()) { // if client is public access type
    formparams.add(new BasicNameValuePair(OAuth2Constants.CLIENT_ID, "demo123"));
}

// Resolve the realm's logout endpoint: auth server base URL + TOKEN_SERVICE_LOGOUT_PATH,
// with the {realm} template filled in by build("RealmName")
URI logoutUri = KeycloakUriBuilder.fromUri(getBaseUrl(request) + "/auth")
        .path(ServiceUrlConstants.TOKEN_SERVICE_LOGOUT_PATH)
        .build("RealmName");</pre></div>
<div><br>
</div>
<div>The logout gives 204 when the client's access type is open.</div>
<div><br>
</div>
<div>But when I hit the service again with the token ID "t1"
after logout,</div>
</div>
<div>I can still get the response. <b>Note this response doesn't
hit Keycloak</b>.</div>
</div>
</blockquote></span>
Yes, it works this way, and that's why we suggest using short
lifetimes for the access token (1 minute). This means that the access token
needs to be refreshed every minute, and the request for refreshing the
token actually needs to hit the Keycloak server (in your case, the refresh
won't succeed because you already did logout).<br>
<br>
Marek<br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>Regards,</div>
<div>Satya</div>
</div>
<br>
<br>
<pre>_______________________________________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
</blockquote></div><br></div>
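<p>The behaviour Marek describes, replayed in code. This is an added simulation, not Keycloak's own code or anything posted in the thread: a bearer-only web service validates the access token offline (signature and <code>exp</code> only, which is why the request never hits Keycloak), while the logout and refresh endpoints are the only calls that consult server-side session state. Keycloak signs tokens with the realm's RSA key; the HMAC signing key, the session bookkeeping and the usernames below are constructed stand-ins, and the <code>scenario()</code> helper is hypothetical. The last field it returns is the point of the thread: after logout, t1 stays usable for whatever was left of its lifespan, so a 1 minute access token bounds that window to under a minute, while a long-lived one does not.</p>

```python
import base64
import hashlib
import hmac
import json

# Constructed for the simulation. Keycloak really signs tokens with the realm's RSA key
# and adapters verify against the realm public key; HMAC with a shared key is a stand-in.
SIGNING_KEY = b"simulation-only-signing-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict) -> str:
    """Mint a compact JWT (header.payload.signature) over the given claims."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify(token: str, now: float):
    """Stateless check: signature and exp only. Returns the claims or None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
    except ValueError:  # malformed base64/JSON or wrong number of segments
        return None
    return claims if claims.get("exp", 0) > now else None


class AuthServer:
    """Stand-in for the Keycloak realm: issues token pairs and tracks user sessions."""

    def __init__(self, access_lifespan: int, session_idle: int = 1800):
        self.access_lifespan = access_lifespan
        self.session_idle = session_idle
        self.sessions = {}  # session id -> user; logout removes the entry

    def _issue(self, user: str, sid: str, now: float):
        access = sign({"typ": "Bearer", "sub": user, "sid": sid,
                       "exp": int(now + self.access_lifespan)})
        refresh = sign({"typ": "Refresh", "sub": user, "sid": sid,
                        "exp": int(now + self.session_idle)})
        return access, refresh

    def login(self, user: str, now: float):
        sid = f"session-{len(self.sessions) + 1}"
        self.sessions[sid] = user
        return self._issue(user, sid, now)

    def refresh(self, refresh_token: str, now: float):
        """Refresh grant: the one call that consults server-side session state."""
        claims = verify(refresh_token, now)
        if claims is None or claims.get("typ") != "Refresh" or claims.get("sid") not in self.sessions:
            return None  # the session is gone after logout, so refresh fails
        return self._issue(claims["sub"], claims["sid"], now)

    def logout(self, refresh_token: str, now: float) -> bool:
        """Logout endpoint: ends the session; already-issued access tokens are untouched."""
        claims = verify(refresh_token, now)
        if claims is None or claims.get("sid") not in self.sessions:
            return False
        del self.sessions[claims["sid"]]
        return True


def bearer_only_service(access_token: str, now: float) -> int:
    """The demo123-style web service: validates offline, never calls the auth server."""
    claims = verify(access_token, now)
    return 200 if claims and claims.get("typ") == "Bearer" else 401


def scenario(access_lifespan: int, logout_at: float = 10.0) -> dict:
    """Replay the thread: login, logout with rt1, then keep using t1 (hypothetical helper)."""
    auth = AuthServer(access_lifespan)
    t0 = 1_000_000.0
    t1, rt1 = auth.login("satya", t0)
    out = {"before_logout": bearer_only_service(t1, t0 + 5)}
    out["logout_ok"] = auth.logout(rt1, t0 + logout_at)
    out["old_token_after_logout"] = bearer_only_service(t1, t0 + logout_at + 5)
    out["refresh_after_logout"] = auth.refresh(rt1, t0 + logout_at + 5)
    out["old_token_after_expiry"] = bearer_only_service(t1, t0 + access_lifespan)
    # Worst-case time a token stays usable after logout: whatever lifespan was left.
    out["max_exposure_seconds"] = max(0, access_lifespan - logout_at)
    return out
```

<p>Running <code>scenario(60)</code> reproduces the thread exactly: the old token is still accepted after the 204 from logout, the refresh with rt1 is refused, and the token is only rejected once <code>exp</code> passes. Comparing <code>scenario(60)</code> with <code>scenario(3600)</code> shows what the 1 minute recommendation buys: the revoked-but-valid window shrinks from 3590 seconds to 50.</p>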