<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 24/02/16 12:45, Satyajit Das wrote:<br>
    </div>
    <blockquote
cite="mid:CA+oCsRr=hY6KDJntNxOy0W8mFPMQGJdHVcCGsDVeyv8taxnaJQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">Hi Marek,
        <div><br>
        </div>
        <div>We can't have the access token so short-lived, because users
          log in, do operations, and can stay logged in for some time.</div>
      </div>
    </blockquote>
    In that case, you can refresh tokens after some period. Basically,
    before you send a request to the REST service, you check whether
    your accessToken is still valid (you can parse it and see the
    expiration time). If it is outdated, you send a request to Keycloak
    to refresh the access token. That's how our adapters work. If you use
    the adapter, you can stay logged in to the application for a long
    time even if the accessToken lifespan is just 1 minute.<br>
    <br>
    If you really can't rely on a short access token, there is the
    possibility that your REST service always sends a request to Keycloak
    to double-check whether the access token is still valid. We have
    support for token introspection ( <a class="moz-txt-link-freetext" href="https://tools.ietf.org/html/rfc7662">https://tools.ietf.org/html/rfc7662</a> ). The
    endpoint should be under
    <a class="moz-txt-link-freetext" href="http://localhost:8080/auth/realms/YourREALMName/protocol/openid-connect/token/introspect">http://localhost:8080/auth/realms/YourREALMName/protocol/openid-connect/token/introspect</a>
    . Note that this has a performance impact, as the REST service will
    always need to contact Keycloak to double-check the token.<br>
    <br>
    Marek<br>
    <blockquote
cite="mid:CA+oCsRr=hY6KDJntNxOy0W8mFPMQGJdHVcCGsDVeyv8taxnaJQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div><br>
          </div>
          <div>What we are relying on is that once the logout URL has been
            called using the refresh token id, a user who then tries to
            access a webservice using the token should not be allowed to,
            as the logout service has been called. </div>
          <div><br>
          </div>
          <div>But the user can still get the data using the old token. Any
            suggestion how to stop this behaviour?</div>
          <div><br>
          </div>
          <div>Regards,</div>
          <div>Satya.</div>
          <div><br>
          </div>
          <div><br>
          </div>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Wed, Feb 24, 2016 at 4:39 PM, Marek
          Posolda <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000"><span class="">
                <div>On 24/02/16 10:58, Satyajit Das wrote:<br>
                </div>
                <blockquote type="cite">
                  <div dir="ltr">Hi Team, we are facing the below issue
                    with logout.
                    <div><br>
                    </div>
                    <div>I use the login/logout RESTful service:</div>
                    <div><br>
                    </div>
                    <div>After login</div>
                    <div>I get a token id, say "t1", and a refresh token id, say
                      "rt1"<br>
                      <div><br>
                      </div>
                      <div>1) We have registered a webservice as a
                        keycloak client (example demo123) with access
                        type as bearer.</div>
                      <div>2) When I call the logout rest service:</div>
                      <div><br>
                      </div>
                      <pre>if (isPublic()) { // if client is public access type
    formparams.add(new BasicNameValuePair(OAuth2Constants.CLIENT_ID, "demo123"));
}

URI logoutUri = KeycloakUriBuilder.fromUri(getBaseUrl(request) + "/auth")
    .path(ServiceUrlConstants.TOKEN_SERVICE_LOGOUT_PATH)
    .build("RealmName");</pre>
                      <div><br>
                      </div>
                      <div>The logout gives 204 for a client whose access type
                        is open.</div>
                      <div><br>
                      </div>
                      <div>But when I again hit the service with the
                        token id "t1" after logout,</div>
                    </div>
                    <div>I can still get the response. <b>Note this
                        response doesn't hit Keycloak</b>.</div>
                  </div>
                </blockquote>
              </span> Yes, it works this way, and that's why we suggest
              using short lifetimes for the accessToken (1 minute). This
              means that the access token needs to be refreshed every
              minute, and the request for refreshing the token actually
              needs to hit the Keycloak server (in your case, the refresh
              won't succeed because you already did logout).<br>
              <br>
              Marek<br>
              <blockquote type="cite">
                <div dir="ltr">
                  <div><br>
                  </div>
                  <div>Regards,</div>
                  <div>Satya</div>
                </div>
                <br>
                <fieldset></fieldset>
                <br>
                <pre>_______________________________________________
keycloak-user mailing list
<a moz-do-not-send="true" href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
              </blockquote>
              <br>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
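    <p>Added example (not from this thread and not Keycloak's own adapter code): a Python sketch of the two options Marek describes. The client side parses the access token's exp claim locally and only calls the token endpoint with the refresh token when the token is about to expire, which is the point at which a logged-out session is noticed; the resource-server side calls the RFC 7662 introspection endpoint on every request instead. The realm name is the placeholder from the message, "demo123" is the client id from Satya's code, and the client secret, the 30 second leeway, the constructed sample tokens, and the injectable <code>post</code> callable (used so the logic can be exercised offline) are assumptions of this example.</p>

```python
import base64
import json
import time
from typing import Callable, Optional
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Endpoints as given in the thread; the realm name is a placeholder.
BASE = "http://localhost:8080/auth/realms/YourREALMName/protocol/openid-connect"
TOKEN_URL = BASE + "/token"                  # refresh_token grant
INTROSPECT_URL = BASE + "/token/introspect"  # RFC 7662 introspection
FORM = {"Content-Type": "application/x-www-form-urlencoded"}

# post(url, body, headers) -> response bytes; injectable for offline tests.
Poster = Callable[[str, bytes, dict], bytes]


def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)  # JWT segments drop the '=' padding
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def jwt_claims(token: str) -> dict:
    """Payload claims of a compact JWT, read WITHOUT verifying the signature.
    Enough for the client to decide when to refresh; the resource server must
    still verify the signature (as the adapter does) or introspect (below)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def is_expired(token: str, now: Optional[float] = None, leeway: int = 30) -> bool:
    """True when exp is missing or lies within `leeway` seconds of now (assumed leeway)."""
    now = time.time() if now is None else now
    exp = jwt_claims(token).get("exp")
    return exp is None or now + leeway >= exp


def make_constructed_token(claims: dict) -> str:
    """CONSTRUCTED sample token: JWT shape with a dummy signature, only so the
    expiry logic can be exercised offline. Real Keycloak tokens are signed."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.signature-placeholder"


def _http_post(url: str, data: bytes, headers: dict) -> bytes:
    """Default poster. Keycloak answers a refused refresh with a 4xx and an
    OAuth error JSON body, so the error body is returned rather than raised."""
    req = Request(url, data=data, headers=headers, method="POST")
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.read()
    except HTTPError as err:
        return err.read()


def refresh_if_needed(access_token: str, refresh_token: str, client_id: str,
                      client_secret: str, post: Poster = _http_post,
                      now: Optional[float] = None) -> Optional[str]:
    """Client side, before each REST call: keep the token while it is valid,
    otherwise trade the refresh token for a new one at the token endpoint.
    Returns the access token to use, or None if Keycloak refused (e.g. after
    logout, where the session is gone and the refresh grant fails)."""
    if not is_expired(access_token, now=now):
        return access_token
    form = urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token,
                      "client_id": client_id, "client_secret": client_secret}).encode()
    body = json.loads(post(TOKEN_URL, form, FORM))
    return body.get("access_token")  # absent on an error response


def is_active(access_token: str, client_id: str, client_secret: str,
              post: Poster = _http_post) -> bool:
    """Resource-server side: ask Keycloak whether the token is still active.
    Notices a logout inside the token lifetime, at the cost of one round-trip
    per request. Client credentials are sent as form fields (assumed
    confidential client)."""
    form = urlencode({"token": access_token, "client_id": client_id,
                      "client_secret": client_secret}).encode()
    body = json.loads(post(INTROSPECT_URL, form, FORM))
    return bool(body.get("active", False))
```

    <p>The two functions map onto the trade-off in the message: <code>refresh_if_needed</code> costs a round-trip only once per token lifespan, so a logout is noticed at most one lifespan later, while <code>is_active</code> costs a round-trip on every request but catches the logout immediately.</p>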
    <br>
  </body>
</html>