<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">What logout url do I have to call? After call I the <i class="">/auth/realms/{realm}/protocol/openid-connect/logout?redirect_uri= </i>endpoint still the session is valid. (But removed in the admin console) <div class=""><br class=""></div><div class=""><div><blockquote type="cite" class=""><div class="">On 28 Jun 2016, at 15:49, Stian Thorgersen <<a href="mailto:sthorger@redhat.com" class="">sthorger@redhat.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">Direct grant (tokens obtained directly from /auth/realms/{realm}/protocol/openid-connect/token) results in a new user session being created. This session is not tied to the browser session in any way. To do that you should use the proper redirect based login. <div class=""><br class=""></div><div class="">The token introspection endpoint returns that the token is still valid after you've logged from the admin console because you have two separate user sessions. To invalidate the token obtain directly from 'token' endpoint you'd have to call logout on that separately.</div></div><div class="gmail_extra"><br class=""><div class="gmail_quote">On 24 June 2016 at 10:08, Jannik Hüls <span dir="ltr" class=""><<a href="mailto:jannik.huels@googlemail.com" target="_blank" class="">jannik.huels@googlemail.com</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word" class="">Hi,<div class=""><br class=""></div><div class="">I use the <i class="">/auth/realms/{realm}/protocol/openid-connect/token</i> endpoint to create a User Session. The Session is shown inside keycloak and i get the access_token, refresh_token and id_token.</div><div class="">When I now call the <i class="">/auth/realms/{realm}/protocol/openid-connect/token/introspect </i>I get a valid response containing <i class="">“active”:”true” </i>amongst others. I call it using POST method and providing <i class="">cient_id</i>, <i class="">client_secret</i> and <i class="">token</i> parameter as data. The <i class="">token</i> parameter contains the <i class="">access_token</i> value. </div><div class=""><br class=""></div><div class="">I now log in to keycloak administrator and logout the User. Now I again call the introspection endpoint but still get a response containing <i class="">"active":”true”</i>. It seems that keycloak is caching the User Session and after some time I get <i class="">“active”:”false”. </i>May I be able to disable caching and to immediately get a introspection response that indicates that the User Session does not longer exist?</div><div class=""><br class=""></div><div class="">Btw.: The same happens when I call the <i class="">/auth/realms/{realm}/protocol/openid-connect/logout?redirect_uri= </i>endpoint. I provided the <i class="">access_token</i> in the header. POST parameters are <i class="">client_id</i>, <i class="">client_secret</i> and <i class="">refresh_token</i> is this case.</div><div class=""><br class=""></div><div class="">I use the introspection endpoint in the different RPs I use to validate whether the access_token is revoked in order to introduce single logout. Hence it would be nice to disable the caching to have less inconsistence. </div><div class=""><br class=""></div><div class="">Bests</div><span class="HOEnZb"><font color="#888888" class=""><div class="">Jannik</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div></font></span></div><br class="">_______________________________________________<br class="">
keycloak-user mailing list<br class="">
<a href="mailto:keycloak-user@lists.jboss.org" class="">keycloak-user@lists.jboss.org</a><br class="">
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank" class="">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br class=""></blockquote></div><br class=""></div>
</div></blockquote></div><br class=""></div></body></html>