Hi Yasir,

If I understand your query correctly:

Keycloak's JWT tokens have an expiry (i.e. lifetime, often a few minutes). Even if you log out that session in Keycloak, it might be a few minutes until the token already issued to the user expires. 

There are mechanisms to explicitly revoke/blacklist tokens before the expiry has been reached, but they are not currently supported by Apiman. 

Regards,
Marc

On Wed, 21 Nov 2018 at 13:34, Yasir Zeeshan <yasir.z@3gca.org> wrote:

Hi,

I implemented Apiman with Keycloak. It is working fine with the Keycloak OAuth policy and authorization policy plugin, but if I log out a user session from Keycloak, it still works on Apiman, where it should not give access and should show 401.


Regards,

Yasir

_______________________________________________
Apiman-user mailing list
Apiman-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/apiman-user
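
Added example, not part of the original thread and not Apiman or Keycloak code: it shows why a gateway that validates a JWT only from its signature and `exp` keeps accepting it after a logout, and how a check against ended sessions would reject it earlier. Assumptions: an HS256 token with a constructed key, a `sid` session claim, and the hypothetical names `validate_offline`, `validate_with_session_check` and `ended_sessions`.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed key, for this demo only

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(head, body):
    return hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()

def issue(claims):
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64(_sign(head, body))}"

def validate_offline(token, now):
    """Checks possible from the token alone: signature, alg and exp."""
    try:
        head, body, sig = token.split(".")
        if not hmac.compare_digest(_sign(head, body), _unb64(sig)):
            return None
        if json.loads(_unb64(head)).get("alg") != "HS256":
            return None
        claims = json.loads(_unb64(body))
        return claims if now < claims.get("exp", 0) else None
    except (ValueError, AttributeError, TypeError):
        return None  # malformed token

def validate_with_session_check(token, now, ended_sessions):
    """Same checks, plus rejection of tokens whose session was ended."""
    claims = validate_offline(token, now)
    if claims is None or claims.get("sid") in ended_sessions:
        return None
    return claims

def demo():
    # Constructed token: issued at t=1000 with a five-minute lifetime.
    token = issue({"sub": "user-1", "sid": "s-1", "iat": 1000, "exp": 1300})
    ended_sessions = {"s-1"}  # the session was logged out before t=1100
    return {
        "offline_after_logout": validate_offline(token, 1100) is not None,
        "checked_after_logout":
            validate_with_session_check(token, 1100, ended_sessions) is not None,
        "offline_after_expiry": validate_offline(token, 1301) is not None,
    }

if __name__ == "__main__":
    print(demo())
```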