It seems that it works for OIDC clients. Just added a comment to
https://issues.jboss.org/browse/KEYCLOAK-2204
But note, this email is about a SAML client. Not sure if SAML has
something like a "refresh token"?
I guess not, so once a SAML client successfully logs into the application,
the authenticated session on the application side is valid until the HTTP
session expires.
Marek
On 07/12/15 16:29, Bill Burke wrote:
On 12/7/2015 7:56 AM, Michal Hajas wrote:
> Hi,
>
> I am wondering what should happen in second scenario below.
>
> I have a working SAML client and try to disable the client in the admin console in the next two
> scenarios:
>
> First:
> 1. Disable client in admin console
> 2. Try to access client URL -> I am getting "Login requester not
> enabled". I think this behavior is correct.
>
> Second:
> 1. Login to client
> 2. Disable client in admin console
> 3. Nothing happens, secured resource is still available, even after some time.
>
> Is it correct? Shouldn't Keycloak forbid refreshing the token or somehow restrict
> access to the secured resource?
>
Good catch. Looks like when the refresh token and/or the client-auth flow
was added, the check for a disabled client was lost. Both in the logic
and in the testsuite.
https://issues.jboss.org/browse/KEYCLOAK-2204
FYI though, Keycloak does not broadcast disabled client events. We let
token timeouts and token refresh handle that.