From: "Christos Vasilakis" <cvasilak(a)gmail.com&gt; To: keycloak-dev(a)lists.jboss.org Sent: Monday, 16 June, 2014 10:04:30 AM Subject: [keycloak-dev] Revocation of access_token Hi all, is there any way a user that holds an ‘access_token’ to manually revoke it by posting to a particular URL? 'curl "https://server/realms/application/tokens/revoke?token=<token>' Sorry if i am missing sth would be glad if you point me to the right direction. Regards, Christos _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev

From: "Corinne Krych" <corinnekrych(a)gmail.com&gt; To: "Stian Thorgersen" <stian(a)redhat.com&gt; Cc: "Christos Vasilakis" <cvasilak(a)gmail.com&gt;, keycloak-dev(a)lists.jboss.org Sent: Monday, 16 June, 2014 10:51:31 AM Subject: Re: [keycloak-dev] Revocation of access_token Thanks Stian for you reply Interesting it looks different from what we’ve seen so far with Google and Facebook, closer to http://tools.ietf.org/html/rfc7009 draft specification on revoke toke where you put the token you want to revoke and it will revoke all refreh and access tokens. ++ Corinne On 16 Jun 2014, at 11:22, Stian Thorgersen <stian(a)redhat.com&gt; wrote: > You can't revoke individual tokens or refresh tokens, but all tokens (and > cookies) are linked to a user session which can be revoked. > > To logout the current session (uses cookie): > https://server/realms/application/tokens/logout > > To logout a specific session (you can get the session state from token: > https://server/realms/application/tokens/logout?session_state=<SESSION... > > You can also logout sessions from the account management, or through the > admin console. > > ----- Original Message ----- >> From: "Christos Vasilakis" <cvasilak(a)gmail.com&gt; >> To: keycloak-dev(a)lists.jboss.org >> Sent: Monday, 16 June, 2014 10:04:30 AM >> Subject: [keycloak-dev] Revocation of access_token >> >> Hi all, >> >> is there any way a user that holds an ‘access_token’ to manually revoke >> it >> by posting to a particular URL? >> >> 'curl "https://server/realms/application/tokens/revoke?token=<token>' >> >> Sorry if i am missing sth would be glad if you point me to the right >> direction. >> >> Regards, >> Christos >> >> >> >> >> >> _______________________________________________ >> keycloak-dev mailing list >> keycloak-dev(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev

We’ll keep an eye on that. Thanks, Corinne PS: we track it with https://issues.jboss.org/browse/AGIOS-206 On 16 Jun 2014, at 12:27, Stian Thorgersen <stian(a)redhat.com&gt; wrote: > We'll probably also add something more like what Google and Facebook have in the future, by having the option to list what grants have been given to clients in account management, and the ability to revoke access to a specific client. > > ----- Original Message ----- >> From: "Corinne Krych" <corinnekrych(a)gmail.com&gt; >> To: "Stian Thorgersen" <stian(a)redhat.com&gt; >> Cc: "Christos Vasilakis" <cvasilak(a)gmail.com&gt;, keycloak-dev(a)lists.jboss.org >> Sent: Monday, 16 June, 2014 10:51:31 AM >> Subject: Re: [keycloak-dev] Revocation of access_token >> >> Thanks Stian for you reply >> >> Interesting it looks different from what we’ve seen so far with Google and >> Facebook, closer to http://tools.ietf.org/html/rfc7009 draft specification >> on revoke toke where you put the token you want to revoke and it will revoke >> all refreh and access tokens. >> >> ++ >> Corinne >> On 16 Jun 2014, at 11:22, Stian Thorgersen <stian(a)redhat.com&gt; wrote: >> >>> You can't revoke individual tokens or refresh tokens, but all tokens (and >>> cookies) are linked to a user session which can be revoked. >>> >>> To logout the current session (uses cookie): >>> https://server/realms/application/tokens/logout >>> >>> To logout a specific session (you can get the session state from token: >>> https://server/realms/application/tokens/logout?session_state=<SESSION... >>> >>> You can also logout sessions from the account management, or through the >>> admin console. >>> >>> ----- Original Message ----- >>>> From: "Christos Vasilakis" <cvasilak(a)gmail.com&gt; >>>> To: keycloak-dev(a)lists.jboss.org >>>> Sent: Monday, 16 June, 2014 10:04:30 AM >>>> Subject: [keycloak-dev] Revocation of access_token >>>> >>>> Hi all, >>>> >>>> is there any way a user that holds an ‘access_token’ to manually revoke >>>> it >>>> by posting to a particular URL? >>>> >>>> 'curl "https://server/realms/application/tokens/revoke?token=<token>' >>>> >>>> Sorry if i am missing sth would be glad if you point me to the right >>>> direction. >>>> >>>> Regards, >>>> Christos >>>> >>>> >>>> >>>> >>>> >>>> _______________________________________________ >>>> keycloak-dev mailing list >>>> keycloak-dev(a)lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>>> >>> >>> _______________________________________________ >>> keycloak-dev mailing list >>> keycloak-dev(a)lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> >> _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev

What do you mean? when an application is revoked (for now using the session revoke), and the uservisit the app again, he will need to get a new refresh and access token and for that he will be prompted again to grant access, right? ++ Corinne On 16 Jun 2014, at 14:44, Bill Burke <bburke(a)redhat.com&gt; wrote: > FYI, even if we could do this, it wouldn't look like it from a user > perspective if there was an SSO session active and if they visited the > revoked application again. In that case they'd just get a new refresh > token. > > On 6/16/2014 6:34 AM, Corinne Krych wrote: >> We’ll keep an eye on that. >> Thanks, >> Corinne >> PS: we track it with https://issues.jboss.org/browse/AGIOS-206 >> >> On 16 Jun 2014, at 12:27, Stian Thorgersen <stian(a)redhat.com&gt; wrote: >> >>> We'll probably also add something more like what Google and Facebook have in the future, by having the option to list what grants have been given to clients in account management, and the ability to revoke access to a specific client. >>> >>> ----- Original Message ----- >>>> From: "Corinne Krych" <corinnekrych(a)gmail.com&gt; >>>> To: "Stian Thorgersen" <stian(a)redhat.com&gt; >>>> Cc: "Christos Vasilakis" <cvasilak(a)gmail.com&gt;, keycloak-dev(a)lists.jboss.org >>>> Sent: Monday, 16 June, 2014 10:51:31 AM >>>> Subject: Re: [keycloak-dev] Revocation of access_token >>>> >>>> Thanks Stian for you reply >>>> >>>> Interesting it looks different from what we’ve seen so far with Google and >>>> Facebook, closer to http://tools.ietf.org/html/rfc7009 draft specification >>>> on revoke toke where you put the token you want to revoke and it will revoke >>>> all refreh and access tokens. >>>> >>>> ++ >>>> Corinne >>>> On 16 Jun 2014, at 11:22, Stian Thorgersen <stian(a)redhat.com&gt; wrote: >>>> >>>>> You can't revoke individual tokens or refresh tokens, but all tokens (and >>>>> cookies) are linked to a user session which can be revoked. >>>>> >>>>> To logout the current session (uses cookie): >>>>> https://server/realms/application/tokens/logout >>>>> >>>>> To logout a specific session (you can get the session state from token: >>>>> https://server/realms/application/tokens/logout?session_state=<SESSION... >>>>> >>>>> You can also logout sessions from the account management, or through the >>>>> admin console. >>>>> >>>>> ----- Original Message ----- >>>>>> From: "Christos Vasilakis" <cvasilak(a)gmail.com&gt; >>>>>> To: keycloak-dev(a)lists.jboss.org >>>>>> Sent: Monday, 16 June, 2014 10:04:30 AM >>>>>> Subject: [keycloak-dev] Revocation of access_token >>>>>> >>>>>> Hi all, >>>>>> >>>>>> is there any way a user that holds an ‘access_token’ to manually revoke >>>>>> it >>>>>> by posting to a particular URL? >>>>>> >>>>>> 'curl "https://server/realms/application/tokens/revoke?token=<token>' >>>>>> >>>>>> Sorry if i am missing sth would be glad if you point me to the right >>>>>> direction. >>>>>> >>>>>> Regards, >>>>>> Christos >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> keycloak-dev mailing list >>>>>> keycloak-dev(a)lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-dev mailing list >>>>> keycloak-dev(a)lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>>> >>>> >> >> >> _______________________________________________ >> keycloak-dev mailing list >> keycloak-dev(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev

Oki. I should have mentioned that my use case/scenario was for OAuth2 client. in that case it is similar to other Oauth2 provider: you do need to grant access again after a revoke. On 16 Jun 2014, at 15:19, Bill Burke <bburke(a)redhat.com&gt; wrote: > Depends. Applications don't have to get grant permission. OAuth clients do. > > On 6/16/2014 8:50 AM, Corinne Krych wrote: >> What do you mean? >> when an application is revoked (for now using the session revoke), and the uservisit the app again, he will need to get a new refresh and access token and for that he will be prompted again to grant access, right? >> >> ++ >> Corinne >> On 16 Jun 2014, at 14:44, Bill Burke <bburke(a)redhat.com&gt; wrote: >> >>> FYI, even if we could do this, it wouldn't look like it from a user >>> perspective if there was an SSO session active and if they visited the >>> revoked application again. In that case they'd just get a new refresh >>> token. >>> >>> On 6/16/2014 6:34 AM, Corinne Krych wrote: >>>> We’ll keep an eye on that. >>>> Thanks, >>>> Corinne >>>> PS: we track it with https://issues.jboss.org/browse/AGIOS-206 >>>> >>>> On 16 Jun 2014, at 12:27, Stian Thorgersen <stian(a)redhat.com&gt; wrote: >>>> >>>>> We'll probably also add something more like what Google and Facebook have in the future, by having the option to list what grants have been given to clients in account management, and the ability to revoke access to a specific client. >>>>> >>>>> ----- Original Message ----- >>>>>> From: "Corinne Krych" <corinnekrych(a)gmail.com&gt; >>>>>> To: "Stian Thorgersen" <stian(a)redhat.com&gt; >>>>>> Cc: "Christos Vasilakis" <cvasilak(a)gmail.com&gt;, keycloak-dev(a)lists.jboss.org >>>>>> Sent: Monday, 16 June, 2014 10:51:31 AM >>>>>> Subject: Re: [keycloak-dev] Revocation of access_token >>>>>> >>>>>> Thanks Stian for you reply >>>>>> >>>>>> Interesting it looks different from what we’ve seen so far with Google and >>>>>> Facebook, closer to http://tools.ietf.org/html/rfc7009 draft specification >>>>>> on revoke toke where you put the token you want to revoke and it will revoke >>>>>> all refreh and access tokens. >>>>>> >>>>>> ++ >>>>>> Corinne >>>>>> On 16 Jun 2014, at 11:22, Stian Thorgersen <stian(a)redhat.com&gt; wrote: >>>>>> >>>>>>> You can't revoke individual tokens or refresh tokens, but all tokens (and >>>>>>> cookies) are linked to a user session which can be revoked. >>>>>>> >>>>>>> To logout the current session (uses cookie): >>>>>>> https://server/realms/application/tokens/logout >>>>>>> >>>>>>> To logout a specific session (you can get the session state from token: >>>>>>> https://server/realms/application/tokens/logout?session_state=<SESSION... >>>>>>> >>>>>>> You can also logout sessions from the account management, or through the >>>>>>> admin console. >>>>>>> >>>>>>> ----- Original Message ----- >>>>>>>> From: "Christos Vasilakis" <cvasilak(a)gmail.com&gt; >>>>>>>> To: keycloak-dev(a)lists.jboss.org >>>>>>>> Sent: Monday, 16 June, 2014 10:04:30 AM >>>>>>>> Subject: [keycloak-dev] Revocation of access_token >>>>>>>> >>>>>>>> Hi all, >>>>>>>> >>>>>>>> is there any way a user that holds an ‘access_token’ to manually revoke >>>>>>>> it >>>>>>>> by posting to a particular URL? >>>>>>>> >>>>>>>> 'curl "https://server/realms/application/tokens/revoke?token=<token>' >>>>>>>> >>>>>>>> Sorry if i am missing sth would be glad if you point me to the right >>>>>>>> direction. >>>>>>>> >>>>>>>> Regards, >>>>>>>> Christos >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> keycloak-dev mailing list >>>>>>>> keycloak-dev(a)lists.jboss.org >>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>>>>>>> >>>>>>> >>>>>>> _______________________________________________ >>>>>>> keycloak-dev mailing list >>>>>>> keycloak-dev(a)lists.jboss.org >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>>>>> >>>>>> >>>> >>>> >>>> _______________________________________________ >>>> keycloak-dev mailing list >>>> keycloak-dev(a)lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>>> >>> >>> -- >>> Bill Burke >>> JBoss, a division of Red Hat >>> http://bill.burkecentral.com >>> _______________________________________________ >>> keycloak-dev mailing list >>> keycloak-dev(a)lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com