6:56 a.m.
Hi,
I am wondering what should happen in second scenario below.
I have working SAML client and try to disable client in admin console in next two
scenarios:
First:
1. Disable client in admin console
2. Try to access client URL -> I am getting "Login requester not enabled". I
think this behavior is correct.
Second:
1. Login to client
2. Disable client in admin console
3. Nothing happens, secured resource is still available, even after some time.
Is it correct? Shouldn't keycloak forbid to refresh token or somehow restrict
accessing secured resource?
Thank you,
Michal Hajas.
9:29 a.m.
On 12/7/2015 7:56 AM, Michal Hajas wrote:
Hi,
I am wondering what should happen in second scenario below.
I have working SAML client and try to disable client in admin console in next two
scenarios:
First:
1. Disable client in admin console
2. Try to access client URL -> I am getting "Login requester not enabled". I
think this behavior is correct.
Second:
1. Login to client
2. Disable client in admin console
3. Nothing happens, secured resource is still available, even after some time.
Is it correct? Shouldn't keycloak forbid to refresh token or somehow restrict
accessing secured resource?
Good catch. Looks like when refresh token and/or the client-auth flow
was added, the check for disabled client was lost. Both in the logic
and in the testsuite.
https://issues.jboss.org/browse/KEYCLOAK-2204
FYI though, Keycloak does not broadcast disabled client events. We let
token timeouts and token refresh handle that.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10:02 a.m.
It seems that it works for OIDC clients. Just added a comment to
https://issues.jboss.org/browse/KEYCLOAK-2204
But note, this email is about SAML client. Not sure if SAML has
something like "refresh token" ?
I guess not, so once SAML client successfully login into application,
the authenticated session on application side is valid until HTTP
Session expired.
Marek
On 07/12/15 16:29, Bill Burke wrote:
On 12/7/2015 7:56 AM, Michal Hajas wrote:
> Hi,
>
> I am wondering what should happen in second scenario below.
>
> I have working SAML client and try to disable client in admin console in next two
scenarios:
>
> First:
> 1. Disable client in admin console
> 2. Try to access client URL -> I am getting "Login requester not
enabled". I think this behavior is correct.
>
> Second:
> 1. Login to client
> 2. Disable client in admin console
> 3. Nothing happens, secured resource is still available, even after some time.
>
> Is it correct? Shouldn't keycloak forbid to refresh token or somehow restrict
accessing secured resource?
>
Good catch. Looks like when refresh token and/or the client-auth flow
was added, the check for disabled client was lost. Both in the logic
and in the testsuite.
https://issues.jboss.org/browse/KEYCLOAK-2204
FYI though, Keycloak does not broadcast disabled client events. We let
token timeouts and token refresh handle that.
3684
days inactive
3684
days old
2 comments
3 participants
participants (3)
-
Bill Burke -
Marek Posolda -
Michal Hajas