I guess it was not clear why I need to evict a single user cache - I should have completed
the previous email.
Since the logout Keycloak admin API sets the 'notBefore' and makes the offline
token STALE, which we don't want, what we are resorting to is:
1) Removing each active session individually.
2) Updating the user to evict the user from the cache. (We need to do this because if a
user has logged out we want him to cleanly log back in; for example, if he gets added to a
new group, when he logs back in he will get the new LDAP group, else the cache will prevent
it from happening.)
Shweta
________________________________
From: Shetty, Shweta <Shweta.Shetty(a)Teradata.com>
Sent: Friday, July 26, 2019 6:50 AM
To: Pedro Igor Silva <psilva(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] API to evict user cache
Thanks for your response Pedro. Yes, the updating of the user is helping in evicting the
user cache, just tested.
The reason we are resorting to this is: If we use the logout API of Keycloak admin
then Keycloak evicts the user from the cache in the same method that sets the `notBefore`
field in the user. The setting of the 'notBefore' makes the offline tokens STALE
which in my assumption should have been done - since the assumption is offline tokens
should still be valid if a user has logged out? Am I wrong here? We use offline tokens for
background jobs and these fail. What is the best approach for such jobs then?
Shweta
________________________________
From: Pedro Igor Silva <psilva(a)redhat.com>
Sent: Friday, July 26, 2019 5:00 AM
To: Shetty, Shweta <Shweta.Shetty(a)Teradata.com>
Cc: keycloak-user(a)lists.jboss.org <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] API to evict user cache
If you mean a single entry in the cache, no. But you can clear all entries in user cache
(see admin console).
AFAIK, if you want to force a reload to a specific entry you could update some user info
so that the entry is invalidated and eventually cached again.
On Thu, Jul 25, 2019 at 4:15 PM Shetty, Shweta
<Shweta.Shetty@teradata.com> wrote:
Is there an admin API to evict just a single user-cache?
Shweta
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
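
The two-step workaround from the first message in this thread (remove each active session,
then update the user), as an added example that is not code from the thread or from the
Keycloak project. It assumes the Admin REST paths `users/{id}/sessions`, `sessions/{id}` and
`users/{id}` under `{base}/admin/realms/{realm}`, a caller-supplied admin bearer token, and
that writing back the unchanged user representation counts as the update that invalidates the
cache entry; the function names and the `send` hook are hypothetical.

```python
import json
import urllib.request
from urllib.parse import quote


def http_send(method, url, token, body=None):
    """Real transport: one Admin REST call authenticated with a bearer token."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": "Bearer " + token,
        "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def end_sessions_and_refresh(base, realm, user_id, token, send=http_send):
    """Remove each active session, then update the user to drop its cache entry.

    Deliberately never calls .../users/{id}/logout, the call that the thread
    reports as setting notBefore and making offline tokens stale.
    Returns (removed_session_ids, [(failed_session_id, error_text), ...]).
    """
    admin = f"{base}/admin/realms/{quote(realm, safe='')}"
    user_url = f"{admin}/users/{quote(user_id, safe='')}"
    removed, failed = [], []
    # Step 1: list the user's active sessions and delete them one by one.
    for session in send("GET", f"{user_url}/sessions", token) or []:
        sid = session["id"]
        try:
            send("DELETE", f"{admin}/sessions/{quote(sid, safe='')}", token)
            removed.append(sid)
        except OSError as exc:
            # urllib's HTTPError/URLError subclass OSError. A session can expire
            # between the list and the delete; record it and keep going.
            failed.append((sid, str(exc)))
    # Step 2 (assumption): re-send the representation as read, so the cached
    # entry is invalidated and reloaded (e.g. with new LDAP groups) at next login.
    user = send("GET", user_url, token)
    send("PUT", user_url, token, user)
    return removed, failed
```

Pass a fake `send` to dry-run the call sequence before pointing it at a real realm; on the
2019-era servers discussed here `base` would typically end in `/auth`.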