Now I see. Thanks for the link. Indeed, the notBefore on the realm is
impacting the persistent sessions. Will comment on that JIRA.
On Fri, Jul 26, 2019 at 2:36 PM Shetty, Shweta <Shweta.Shetty(a)teradata.com>
wrote:
I am talking about this bug which clears offline tokens on Logout and
becomes unusable.
https://issues.jboss.org/browse/KEYCLOAK-8638?_sscc=t
Shweta
------------------------------
*From:* Pedro Igor Silva <psilva(a)redhat.com>
*Sent:* Friday, July 26, 2019 8:02 AM
*To:* Shetty, Shweta <Shweta.Shetty(a)Teradata.com>
*Cc:* keycloak-user(a)lists.jboss.org <keycloak-user(a)lists.jboss.org>
*Subject:* Re: [keycloak-user] API to evict user cache
If the logout is started by a GET to logout endpoint you should still be
able to refresh tokens. I think I'm not following your problem.
On Fri, Jul 26, 2019 at 10:59 AM Shetty, Shweta <
Shweta.Shetty(a)teradata.com> wrote:
I guess it was not clear why I need to evict a single user cache - I
should have completed the previous email.
The logout Keycloak admin API sets the 'notBefore' and makes the
offline token STALE, which we don't want. So what we are resorting to is:
1) Removing each active session individually.
2) Update on the user to evict the user from the cache. (We need to do this
because if a user has logged out we want him to cleanly log back in; for
example, if he gets added to a new group, when he logs back in he will get
the new LDAP group, else the cache will prevent it from happening.)
Shweta
------------------------------
*From:* Shetty, Shweta <Shweta.Shetty(a)Teradata.com>
*Sent:* Friday, July 26, 2019 6:50 AM
*To:* Pedro Igor Silva <psilva(a)redhat.com>
*Cc:* keycloak-user(a)lists.jboss.org <keycloak-user(a)lists.jboss.org>
*Subject:* Re: [keycloak-user] API to evict user cache
Thanks for your response Pedro. Yes, the updating of the user is helping
in evicting the user cache, just tested.
The reason we are resorting to this is: if we use the logout API of
Keycloak admin, then Keycloak evicts the user from the cache in the same
method that sets the `notBefore` field in the user. The setting of the
'notBefore' makes the offline tokens STALE which in my assumption should
have been done - since the assumption is offline tokens should still be
valid if a user has logged out? Am I wrong here? We use offline tokens for
background jobs and these fail. What is the best approach for such jobs
then?
Shweta
------------------------------
*From:* Pedro Igor Silva <psilva(a)redhat.com>
*Sent:* Friday, July 26, 2019 5:00 AM
*To:* Shetty, Shweta <Shweta.Shetty(a)Teradata.com>
*Cc:* keycloak-user(a)lists.jboss.org <keycloak-user(a)lists.jboss.org>
*Subject:* Re: [keycloak-user] API to evict user cache
If you mean a single entry in the cache, no. But you can clear all entries
in user cache (see admin console).
AFAIK, if you want to force a reload to a specific entry you could update
some user info so that the entry is invalidated and eventually cached again.
On Thu, Jul 25, 2019 at 4:15 PM Shetty, Shweta <Shweta.Shetty(a)teradata.com>
wrote:
Is there an admin API to evict just a single user-cache?
Shweta
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
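
The two-step workaround described in the thread (remove each active session, then update the user), sketched against the Keycloak admin REST API as an added example; it is not code from any participant or from the Keycloak project. The base URL, realm, user id, token and the fake transport are constructed, and writing the user representation back unchanged as the "update" is an assumption.

```python
import json
import urllib.request

def http_send(method, url, token, body=None):
    """Default transport: one authenticated call to the admin REST API."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": "Bearer " + token,
        "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None

def logout_keep_offline(base, realm, user_id, token, send=http_send):
    """Steps 1 and 2 from the thread, without calling the user logout
    endpoint (the call the thread says sets notBefore)."""
    admin = f"{base}/admin/realms/{realm}"
    user_url = f"{admin}/users/{user_id}"
    # Step 1: remove each active session individually.
    sessions = send("GET", f"{user_url}/sessions", token) or []
    for s in sessions:
        send("DELETE", f"{admin}/sessions/{s['id']}", token)
    # Step 2: update the user so the cached entry is invalidated.
    # Assumption: writing the representation back unchanged is enough.
    rep = send("GET", user_url, token)
    send("PUT", user_url, token, rep)
    return [s["id"] for s in sessions]

def make_fake_send(calls):
    """Constructed stand-in for a server: records calls, returns canned JSON."""
    def send(method, url, token, body=None):
        calls.append((method, url))
        if method == "GET" and url.endswith("/sessions"):
            return [{"id": "sess-1"}, {"id": "sess-2"}]  # constructed sessions
        if method == "GET":
            return {"id": "u-123", "username": "alice"}  # constructed user
        return None
    return send

if __name__ == "__main__":
    calls = []
    removed = logout_keep_offline("https://kc.example/auth", "demo",
                                  "u-123", "TOKEN", make_fake_send(calls))
    print(removed)
    for call in calls:
        print(*call)
```
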