Hi,
The command to revoke tokens is
Revoke consent and offline tokens for particular client from user
DELETE /{realm}/users/{id}/consents/{client}
The main point to bear in mind is the control of offline sessions.
This can be achieved with an offline access token.
Normally, you shall be able to use it once to acquire a further
offline session.
Also, most important is that the offline session gets revoked from the
user (for example in case his mobile phone is stolen)
(there is a screenshot of how to do it in my blog mentioned previously).
At this stage, any further discussion is really application context
specific, and would require a much more in-depth analysis of your project.
Regards,
Olivier Rivat
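As an added illustration of the Admin REST call named above (this is example code, not part of the thread, of the blog, or of Keycloak itself), the script below builds and sends `DELETE /{realm}/users/{id}/consents/{client}`. The base URL, realm, user UUID, clientId and admin token are placeholders; obtaining the admin token is out of scope. It percent-encodes each path segment, treats a 404 as "nothing to revoke" rather than an error, and takes an injectable opener so the flow can be exercised without a server (the `FakeOpener` is a constructed stand-in for that purpose only).

```python
"""Revoke a user's consent, and with it the offline tokens/sessions for that
client, through the endpoint named in the thread:

    DELETE /{realm}/users/{id}/consents/{client}

Added example, not Keycloak's own code. Base URL, admin token and IDs are
placeholders; the admin token must come from a real admin login (not shown)."""
import urllib.error
import urllib.parse
import urllib.request


def revoke_consent_request(base_url, realm, user_id, client_id, admin_token):
    """Build the DELETE request for the Admin REST API.

    base_url is the server root including its context path (the ".../keycloak"
    prefix seen in the thread). client_id is the client's clientId as shown in
    the admin console. Every path segment is percent-encoded so a value that
    contains "/" or "?" cannot change the path that is requested."""
    path = "/admin/realms/{}/users/{}/consents/{}".format(
        urllib.parse.quote(realm, safe=""),
        urllib.parse.quote(user_id, safe=""),
        urllib.parse.quote(client_id, safe=""),
    )
    req = urllib.request.Request(base_url.rstrip("/") + path, method="DELETE")
    req.add_header("Authorization", "Bearer " + admin_token)
    return req


def revoke_consent(base_url, realm, user_id, client_id, admin_token, opener=None):
    """Send the request.

    Returns True when the server accepted the deletion (any 2xx; Keycloak
    answers with no body), False when it reported 404 (no consent exists for
    that user/client, so there is nothing to revoke). Any other HTTP error is
    raised. `opener` is injectable so the flow can be tested offline."""
    opener = opener or urllib.request.build_opener()
    req = revoke_consent_request(base_url, realm, user_id, client_id, admin_token)
    try:
        with opener.open(req, timeout=10) as resp:
            return 200 <= resp.status < 300
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return False
        raise


class FakeOpener:
    """Constructed stand-in for urllib's opener: records the requests it
    receives and answers with a fixed status code, no network involved."""

    def __init__(self, status=204):
        self.status = status
        self.requests = []

    def open(self, req, timeout=None):
        self.requests.append(req)
        if self.status >= 400:
            raise urllib.error.HTTPError(req.full_url, self.status, "error", {}, None)
        return _FakeResponse(self.status)


class _FakeResponse:
    """Minimal response object: exposes .status and works as a context manager."""

    def __init__(self, status):
        self.status = status

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


if __name__ == "__main__":
    # Dry run against the fake opener; pass opener=None to talk to a real server.
    fake = FakeOpener(204)
    done = revoke_consent("https://sso.example.invalid/keycloak", "myrealm",
                          "USER-UUID-PLACEHOLDER", "mobile-app",
                          "ADMIN-TOKEN-PLACEHOLDER", opener=fake)
    sent = fake.requests[0]
    print(sent.get_method(), sent.full_url, "revoked" if done else "no consent")
```

Because the call removes the consent for the whole user/client pair, every offline session that user holds for that client goes with it; that is exactly the one-at-a-time limitation the thread discusses, so the script cannot be narrowed to a single token.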
On 11/09/2019 at 12:40, Przemek Bielicki wrote:
> In the realm setting, you can limit the number of refresh/offline
> tokens (by default one, when this flag is activated)
image.png
I think you're referring to this setting?
In fact it's not limiting the number of offline tokens but the number of
times it can be used (refreshed) to obtain an access token.
With this setting enabled I'm still able to generate a gazillion
offline tokens, but then our app should be able to limit this gracefully:
image.png
We just need to make sure we don't create more than one offline token
on the Keycloak side, then. It's a pity there is no way Keycloak can limit
this.
Cheers,
Przemek
On Wed, Sep 11, 2019 at 11:24 AM Rivat Olivier <orivat@janua.fr> wrote:
Best practice is to have one offline token per user per app.
In the realm setting, you can limit the number of refresh/offline
tokens (by default one, when this flag is activated).
It is also up to the user to manage/store the current token in
use for a specific app.
Like this, you only have a handful of refresh/offline tokens to
deal with (also one per device).
Regards,
Olivier
On 11/09/2019 at 11:18, Przemek Bielicki wrote:
> That would make sense for me if we could only have one offline
> token per user per client.
> If Keycloak allows having multiple, why can't we revoke them one by
> one? I assume it's just a missing feature.
>
> Przemek
>
> On Wed, Sep 11, 2019 at 11:05 AM Rivat Olivier <orivat@janua.fr> wrote:
>
> Well, offline tokens are JWT tokens. So they always exist in
> the context of a user and application.
> Hence a token is always tied to this tuple (user/client) context.
>
> Revoking a single token implies deleting on a per-user basis.
>
> Regards,
>
> Olivier
>
>
> On 11/09/2019 at 11:00, Przemek Bielicki wrote:
>> Hi,
>>
>> afaik it's only possible to revoke all for a given user /
>> client: DELETE
>> http://localhost:5081/keycloak/admin/realms/{realm}/users/{userId}/consen...
>>
>> I could not find a REST API to revoke single tokens. Does it
>> exist?
>>
>> Cheers,
>> Przemek
>>
>> On Wed, Sep 11, 2019 at 10:29 AM Rivat Olivier <orivat@janua.fr> wrote:
>>
>> Hi,
>>
>> Have a look at the following blog. With the admin UI or the
>> self-service you can easily revoke offline sessions.
>>
>> http://www.janua.fr/offline-sessions-and-offline-tokens-within-keycloak/
>>
>> You should also be able to do it with the REST API, but I
>> haven't had time
>> to describe it.
>>
>> Regards,
>> Olivier Rivat
>>
>>
>> On 11/09/2019 at 10:19, Przemek Bielicki wrote:
>> > Hi,
>> >
>> > is it possible to revoke a single offline token? How?
>> > If not, do you consider adding such a feature?
>> > If not, why? Is there any specific reason why it's not
>> > possible to revoke
>> > offline tokens one by one?
>> >
>> > Thanks,
>> > Przemek Bielicki
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user@lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user