We don't have a token revocation endpoint yet. Same goes for regular access tokens.
What you can do now is revoke the user session / log out. I think someone is working on a PR to support a revocation endpoint ...
On Tue, Jul 17, 2018 at 9:09 AM, stefan.wachter <stefan.wachter(a)bosch-si.com> wrote:
Hi,
I finally managed to set up a scenario where an RPT gives access to a "user managed" resource that was created by the protection API (https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_protection_resources_api) and that is protected by a permission / policy that was created using the policy API (https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_authorization_uma_policy_api).
The policy checks the email by evaluating some JavaScript:

if ($evaluation.getContext().getIdentity().getAttributes().getValue('email').asString(0).startsWith('$email')) $evaluation.grant();
After the resource and its accompanying policy are created by API calls they appear on the "Keycloak Account Management" user interface in the "My Resources" section. Access with a suitable RPT is granted. However, when the permission / policy is revoked, the RPT that was issued based on that policy remains "active". The RPT can even be refreshed!
What has to be done in order to revoke the RPT and/or its refresh token?
--
Best regards,
Stefan Wachter
INST-ICM/BSV-BS
Tel. +49(711)811-58477
BeQIK
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
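The gap the quoted mail describes (a permission is deleted, but an already-issued RPT stays usable until it expires, and can even be refreshed) is why a resource server should not decide access from the RPT's embedded permissions alone. Keycloak's documented mitigation at the time of this thread is the one the reply gives, revoking the user session, and that only takes effect on the resource server if it asks Keycloak about the token on each request. The following is an added example, not code from the thread or from the Keycloak project: it builds the documented RPT introspection request (`token_type_hint=requesting_party_token` against the realm's `openid-connect/token/introspect` endpoint, authenticated with the resource server's client credentials) and evaluates the introspection response, so a revoked session is denied as `active: false` even though the RPT's own `exp` has not passed. The hostname, realm, client credentials, resource ids and the sample responses are constructed for the example.

```python
import json
from base64 import b64encode
from urllib.parse import urlencode
from urllib.request import Request, urlopen


def build_rpt_introspection_request(base_url, realm, client_id, client_secret, rpt):
    """Return (url, headers, body) for Keycloak's token introspection endpoint.

    The resource server authenticates with its own client credentials (HTTP
    Basic); token_type_hint=requesting_party_token asks Keycloak to return the
    permissions currently granted to the RPT instead of plain token metadata.
    base_url is the server root; older Keycloak deployments include /auth in it.
    """
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token/introspect"
    creds = b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"token_type_hint": "requesting_party_token", "token": rpt})
    return url, headers, body.encode("utf-8")


def introspect_rpt(base_url, realm, client_id, client_secret, rpt, timeout=5):
    """POST the introspection request and return the parsed JSON (network call)."""
    url, headers, body = build_rpt_introspection_request(
        base_url, realm, client_id, client_secret, rpt
    )
    req = Request(url, data=body, headers=headers, method="POST")
    with urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def rpt_grants(introspection, resource, scope=None):
    """Decide access from the introspection response, never from the RPT alone.

    'active' becomes false once the user session behind the RPT has been
    revoked (the only revocation path the thread offers), so a stale RPT is
    refused here even though the token itself still validates offline.
    """
    if not introspection.get("active", False):
        return False
    for perm in introspection.get("permissions") or []:
        # Introspection output uses resource_id/resource_name; the RPT's own
        # authorization claim uses rsid/rsname. Accept either spelling.
        names = {
            perm.get("resource_id"), perm.get("resource_name"),
            perm.get("rsid"), perm.get("rsname"),
        }
        if resource not in names:
            continue
        if scope is None or scope in (perm.get("scopes") or []):
            return True
    return False


# Constructed sample responses with hypothetical ids, not captured from a server.
ACTIVE_RESPONSE = {
    "active": True,
    "exp": 1531818000,
    "aud": "photo-service",
    "permissions": [
        {
            "resource_id": "11111111-2222-3333-4444-555555555555",
            "resource_name": "Album 42",
            "scopes": ["view"],
        }
    ],
}
# Keycloak answers a revoked or expired token with only the active flag.
REVOKED_SESSION_RESPONSE = {"active": False}


def main():
    url, headers, body = build_rpt_introspection_request(
        "https://sso.example.test/auth", "demo", "photo-service", "example-secret",
        "eyJ.example.rpt",  # placeholder RPT, not a real token
    )
    print("POST", url)
    print(body.decode())
    print("live RPT, view Album 42:", rpt_grants(ACTIVE_RESPONSE, "Album 42", "view"))
    print("live RPT, delete Album 42:", rpt_grants(ACTIVE_RESPONSE, "Album 42", "delete"))
    print("after session revocation:", rpt_grants(REVOKED_SESSION_RESPONSE, "Album 42", "view"))


if __name__ == "__main__":
    main()
```

Introspecting on every request trades a round trip to Keycloak for immediate effect of a session revocation; if that cost is too high, the usual compromise is a short RPT lifetime plus introspection only for sensitive scopes, since a permission that was deleted after issuance will otherwise stay honoured until the token expires.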