If the protocol you are using is OIDC, refreshing a token will fail if a
role issued to the original token has been revoked. There is no callback
though.
On 3/16/17 11:20 AM, Dmitry Korchemkin wrote:
Is there a built-in way to invalidate session upon role changes in
IDP?
I imagine the following scenario:
- user logs in, mapper gives him role X.
- user, using role X, gains access to some resource or application.
- admin removes role X from user on IDP side.
- user needs to be logged out after that, since he doesn't have access to
this resource anymore.
I've tried removing roles in Keycloak UI and it doesn't seem to invalidate
the session by default.
I know OIDC/SAML can store additional info in its tokens and we can
probably use it to carry roles information in refresh tokens and check it
on application side, but maybe there's already a way to do this with some
Keycloak configuration?
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user