Best practice is to have an offline token per user per app.
In the realm settings, you can limit the number of refresh/offline tokens
(by default one, when this flag is activated).
It is also up to the user to manage/store the current token in use for
a specific app.
Like this, you only have a handful of refresh/offline tokens to deal
with (also one per device).
Regards,
Olivier
On 11/09/2019 at 11:18, Przemek Bielicki wrote:
That would make sense for me if we could only have one offline token
per user per client.
If Keycloak allows having multiple, why can't we revoke one by one? I
assume it's just a missing feature.
Przemek
On Wed, Sep 11, 2019 at 11:05 AM Rivat Olivier <orivat(a)janua.fr> wrote:
Well, OfflineTokens are JWT tokens. So they always exist in the
context of a user and application.
Hence a token is always tied to this tuple (user/client) context.
Revoking a single token implies deleting on a per-user basis.
Regards,
Olivier
On 11/09/2019 at 11:00, Przemek Bielicki wrote:
> Hi,
>
> afaik it's only possible to revoke all for a given user / client:
> DELETE
> http://localhost:5081/keycloak/admin/realms/{realm}/users/{userId}/consen...
>
> I could not find a REST API to revoke single tokens. Does it exist?
>
> Cheers,
> Przemek
>
> On Wed, Sep 11, 2019 at 10:29 AM Rivat Olivier <orivat(a)janua.fr> wrote:
>
> Hi,
>
> Have a look at the following blog. With the admin UI or self-service
> you can easily revoke offline sessions.
>
> http://www.janua.fr/offline-sessions-and-offline-tokens-within-keycloak/
>
> You should also be able to do it with the REST API, but I haven't had time
> to describe it.
>
> Regards,
> Olivier Rivat
>
>
> On 11/09/2019 at 10:19, Przemek Bielicki wrote:
> > Hi,
> >
> > is it possible to revoke a single offline token? How?
> > If not, do you consider adding such a feature?
> > If not, why? Is there any specific reason why it's not possible to revoke
> > offline tokens one by one?
> >
> > Thanks,
> > Przemek Bielicki
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user