I think that re-evaluation of permissions on refresh would be an
important improvement. If I had a choice between a revocation endpoint
and a re-evaluation on refresh behaviour I would clearly prefer the
re-evaluation on refresh behaviour.
On 17.07.2018 17:27, Pedro Igor Silva wrote:
I'm also wondering if we should re-evaluate permissions when refreshing
tokens. Right now, we just copy permissions to the new token ...
On Tue, Jul 17, 2018 at 11:07 AM, Pedro Igor Silva <psilva(a)redhat.com> wrote:
> We don't have a token revocation endpoint yet. Same goes for regular
> access tokens.
>
> What you can do now is revoke user session / logout. I think someone is
> working on a PR to support a revocation endpoint ...
>
>
> On Tue, Jul 17, 2018 at 9:09 AM, stefan.wachter <
> stefan.wachter(a)bosch-si.com> wrote:
>
>> Hi,
>>
>> I finally managed to set up a scenario where an RPT gives access to a
>> "user managed" resource that was created by the protection API
>> (https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_protection_resources_api)
>> and that is protected by a permission / policy that was created using
>> the policy API
>> (https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_authorization_uma_policy_api).
>>
>> The policy checks the email by evaluating some JavaScript:
>>
>> if ($evaluation.getContext().getIdentity().getAttributes().getValue('email').asString(0).startsWith('$email'))
>>     $evaluation.grant();
>>
>> After the resource and its accompanying policy are created by API calls
>> they appear in the "Keycloak Account Management" user interface in the
>> "My Resources" section. Access with a suitable RPT is granted. However,
>> when the permission / policy is revoked, the RPT that was issued
>> based on that policy remains "active". The RPT can even be refreshed!
>>
>> What has to be done in order to revoke the RPT and/or its refresh token?
>>
>> --
>>
>> Best regards,
>>
>> Stefan Wachter
>> INST-ICM/BSV-BS
>>
>> Tel. +49(711)811-58477
>>
>> BeQIK
>>
>
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
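As an added illustration (not code from the thread or from Keycloak itself), the following Python model contrasts the two refresh behaviours discussed above: copying permissions into the refreshed RPT versus re-evaluating the policies. The policy mirrors Stefan's JavaScript check on the identity's `email` attribute; resource names, e-mail addresses and the `Policy`/`RPT` classes are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    """UMA-style policy on one resource. Mirrors the JS check in the thread:
    identity attribute 'email' is multi-valued, index 0 is tested for a prefix."""
    resource: str
    email_prefix: str
    active: bool = True  # set to False when the owner revokes it in "My Resources"

    def evaluate(self, identity: dict) -> bool:
        email = identity["attributes"]["email"][0]
        return self.active and email.startswith(self.email_prefix)


@dataclass
class RPT:
    """Requesting party token: the identity it was issued to plus granted resources."""
    identity: dict
    permissions: frozenset = field(default_factory=frozenset)


def issue_rpt(identity: dict, policies: list) -> RPT:
    granted = frozenset(p.resource for p in policies if p.evaluate(identity))
    return RPT(identity, granted)


def refresh_copy(rpt: RPT, policies: list) -> RPT:
    # Behaviour described in the thread: permissions are copied unchanged into
    # the new token, so a policy revoked after issuance is never noticed.
    return RPT(rpt.identity, rpt.permissions)


def refresh_reevaluate(rpt: RPT, policies: list) -> RPT:
    # Proposed behaviour: run the current policies again for the same identity.
    return issue_rpt(rpt.identity, policies)


def demo() -> dict:
    # Constructed sample data; names and values are illustrative only.
    policies = [Policy("shared-document", "stefan.wachter@")]
    requester = {"attributes": {"email": ["stefan.wachter@example.com"]}}
    rpt = issue_rpt(requester, policies)
    policies[0].active = False  # owner revokes the permission after the RPT was issued
    return {
        "issued": set(rpt.permissions),
        "after_refresh_copy": set(refresh_copy(rpt, policies).permissions),
        "after_refresh_reevaluate": set(refresh_reevaluate(rpt, policies).permissions),
    }
```

Only the re-evaluating refresh drops the revoked resource; the copying refresh keeps the RPT "active" indefinitely, which is the behaviour Stefan observed.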