Re: [keycloak-user] revocation of permission / policy for user managed resource does not influence activeness issued RPT for that resource

I'm also wondering if we should re-evaluate permissions when refreshing tokens. Right now, we just copy permissions to the new token ... On Tue, Jul 17, 2018 at 11:07 AM, Pedro Igor Silva <psilva(a)redhat.com&gt; wrote: > We don't have a token revocation endpoint yet. Same goes for regular > access tokens. > > What you can do now is revoke user session / logout. I think someone is > working on a PR to support a revocation endpoint ... > > > On Tue, Jul 17, 2018 at 9:09 AM, stefan.wachter < > stefan.wachter(a)bosch-si.com&gt; wrote: > >> Hi, >> >> I finally managed to setup a scenario where an RPT gives access to a >> "user managed" resource that was created by the protection api >> (https://www.keycloak.org/docs/latest/authorization_services >> /index.html#_service_protection_resources_api) >> and that is protected by a permission / policy that was created using >> the policy api >> (https://www.keycloak.org/docs/latest/authorization_services >> /index.html#_service_authorization_uma_policy_api). >> >> The policy checks the email by evaluating some JavaScript: >> >> $evaluation.getContext().getIdentity().getAttributes().getVa >> lue('email').asString(0).startsWith('$email')) $evaluation.grant() >> >> After the resource and its accompanying policy is created by api calls >> they appears on the "Keycloak Account Management" user interface in the >> "My Resources" section. Access with a suitable RPT is granted. However, >> when the permission / policy is revoked then the RPT that was issued >> based on that policy remains "active". The RPT can even be refreshed! >> >> What has to be done in order to revoke the RPT and/or its refresh token? >> >> -- >> >> Best regards, >> >> *Stefan Wachter >> INST-ICM/BSV-BS* >> >> Tel. +49(711)811-58477 >> >> *Be**QIK >> * >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user