Pedro can confirm, but if I'm not wrong an RPT is like any other access
token and will be valid until it expires (5 minutes by default). This is
especially true with an RPT, where the verification can be made completely
offline. You can push a "not before" from the console to invalidate the
token immediately.
On Fri, Jul 5, 2019 at 2:09 PM Rivat Olivier <orivat(a)janua.fr> wrote:
Hi,
I have the following use case
1) alice is creating some resources (a5 for example)
2) jdoe is asking to access a5
3) alice approves request for Jdoe to access a5
4) Jdoe is getting an RPT token and now can access a5 (so far so good)
5) Alice is revoking Jdoe access right for a5
6) RPT token of Jdoe is still valid (it has no yet expired)
---> Jdoe can access alice's a5 resource without any problem
For me it sounds like a bug. I was expecting Jdoe to no longer be able
to access alice's a5 resource (after revocation by alice).
Do you confirm my understanding, or is this the normal expected behavior?
Regards,
Olivier
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
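The reply at the top of the thread makes two points that are easy to miss: an RPT carries its granted permissions inside the token and is checked offline by the resource server, so a revocation in Keycloak is invisible to it until the token expires, and the only immediate lever is the realm/client "not before" push, which makes adapters refuse every token issued before that timestamp. The script below replays Olivier's steps 4 to 6 to show both effects. It is an added example and not code from the thread or from Keycloak: it mints an RPT-shaped JWT with a constructed HS256 key (real RPTs are RS256-signed with the realm key) and constructed timestamps, and the `mint_rpt`, `verify_rpt` and `scenario` helpers are illustrative names, not Keycloak or keycloak-adapter APIs. The `authorization.permissions` claim layout with `rsname` matches what an RPT contains; everything else is assumed.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. Keycloak signs RPTs with the realm's RSA key (RS256);
# HS256 is used here only so the example runs offline with the standard library.
DEMO_KEY = b"demo-secret-not-a-real-keycloak-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_rpt(permissions, iat, lifetime=300, key=DEMO_KEY):
    """Build an RPT-shaped JWT (hypothetical helper). The 'authorization.permissions'
    claim is where an RPT carries its grants; 300 s is the 5-minute default
    lifespan mentioned in the reply."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iat": iat, "exp": iat + lifetime,
               "authorization": {"permissions": permissions}}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(payload).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_rpt(token, resource, now, not_before=0, key=DEMO_KEY):
    """Offline check in the order a resource-server adapter does it: signature,
    expiry, then the pushed 'not before' timestamp, then the permission itself.
    Returns (accepted, reason) so the caller can see why a token was refused."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(p))
    if now >= claims["exp"]:
        return False, "expired"
    # A revocation in Keycloak never reaches an offline verifier: the grants are
    # baked into the token. The 'not before' push is the only immediate lever,
    # and it works by rejecting every token issued before the pushed time.
    if claims["iat"] < not_before:
        return False, "issued before not-before push"
    granted = {perm["rsname"] for perm in claims["authorization"]["permissions"]}
    if resource not in granted:
        return False, "resource not in token"
    return True, "ok"


def scenario():
    """Replays Olivier's steps 4-6 with constructed timestamps (seconds)."""
    t0 = 1_562_328_540  # fixed demo epoch; only the differences matter
    rpt = mint_rpt([{"rsname": "a5", "rsid": "res-a5"}], iat=t0)
    results = {}
    # step 4: jdoe presents the RPT and is accepted
    results["before_revoke"] = verify_rpt(rpt, "a5", now=t0 + 60)
    # steps 5/6: alice revokes at t0+120, but the token says nothing about it
    results["after_revoke_no_push"] = verify_rpt(rpt, "a5", now=t0 + 180)
    # an admin pushes 'not before' = revocation time: the token is refused at once
    results["after_revoke_with_push"] = verify_rpt(rpt, "a5", now=t0 + 180,
                                                   not_before=t0 + 120)
    # a token minted after the push passes again (if jdoe were re-granted access)
    fresh = mint_rpt([{"rsname": "a5", "rsid": "res-a5"}], iat=t0 + 130)
    results["fresh_after_push"] = verify_rpt(fresh, "a5", now=t0 + 180,
                                             not_before=t0 + 120)
    # without any push, expiry alone bounds the window of stale access
    results["expired"] = verify_rpt(rpt, "a5", now=t0 + 300)
    return results


if __name__ == "__main__":
    for name, (ok, why) in scenario().items():
        print(f"{name:24s} {'ACCEPT' if ok else 'REJECT'} ({why})")
```

The practical takeaway is the trade-off the reply hints at: a short RPT lifespan bounds how long a revoked grant keeps working, and a "not before" push closes the gap immediately, but it invalidates every token issued before that instant for the whole realm or client, not just jdoe's, so all affected clients must re-obtain tokens.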