9:33 a.m.
Hi,
I have been doing some experiments with Keycloak and encountered a problem:
If a user is logged in and her client role mappings are changed in the
admin UI, why is an exception thrown "User no long has permission for
client role OLD_ROLE" when the token expires and the refresh token is used
to acquire a new one?
I was expecting the new token to contain the new set of roles, but instead
got this error.
Thanks for your help!
Best regards,
Thomas
1:10 p.m.
Hi,
On Wed, Aug 19, 2015 at 5:33 PM, Thomas Raehalme <
thomas.raehalme(a)aitiofinland.com> wrote:
If a user is logged in and her client role mappings are changed in
the
admin UI, why is an exception thrown "User no long has permission for
client role OLD_ROLE" when the token expires and the refresh token is used
to acquire a new one?
I was expecting the new token to contain the new set of roles, but instead
got this error.
Redirecting the user to the Keycloak login seems to fix this issue.
Best regards,
Thomas
8:25 p.m.
If you remove a role mapping that the old token has, the refresh token
becomes invalid. We should probably rethink that a little and only
throw an error if consent from the user is required.
On 8/19/2015 10:33 AM, Thomas Raehalme wrote:
Hi,
I have been doing some experiments with Keycloak and encountered a problem:
If a user is logged in and her client role mappings are changed in the
admin UI, why is an exception thrown "User no long has permission for
client role OLD_ROLE" when the token expires and the refresh token is
used to acquire a new one?
I was expecting the new token to contain the new set of roles, but
instead got this error.
Thanks for your help!
Best regards,
Thomas
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
2:18 a.m.
+1 We should just update the access token with new details and roles
Not sure if this is really an issue, but would there be a case where an application caches
the claims in the token? I don't think there is, but if we do update the token we
should make it 100% clear in the docs that this will happen.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-user(a)lists.jboss.org
Sent: Thursday, 20 August, 2015 3:25:36 AM
Subject: Re: [keycloak-user] Exception after changing roles
If you remove a role mapping that the old token has, the refresh token
becomes invalid. We should probably rethink that a little and only
throw an error if consent from the user is required.
On 8/19/2015 10:33 AM, Thomas Raehalme wrote:
> Hi,
>
> I have been doing some experiments with Keycloak and encountered a problem:
>
> If a user is logged in and her client role mappings are changed in the
> admin UI, why is an exception thrown "User no long has permission for
> client role OLD_ROLE" when the token expires and the refresh token is
> used to acquire a new one?
>
> I was expecting the new token to contain the new set of roles, but
> instead got this error.
>
> Thanks for your help!
>
> Best regards,
> Thomas
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
9:18 a.m.
On 8/20/2015 3:18 AM, Stian Thorgersen wrote:
+1 We should just update the access token with new details and roles
Not sure if this is really an issue, but would there be a case where an application
caches the claims in the token? I don't think there is, but if we do update the token
we should make it 100% clear in the docs that this will happen.
The problem is consent. If a client requires consent, you can't add new
details to the token without that consent. Looks like we don't check
for that, we should.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9:23 a.m.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org
Sent: Thursday, 20 August, 2015 4:18:24 PM
Subject: Re: [keycloak-user] Exception after changing roles
On 8/20/2015 3:18 AM, Stian Thorgersen wrote:
> +1 We should just update the access token with new details and roles
>
> Not sure if this is really an issue, but would there be a case where an
> application caches the claims in the token? I don't think there is, but if
> we do update the token we should make it 100% clear in the docs that this
> will happen.
>
The problem is consent. If a client requires consent, you can't add new
details to the token without that consent. Looks like we don't check
for that, we should.
I would say new token should contain the details the users has + what details the clients
is permitted to, and when we can't ask for user consent that equates to the client not
being permitted.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
3416
days inactive
3417
days old
5 comments
3 participants
participants (3)
-
Bill Burke -
Stian Thorgersen -
Thomas Raehalme