Can you elaborate on the "refreshing a token will fail if a
role issued to the original token has been revoked" part please? As far as
I understand, issuing a new token with a role revoked will just give the
user a new token. Why should it fail?
We have the following scenario: frontend, backend and IdP. Frontend sends a
request with an OIDC token to the backend. How will the backend know if the list of
roles in the token is not up-to-date?
We expect that Keycloak will monitor user changes. If a change affects
information in the OIDC token then the token must be treated as invalid and
there should be an endpoint to check token validity.
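The "endpoint to check token validity" asked for above is what OAuth2 token introspection (RFC 7662) provides; Keycloak exposes one per realm. The following is an added example, not code from the thread or from Keycloak: a backend that verifies the token's signature and expiry locally and then asks the IdP's introspection endpoint whether the token is still active, so a role revoked after issue is caught before the token expires. The IdP here is an in-memory stub, the tokens are HS256 JWTs under a constructed shared secret (real Keycloak realms sign with RS256), and the stub's rule that a token whose roles no longer match the user's current roles is inactive is an assumption that mirrors what the reply describes for refresh.

```python
"""Added example (not from the thread or Keycloak): local JWT checks plus an
RFC 7662-style introspection call to detect revoked roles before expiry.
All names, the secret and the IdP behaviour are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-shared-secret"  # constructed for the demo; never hard-code in real code


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def verify_locally(token, now=None):
    """Backend-side check: signature and expiry only (no IdP round trip).
    Always verifies as HS256, so the header's alg claim cannot be abused."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    now = now if now is not None else time.time()
    if claims.get("exp", 0) <= now:
        return None
    return claims


class StubIdP:
    """Stand-in for the IdP: issues tokens, tracks live role assignments
    and answers introspection requests (assumed behaviour, not Keycloak's code)."""

    def __init__(self):
        self.user_roles = {}  # username -> set of roles currently assigned
        self.issued = {}      # jti -> (username, roles at issue time)
        self._counter = 0

    def assign_role(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def issue_token(self, user, lifetime=300, now=None):
        now = int(now if now is not None else time.time())
        self._counter += 1
        jti = f"tok-{self._counter}"
        roles = sorted(self.user_roles.get(user, set()))
        claims = {"sub": user, "roles": roles, "iat": now, "exp": now + lifetime, "jti": jti}
        self.issued[jti] = (user, set(roles))
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        body = _b64url(json.dumps(claims).encode())
        sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        return f"{header}.{body}.{_b64url(sig)}"

    def introspect(self, token, now=None):
        """RFC 7662-style answer: active only if the token is known, unexpired,
        and every role it carries is still assigned to the user."""
        claims = verify_locally(token, now)
        if claims is None:
            return {"active": False}
        sub, issued_roles = self.issued.get(claims["jti"], (None, set()))
        if sub != claims["sub"] or not issued_roles <= self.user_roles.get(sub, set()):
            return {"active": False}
        return {"active": True, "sub": sub, "roles": sorted(issued_roles)}


def authorize(idp, token, required_role, now=None):
    """Grant only if the token verifies locally AND the IdP still reports it
    active with the required role; local checks alone miss revocation."""
    claims = verify_locally(token, now)
    if claims is None or required_role not in claims.get("roles", []):
        return False
    info = idp.introspect(token, now)
    return bool(info.get("active")) and required_role in info.get("roles", [])


def demo():
    """Walk through the scenario from the thread with fixed timestamps."""
    idp = StubIdP()
    idp.assign_role("alice", "X")
    tok = idp.issue_token("alice", now=1000)
    before = authorize(idp, tok, "X", now=1010)               # role X still assigned
    idp.revoke_role("alice", "X")                              # admin removes role X
    still_valid_locally = verify_locally(tok, now=1020) is not None  # signed, unexpired
    after = authorize(idp, tok, "X", now=1020)                # introspection says inactive
    expired = authorize(idp, tok, "X", now=2000)              # past exp
    return before, still_valid_locally, after, expired


if __name__ == "__main__":
    print(demo())
```

The point of `demo()` is the middle two results: after the admin revokes role X the token still passes every check the backend can do on its own (signature, expiry, roles claim), and only the introspection round trip reveals that it is no longer good. The trade-off is one IdP call per request, which is why deployments usually pair a short access-token lifetime with introspection only on sensitive operations.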
2017-03-16 21:44 GMT+03:00 Bill Burke <bburke(a)redhat.com>:
If the protocol you are using is OIDC, refreshing a token will fail if a
role issued to the original token has been revoked. There is no callback
though.
On 3/16/17 11:20 AM, Dmitry Korchemkin wrote:
> Is there a built-in way to invalidate session upon role changes in IDP?
>
> I imagine the following scenario:
> - user logs in, mapper gives him role X.
> - user, using role x, gains access to some resource or application.
> - admin removes role X from user on IDP side.
> - user needs to be logged out after that, since he doesn't have access to
> this resource anymore.
>
> I've tried removing roles in Keycloak UI and it doesn't seem to invalidate
> the session by default.
>
> I know OIDC/SAML can store additional info in its tokens and we can
> probably use it to carry roles information in refresh tokens and check it
> on application side, but maybe there's already a way to do this with some
> Keycloak configuration?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
>
> https://lists.jboss.org/mailman/listinfo/keycloak-user