[keycloak-dev] Disabling SAML client

Marek Posolda mposolda at redhat.com
Mon Dec 7 11:02:17 EST 2015


It seems that it works for OIDC clients. Just added a comment to 
https://issues.jboss.org/browse/KEYCLOAK-2204

But note, this email is about the SAML client. Not sure if SAML has 
something like a "refresh token"?

I guess not, so once a SAML client successfully logs into the application, 
the authenticated session on the application side is valid until the HTTP 
session expires.

Marek

On 07/12/15 16:29, Bill Burke wrote:
>
> On 12/7/2015 7:56 AM, Michal Hajas wrote:
>> Hi,
>>
>> I am wondering what should happen in second scenario below.
>>
>> I have a working SAML client and try to disable the client in the admin console in the next two scenarios:
>>
>> First:
>> 1. Disable the client in the admin console
>> 2. Try to access the client URL -> I am getting "Login requester not enabled". I think this behavior is correct.
>>
>> Second:
>> 1. Log in to the client
>> 2. Disable the client in the admin console
>> 3. Nothing happens, the secured resource is still available, even after some time.
>>
>> Is it correct? Shouldn't Keycloak forbid refreshing the token or somehow restrict access to the secured resource?
>>
> Good catch. Looks like when the refresh token and/or the client-auth flow
> was added, the check for disabled clients was lost. Both in the logic
> and in the testsuite.
>
> https://issues.jboss.org/browse/KEYCLOAK-2204
>
> FYI though, Keycloak does not broadcast disabled client events.  We let
> token timeouts and token refresh handle that.
>
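The regression Bill describes, as an added illustration that is not Keycloak code: a minimal refresh-token service where the disabled-client check is missing from one refresh path and present in the other. `TokenService`, `Client` and `RefreshToken` are hypothetical names; the clock is passed in as `now` so the behaviour is deterministic.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Client:
    client_id: str
    enabled: bool = True


@dataclass
class RefreshToken:
    client_id: str
    expires_at: float


class TokenService:
    """Hypothetical OIDC-style token service (not Keycloak's implementation)."""

    def __init__(self, clients, refresh_lifespan=1800):
        self.clients = {c.client_id: c for c in clients}
        self.refresh_lifespan = refresh_lifespan
        self.tokens = {}  # opaque refresh handle -> RefreshToken

    def login(self, client_id, now):
        # Scenario 1: a disabled client is rejected before any token is issued.
        if not self.clients[client_id].enabled:
            raise PermissionError("Login requester not enabled")
        return self._issue(client_id, now)

    def refresh_without_client_check(self, handle, now):
        # Regression (scenario 2): the refresh token is valid, so a new one is
        # issued even though the client was disabled after login.
        token = self._lookup(handle, now)
        return self._issue(token.client_id, now)

    def refresh(self, handle, now):
        # Fixed: re-check the client's enabled flag on every refresh, so
        # disabling a client takes effect at the next refresh at the latest.
        token = self._lookup(handle, now)
        if not self.clients[token.client_id].enabled:
            raise PermissionError("client disabled")
        return self._issue(token.client_id, now)

    def _lookup(self, handle, now):
        token = self.tokens.pop(handle, None)  # single use: rotated on refresh
        if token is None or token.expires_at <= now:
            raise PermissionError("invalid or expired refresh token")
        return token

    def _issue(self, client_id, now):
        handle = secrets.token_urlsafe(16)
        self.tokens[handle] = RefreshToken(client_id, now + self.refresh_lifespan)
        return handle
```

Disabling the client does not invalidate tokens already handed out; as the thread notes, the access token stays usable until it times out, and the refresh path is where the disabled state is enforced.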
