[keycloak-dev] Remove TokenManager.verifyAccess method?

Stian Thorgersen sthorger at redhat.com
Mon Nov 26 02:44:44 EST 2018


+1

On Wed, 14 Nov 2018 at 09:09, Marek Posolda <mposolda at redhat.com> wrote:

> Right now, during each token refresh, we're verifying if the newly
> refreshed access token still contains all the roles, which were present
> in the refresh token. If not, the refresh token is rejected.
>
> I wonder if this check can be removed? This will also allow us to remove
> the roles (realm_access and resource_access claims) from the refresh
> token. Does anyone know a reason why this check can't be removed?
>
> I think the reason why this check was originally added is due to the
> consent. Previously we did not have clientScopes and the consents on the
> consent screen were represented by individual roles and protocolMappers.
> However with clientScopes, this seems to be obsolete IMO.
>
> During token refresh, we should check that consents represented by
> clientScopes in the refresh token were not revoked by the user (or
> admin). If they were rejected, the refresh token should be rejected.
> We're doing this. However if some individual role was removed from the
> user (or from the role scope mappings), I don't see an issue with
> successfully refreshing the token and just ensuring that the revoked role
> is not in the new token anymore.
>
> WDYT?
>
> Marek
>
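An added illustration, constructed for this thread and not Keycloak's own code, of the two refresh-time policies Marek contrasts: the existing verifyAccess-style check that rejects the refresh when any role carried in the refresh token is no longer granted, beside the proposed behaviour that rejects only on revoked client-scope consent and simply leaves lost roles out of the new access token. Token claims are modelled as plain dicts; user_roles, consented_scopes and SAMPLE_REFRESH are assumed inputs, not Keycloak APIs.

```python
class RefreshRejected(Exception):
    """The refresh token must not be exchanged for a new access token."""

def _roles(token):
    # Realm roles plus resource_access roles, flattened to "client:role".
    roles = set(token.get("realm_access", {}).get("roles", []))
    for client, acc in token.get("resource_access", {}).items():
        roles.update(f"{client}:{r}" for r in acc.get("roles", []))
    return roles

def refresh_access_token(refresh_token, user_roles, consented_scopes,
                         require_all_roles):
    """New access-token claims built from the user's *current* roles/consents.
    user_roles: realm roles bare, client roles as "client:role".
    require_all_roles=True mimics the verifyAccess check discussed above:
    reject if any role from the refresh token is no longer granted. False is
    the proposed behaviour: only revoked consent rejects; a lost role is
    simply absent from the new token.
    """
    # Consent check, kept under both policies: every client scope the refresh
    # token was issued with must still be consented to (by user or admin).
    revoked = set(refresh_token["scope"].split()) - consented_scopes
    if revoked:
        raise RefreshRejected(f"consent revoked for scopes: {sorted(revoked)}")
    new_token = {"scope": refresh_token["scope"],
                 "realm_access": {"roles": []}, "resource_access": {}}
    for entry in sorted(user_roles):
        if ":" in entry:
            client, role = entry.split(":", 1)
            new_token["resource_access"].setdefault(client, {"roles": []})["roles"].append(role)
        else:
            new_token["realm_access"]["roles"].append(entry)
    if require_all_roles:
        missing = _roles(refresh_token) - _roles(new_token)
        if missing:
            raise RefreshRejected(f"roles no longer granted: {sorted(missing)}")
    return new_token

def refresh_outcome(*args):
    # Same as refresh_access_token, but returns the rejection reason as a string.
    try:
        return refresh_access_token(*args)
    except RefreshRejected as exc:
        return str(exc)

# Constructed sample: refresh token issued while the user still held "admin".
SAMPLE_REFRESH = {"scope": "openid profile",
                  "realm_access": {"roles": ["admin", "user"]},
                  "resource_access": {"account": {"roles": ["manage-account"]}}}
```

With the user now holding only "user" and "account:manage-account", the old policy rejects the refresh because "admin" is gone, while the proposed policy issues a new token without it; revoking consent to the "profile" scope rejects under both.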
