[keycloak-user] Exception after changing roles

Stian Thorgersen stian at redhat.com
Thu Aug 20 03:18:09 EDT 2015


+1. We should just update the access token with new details and roles.

Not sure if this is really an issue, but would there be a case where an application caches the claims in the token? I don't think there is, but if we do update the token we should make it 100% clear in the docs that this will happen.

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, 20 August, 2015 3:25:36 AM
> Subject: Re: [keycloak-user] Exception after changing roles
> 
> If you remove a role mapping that the old token has, the refresh token
> becomes invalid.  We should probably rethink that a little and only
> throw an error if consent from the user is required.
> 
> On 8/19/2015 10:33 AM, Thomas Raehalme wrote:
> > Hi,
> >
> > I have been doing some experiments with Keycloak and encountered a problem:
> >
> > If a user is logged in and her client role mappings are changed in the
> > admin UI, why is an exception thrown "User no long has permission for
> > client role OLD_ROLE" when the token expires and the refresh token is
> > used to acquire a new one?
> >
> > I was expecting the new token to contain the new set of roles, but
> > instead got this error.
> >
> > Thanks for your help!
> >
> > Best regards,
> > Thomas
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
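The two refresh policies discussed in this thread, plus the claim-caching case Stian asks about, can be walked through in a small simulation. This is an added example, not Keycloak's code: the user `alice`, the client `my-app`, the roles `OLD_ROLE` / `NEW_ROLE`, the `CURRENT_MAPPINGS` table and the `ClaimsCache` class are all constructed for illustration. `refresh_strict` reproduces the behaviour Thomas hit (refresh refused when a role the old token carried has been unmapped); `refresh_with_current_roles` is the proposed alternative (new token reflects the mappings as they are now); `ClaimsCache` shows why the docs would need to spell that out, since an application that keeps the roles from the first token it validated keeps granting a removed role until it re-reads the refreshed token.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    subject: str
    client: str
    roles: frozenset  # client roles as they stood when the token was issued


class RefreshDenied(Exception):
    """Raised when a refresh is refused; mirrors the error quoted in the thread."""


# Constructed sample data: client-role mappings as the admin UI holds them *now*.
# OLD_ROLE has been removed from alice on my-app and NEW_ROLE has been added.
CURRENT_MAPPINGS = {
    ("alice", "my-app"): frozenset({"user", "NEW_ROLE"}),
}


def current_roles(subject, client):
    """Look up the mappings that are in force at refresh time."""
    return CURRENT_MAPPINGS.get((subject, client), frozenset())


def refresh_strict(old):
    """Behaviour the thread describes: any role the old token carried that is
    no longer mapped makes the refresh token invalid."""
    now = current_roles(old.subject, old.client)
    lost = old.roles - now
    if lost:
        raise RefreshDenied(
            f"User no longer has permission for client role {sorted(lost)[0]}")
    return Token(old.subject, old.client, now)


def refresh_with_current_roles(old):
    """Behaviour proposed in the thread: issue a fresh token that reflects the
    mappings as they are now, with roles removed as well as added."""
    now = current_roles(old.subject, old.client)
    return Token(old.subject, old.client, now)


class ClaimsCache:
    """Constructed: an application that keeps the roles from the token it
    validated and consults that copy on later requests instead of the token."""

    def __init__(self):
        self._roles = {}

    def store(self, token):
        self._roles[token.subject] = token.roles

    def has_role(self, subject, role):
        return role in self._roles.get(subject, frozenset())


def demo():
    """Walk through the scenario; returns the observations worth checking."""
    old = Token("alice", "my-app", frozenset({"user", "OLD_ROLE"}))
    out = {}

    # 1. Strict policy: the refresh is refused because OLD_ROLE was unmapped.
    try:
        refresh_strict(old)
        out["strict"] = "ok"
    except RefreshDenied as exc:
        out["strict"] = str(exc)

    # 2. Proposed policy: a new token carrying the current role set.
    new = refresh_with_current_roles(old)
    out["new_roles"] = set(new.roles)

    # 3. Caching caveat: the app refreshed the token but not its cached claims,
    #    so OLD_ROLE is still honoured until the cache is updated from the new token.
    cache = ClaimsCache()
    cache.store(old)
    out["stale_allows_old_role"] = cache.has_role("alice", "OLD_ROLE")
    cache.store(new)
    out["fresh_allows_old_role"] = cache.has_role("alice", "OLD_ROLE")
    return out


if __name__ == "__main__":
    print(demo())
```

The cache step is the point of the "100% clear in the docs" remark: once refresh silently changes the role set, any application that copies claims out of the token must treat the refreshed token as the source of truth and overwrite its copy, otherwise a revoked role stays effective for as long as the cache lives.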

