[keycloak-user] keycloak access token caching?

Stian Thorgersen sthorger at redhat.com
Tue Jun 28 09:49:46 EDT 2016


Direct grant (tokens obtained directly
from /auth/realms/{realm}/protocol/openid-connect/token) results in a new
user session being created. This session is not tied to the browser session
in any way. To do that you should use the proper redirect based login.

The token introspection endpoint returns that the token is still valid
after you've logged the user out from the admin console because you have two separate
user sessions. To invalidate the token obtained directly from the 'token'
endpoint you'd have to call logout on that separately.

On 24 June 2016 at 10:08, Jannik Hüls <jannik.huels at googlemail.com> wrote:

> Hi,
>
> I use the /auth/realms/{realm}/protocol/openid-connect/token endpoint
> to create a User Session. The Session is shown inside keycloak and I get
> the access_token, refresh_token and id_token.
> When I now call /auth/realms/{realm}/protocol/openid-connect/token/introspect
> I get a valid response containing "active":"true" amongst others. I
> call it using the POST method and providing client_id, client_secret and
> token parameters as data. The token parameter contains the
> access_token value.
>
> I now log in to keycloak administrator and log out the User. Now I again
> call the introspection endpoint but still get a response containing
> "active":"true". It seems that keycloak is caching the User Session and
> after some time I get "active":"false". May I be able to disable
> caching and to immediately get an introspection response that indicates that
> the User Session no longer exists?
>
> Btw.: The same happens when I call the /auth/realms/{realm}/protocol/openid-connect/logout?redirect_uri=
> endpoint. I provided the access_token in the header. POST parameters
> are client_id, client_secret and refresh_token in this case.
>
> I use the introspection endpoint in the different RPs I use to validate
> whether the access_token is revoked in order to introduce single logout.
> Hence it would be nice to disable the caching to have less inconsistency.
>
> Bests
> Jannik
>
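The session behaviour Stian describes, as an added example that is not part of the thread: an RP-side client built on the endpoint paths quoted above (direct grant, introspection, logout with the refresh token), run offline against a constructed fake that keeps one session per grant. The base URL, realm, client credentials and user are placeholders; the fake is not Keycloak's code.

```python
# Added example, not from the thread; base URL, realm, client and user values are placeholders.
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

def http_post(url, form):
    body = urlopen(Request(url, data=urlencode(form).encode(), method="POST")).read()
    return json.loads(body) if body else {}  # the logout endpoint answers with an empty body
class KeycloakClient:
    def __init__(self, base, realm, client_id, client_secret, post=http_post):
        self.ep = f"{base}/auth/realms/{realm}/protocol/openid-connect"
        self.auth = {"client_id": client_id, "client_secret": client_secret}
        self.post = post
    def direct_grant(self, username, password):
        # each direct grant creates its own user session, unrelated to any browser session
        return self.post(f"{self.ep}/token", {**self.auth, "grant_type": "password",
                                               "username": username, "password": password})
    def is_active(self, access_token):
        # RFC 7662: 'active' is a JSON boolean; never accept the string "true"
        r = self.post(f"{self.ep}/token/introspect", {**self.auth, "token": access_token})
        return r.get("active") is True
    def logout(self, refresh_token):
        # ends the session the refresh token belongs to, i.e. the direct-grant session
        return self.post(f"{self.ep}/logout", {**self.auth, "refresh_token": refresh_token})

class FakeKeycloak:
    """Constructed stand-in: one session per grant; ending one session leaves the others active."""
    def __init__(self): self.sessions, self.n = {}, 0
    def post(self, url, form):
        if url.endswith("/token"):
            self.n += 1; sid = f"s{self.n}"; self.sessions[sid] = True
            return {"access_token": f"at.{sid}", "refresh_token": f"rt.{sid}"}
        if url.endswith("/token/introspect"):
            return {"active": self.sessions.get(form["token"].split(".")[1], False)}
        if url.endswith("/logout"):
            self.sessions[form["refresh_token"].split(".")[1]] = False
            return {}
    def admin_logout(self, sid): self.sessions[sid] = False  # admin console "logout" of one session

def demo():
    kc = FakeKeycloak()
    rp = KeycloakClient("https://sso.example", "demo", "rp", "secret", post=kc.post)
    rp.direct_grant("alice", "pw")                # stands in for the browser login: session s1
    api = rp.direct_grant("alice", "pw")          # the RP's own direct-grant session: s2
    before = rp.is_active(api["access_token"])
    kc.admin_logout("s1")                         # admin logs the browser session out
    after_admin = rp.is_active(api["access_token"])
    rp.logout(api["refresh_token"])               # only this ends the direct-grant session
    return before, after_admin, rp.is_active(api["access_token"])  # -> (True, True, False)
```

Against a real server, drop the `post=` argument so the client uses `http_post`; the fake only exists to show why the token stays active after the admin-console logout.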