[keycloak-user] keycloak access token caching?

Stian Thorgersen sthorger at redhat.com
Wed Jun 29 02:56:16 EDT 2016


You need to do a post to that URL rather than a redirect/GET. It should
include the param refresh_token with the value of the refresh token you
retrieved from "../token".

On 29 June 2016 at 08:35, Jannik Hüls <jannik.huels at googlemail.com> wrote:

> What logout URL do I have to call? After I call the
> /auth/realms/{realm}/protocol/openid-connect/logout?redirect_uri= endpoint
> the session is still valid. (But it is removed in the admin console.)
>
> On 28 Jun 2016, at 15:49, Stian Thorgersen <sthorger at redhat.com> wrote:
>
> Direct grant (tokens obtained directly
> from /auth/realms/{realm}/protocol/openid-connect/token) results in a new
> user session being created. This session is not tied to the browser session
> in any way. To do that you should use the proper redirect based login.
>
> The token introspection endpoint returns that the token is still valid
> after you've logged out from the admin console because you have two separate
> user sessions. To invalidate the token obtained directly from the 'token'
> endpoint you'd have to call logout on that separately.
>
> On 24 June 2016 at 10:08, Jannik Hüls <jannik.huels at googlemail.com> wrote:
>
>> Hi,
>>
>> I use the /auth/realms/{realm}/protocol/openid-connect/token endpoint
>> to create a User Session. The Session is shown inside Keycloak and I get
>> the access_token, refresh_token and id_token.
>> When I now call /auth/realms/{realm}/protocol/openid-connect/token/introspect
>> I get a valid response containing "active":"true" amongst others. I
>> call it using the POST method and provide client_id, client_secret and
>> token as data parameters. The token parameter contains the
>> access_token value.
>>
>> I now log in to the Keycloak administrator and log out the User. Now I again
>> call the introspection endpoint but still get a response containing
>> "active":"true". It seems that Keycloak is caching the User Session
>> and after some time I get "active":"false". Am I able to disable
>> caching and immediately get an introspection response that indicates that
>> the User Session no longer exists?
>>
>> Btw.: The same happens when I call the /auth/realms/{realm}/protocol/openid-connect/logout?redirect_uri=
>> endpoint. I provided the access_token in the header. POST parameters
>> are client_id, client_secret and refresh_token in this case.
>>
>> I use the introspection endpoint in the different RPs I use to validate
>> whether the access_token is revoked in order to introduce single logout.
>> Hence it would be nice to disable the caching to have less inconsistency.
>>
>> Bests
>> Jannik
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
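The flow the thread discusses, as an added example that is not part of the thread or of Keycloak's own code: a direct-grant login creates its own user session, introspection reports it active, an admin-console logout of a browser session leaves it untouched, and only a POST to the logout endpoint carrying refresh_token (plus client_id and client_secret) ends it. The endpoint paths and form parameters are the ones named in the messages; grant_type=password is the standard OAuth 2.0 resource-owner password grant. The base URL, realm, client credentials and the FakeKeycloakTransport (a constructed stand-in so the script runs offline) are assumptions; swap in urllib_post to talk to a real server.

```python
"""Direct-grant login, introspection and explicit logout against the
Keycloak openid-connect endpoints named in the thread. Example code,
not Keycloak's own client library."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Tuple

# Transport: post(url, form_fields) -> parsed JSON body ({} when the body is empty).
PostFn = Callable[[str, Dict[str, str]], dict]


def urllib_post(url: str, fields: Dict[str, str]) -> dict:
    """Real transport: form-encoded POST; the logout endpoint answers with an empty body."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw.strip() else {}


class DirectGrantClient:
    """Thin client for the three endpoints discussed; base_url and realm are caller-supplied."""

    def __init__(self, base_url: str, realm: str, client_id: str, client_secret: str,
                 post: PostFn = urllib_post):
        self.base = f"{base_url.rstrip('/')}/auth/realms/{realm}/protocol/openid-connect"
        self.client_id, self.client_secret, self.post = client_id, client_secret, post

    def _creds(self) -> Dict[str, str]:
        return {"client_id": self.client_id, "client_secret": self.client_secret}

    def direct_grant(self, username: str, password: str) -> dict:
        # Resource-owner password grant: creates a user session not tied to any browser session.
        return self.post(f"{self.base}/token", {**self._creds(), "grant_type": "password",
                                                 "username": username, "password": password})

    def is_active(self, access_token: str) -> bool:
        # Introspection: the access token goes in 'token'; only a JSON boolean true counts as active.
        resp = self.post(f"{self.base}/token/introspect", {**self._creds(), "token": access_token})
        return resp.get("active") is True

    def logout(self, refresh_token: str) -> None:
        # A POST with refresh_token, not a GET/redirect to the logout URL, ends the direct-grant session.
        self.post(f"{self.base}/logout", {**self._creds(), "refresh_token": refresh_token})


class FakeKeycloakTransport:
    """Constructed stand-in for a Keycloak server so the example runs offline. It models only
    what the thread describes: every direct grant makes its own session, a browser login makes
    a separate one, introspection is active while the token's session exists, and logout ends
    exactly the session the refresh token belongs to."""

    def __init__(self):
        self.sessions: Dict[str, str] = {}   # refresh_token -> access_token
        self.calls = []                      # (url, fields) log for inspection

    def open_browser_session(self) -> str:
        rt = f"browser-refresh-{len(self.sessions)}"
        self.sessions[rt] = f"browser-access-{len(self.sessions)}"
        return rt

    def admin_console_logout(self, refresh_token: str) -> None:
        # What the admin console does: removes one user session, nothing else.
        self.sessions.pop(refresh_token, None)

    def __call__(self, url: str, fields: Dict[str, str]) -> dict:
        self.calls.append((url, fields))
        path = url.rsplit("/openid-connect", 1)[1]
        if path == "/token" and fields.get("grant_type") == "password":
            n = len(self.sessions)
            self.sessions[f"refresh-{n}"] = f"access-{n}"
            return {"access_token": f"access-{n}", "refresh_token": f"refresh-{n}"}
        if path == "/token/introspect":
            return {"active": fields["token"] in self.sessions.values()}
        if path == "/logout":
            self.sessions.pop(fields["refresh_token"], None)
            return {}
        raise ValueError(f"unexpected request {path}")


def single_logout_check(client: DirectGrantClient, username: str, password: str) -> Tuple[bool, bool]:
    """Returns (active before explicit logout, active after explicit logout)."""
    tokens = client.direct_grant(username, password)
    before = client.is_active(tokens["access_token"])
    client.logout(tokens["refresh_token"])
    after = client.is_active(tokens["access_token"])
    return before, after


if __name__ == "__main__":
    fake = FakeKeycloakTransport()
    client = DirectGrantClient("http://keycloak.example", "demo", "rp-client", "rp-secret", post=fake)
    print(single_logout_check(client, "alice", "correct-horse"))
```

The check an RP should run for single logout is therefore not "is the browser session gone" but "does introspection of this access token still say active"; until the direct-grant session's own refresh_token has been posted to the logout endpoint, it will.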