[keycloak-user] keycloak access token caching?

Stian Thorgersen sthorger at redhat.com
Wed Jun 29 02:56:58 EDT 2016


I would recommend that you use the redirect based login though.

On 29 June 2016 at 08:56, Stian Thorgersen <sthorger at redhat.com> wrote:

> You need to do a POST to that URL rather than a redirect/GET. It should
> include the param refresh_token with the value of the refresh token you
> retrieved from "../token".
>
> On 29 June 2016 at 08:35, Jannik Hüls <jannik.huels at googlemail.com> wrote:
>
>> What logout URL do I have to call? After I call the
>> /auth/realms/{realm}/protocol/openid-connect/logout?redirect_uri= endpoint
>> the session is still valid. (But it is removed in the admin console.)
>>
>> On 28 Jun 2016, at 15:49, Stian Thorgersen <sthorger at redhat.com> wrote:
>>
>> Direct grant (tokens obtained directly
>> from /auth/realms/{realm}/protocol/openid-connect/token) results in a new
>> user session being created. This session is not tied to the browser session
>> in any way. To do that you should use the proper redirect based login.
>>
>> The token introspection endpoint returns that the token is still valid
>> after you've logged out from the admin console because you have two separate
>> user sessions. To invalidate the token obtained directly from the 'token'
>> endpoint you'd have to call logout on that separately.
>>
>> On 24 June 2016 at 10:08, Jannik Hüls <jannik.huels at googlemail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> I use the /auth/realms/{realm}/protocol/openid-connect/token
>>> endpoint to create a user session. The session is shown inside Keycloak and
>>> I get the access_token, refresh_token and id_token.
>>> When I now call /auth/realms/{realm}/protocol/openid-connect/token/introspect
>>> I get a valid response containing "active":"true" amongst others. I
>>> call it using the POST method, providing client_id, client_secret and
>>> token parameters as data. The token parameter contains the
>>> access_token value.
>>>
>>> I now log in to the Keycloak administration console and log out the user. Now I again
>>> call the introspection endpoint but still get a response containing
>>> "active":"true". It seems that Keycloak is caching the user session,
>>> and after some time I get "active":"false". Is it possible to disable
>>> caching and immediately get an introspection response that indicates that
>>> the user session no longer exists?
>>>
>>> Btw.: The same happens when I call the /auth/realms/{realm}/protocol/openid-connect/logout?redirect_uri=
>>> endpoint. I provided the access_token in the header. POST parameters
>>> are client_id, client_secret and refresh_token in this case.
>>>
>>> I use the introspection endpoint in the different RPs I use to validate
>>> whether the access_token is revoked in order to introduce single logout.
>>> Hence it would be nice to disable the caching to have less inconsistency.
>>>
>>> Bests
>>> Jannik
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>
>
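The exchange discussed in this thread (direct grant at the token endpoint, introspection, then a POST to the logout endpoint carrying refresh_token, followed by a second introspection), as an added example that is not part of the thread or of the Keycloak project. It assumes a confidential client with Direct Access Grants enabled; the base URL https://kc.example, realm "demo", client "rp"/"s3cret" and user "jannik"/"pw" are placeholders, and FakeKeycloak is a constructed in-memory stand-in for the three endpoints that models the behaviour Stian describes so the script runs offline.

```python
"""Direct grant -> introspect -> logout against Keycloak's OpenID Connect endpoints.
Added example, not code from this thread or the Keycloak project. Assumes a confidential
client with Direct Access Grants enabled; base URL, realm, client and user are placeholders."""
import json
import urllib.error
import urllib.parse
import urllib.request

def endpoint(base_url, realm, name):
    """.../auth/realms/{realm}/protocol/openid-connect/{name}, the path form used in the thread."""
    return f"{base_url.rstrip('/')}/auth/realms/{realm}/protocol/openid-connect/{name}"

def http_post_form(url, fields):
    """POST an application/x-www-form-urlencoded body; return (status, body_text)."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

class KeycloakClient:
    def __init__(self, base_url, realm, client_id, client_secret, post=http_post_form):
        self.base_url, self.realm = base_url, realm
        self.creds = {"client_id": client_id, "client_secret": client_secret}
        self.post = post  # transport is injectable so the flow can also run offline

    def direct_grant(self, username, password):
        """Resource Owner Password grant: creates a user session not tied to any browser."""
        status, body = self.post(endpoint(self.base_url, self.realm, "token"),
                                 {**self.creds, "grant_type": "password",
                                  "username": username, "password": password})
        if status != 200:
            raise RuntimeError(f"direct grant failed: {status} {body}")
        return json.loads(body)  # access_token, refresh_token, id_token, ...

    def introspect(self, token):
        """RFC 7662 introspection; 'active' turns False once the issuing session is gone."""
        _, body = self.post(endpoint(self.base_url, self.realm, "token/introspect"),
                            {**self.creds, "token": token})
        return json.loads(body)

    def logout(self, refresh_token):
        """End the direct-grant session: a POST carrying refresh_token, not a GET with redirect_uri."""
        status, _ = self.post(endpoint(self.base_url, self.realm, "logout"),
                              {**self.creds, "refresh_token": refresh_token})
        return status in (200, 204)

def single_logout_check(client, username, password):
    """The flow from the thread: grant, introspect, POST logout, introspect again."""
    tokens = client.direct_grant(username, password)
    active_before = client.introspect(tokens["access_token"])["active"]
    logged_out = client.logout(tokens["refresh_token"])
    active_after = client.introspect(tokens["access_token"])["active"]
    return active_before, logged_out, active_after

def other_session_survives(client, username, password):
    """Two direct grants are two sessions: ending the first leaves the second token active."""
    first, second = client.direct_grant(username, password), client.direct_grant(username, password)
    client.logout(first["refresh_token"])
    return client.introspect(second["access_token"])["active"]

class FakeKeycloak:
    """Constructed stand-in for the three endpoints, modelling the thread's behaviour: each direct
    grant is its own session, and its access token introspects as active until that session's
    refresh_token is POSTed to /logout. Not Keycloak's real implementation."""

    def __init__(self, client_id, client_secret, users):
        self.client_id, self.client_secret, self.users = client_id, client_secret, users
        self.sessions = {}  # refresh_token -> access_token of the live session
        self.issued = 0

    def __call__(self, url, fields):
        if (fields.get("client_id"), fields.get("client_secret")) != (self.client_id, self.client_secret):
            return 401, json.dumps({"error": "invalid_client"})
        name = url.rsplit("/openid-connect/", 1)[1]
        if name == "token":
            if (fields.get("grant_type") != "password"
                    or self.users.get(fields.get("username")) != fields.get("password")):
                return 401, json.dumps({"error": "invalid_grant"})
            self.issued += 1
            access, refresh = f"at-{self.issued}", f"rt-{self.issued}"
            self.sessions[refresh] = access
            return 200, json.dumps({"access_token": access, "refresh_token": refresh})
        if name == "token/introspect":
            return 200, json.dumps({"active": fields.get("token") in self.sessions.values()})
        if name == "logout":
            if self.sessions.pop(fields.get("refresh_token", ""), None) is None:
                return 400, json.dumps({"error": "invalid_grant"})
            return 204, ""
        return 404, ""

if __name__ == "__main__":  # offline demo against the constructed stand-in
    client = KeycloakClient("https://kc.example", "demo", "rp", "s3cret",
                            post=FakeKeycloak("rp", "s3cret", {"jannik": "pw"}))
    print(single_logout_check(client, "jannik", "pw"), other_session_survives(client, "jannik", "pw"))
```

Run as-is, the script exercises the stand-in and prints (True, True, False) followed by True: the token is active after the grant, the POST logout succeeds, the token is then inactive, and a second direct-grant session is untouched by logging out the first. To run it against a real realm, construct KeycloakClient with your base URL and credentials and leave the default http_post_form transport in place. The GET to .../logout?redirect_uri= that Jannik tried carries no refresh_token, which is why logout() sends it in a POST body instead.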