[keycloak-user] Session invalidation upon role changes?
Bill Burke
bburke at redhat.com
Thu Mar 16 14:44:47 EDT 2017
If the protocol you are using is OIDC, refreshing a token will fail if a
role issued to the original token has been revoked. There is no callback
though.
On 3/16/17 11:20 AM, Dmitry Korchemkin wrote:
> Is there a built-in way to invalidate session upon role changes in IDP?
>
> I imagine the following scenario:
> - user logs in, mapper gives him role X.
> - user, using role x, gains access to some resource or application.
> - admin removes role X from user on IDP side.
> - user needs to be logged out after that, since he doesn't have access to
> this resource anymore.
>
> I've tried removing roles in Keycloak UI and it doesn't seem to invalidate
> the session by default.
>
> I know OIDC/SAML can store additional info in its tokens and we can
> probably use it to carry roles information in refresh tokens and check it
> on application side, but maybe there's already a way to do this with some
> Keycloak configuration?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list