[keycloak-user] Session invalidation upon role changes?

Dmitry Korchemkin moon3854 at gmail.com
Fri Mar 17 07:03:47 EDT 2017


Can you elaborate on the "refreshing a token will fail if a
role issued to the original token has been revoked" part please? As far as
I understand, issuing a new token with a role revoked will just give the
user a new token. Why should it fail?

We have the following scenario: frontend, backend and IdP. Frontend sends a
request with an OIDC token to backend. How will backend know if the list of
roles in the token is not up-to-date?

We expect that keycloak will monitor user changes. If a change affects
information in OIDC token then the token must be treated as invalid and
there should be an endpoint to check token validity.

2017-03-16 21:44 GMT+03:00 Bill Burke <bburke at redhat.com>:

> If the protocol you are using is OIDC, refreshing a token will fail if a
> role issued to the original token has been revoked. There is no callback
> though.
>
>
> On 3/16/17 11:20 AM, Dmitry Korchemkin wrote:
> > Is there a built-in way to invalidate session upon role changes in IDP?
> >
> > I imagine the following scenario:
> > - user logs in, mapper gives him role X.
> > - user, using role x, gains access to some resource or application.
> > - admin removes role X from user on IDP side.
> > - user needs to be logged out after that, since he doesn't have access to
> > this resource anymore.
> >
> > I've tried removing roles in Keycloak UI and it doesn't seem to invalidate
> > the session by default.
> >
> > I know OIDC/SAML can store additional info in its tokens and we can
> > probably use it to carry roles information in refresh tokens and check it
> > on application side, but maybe there's already a way to do this with some
> > Keycloak configuration?
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
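Since the reply above says the IdP re-checks roles only at refresh time and gives no callback, a backend can bound how stale a token's role claims may be by refusing unexpired tokens that were issued too long ago, which forces a refresh. The following is an added example, not code from the thread or from Keycloak; it assumes Keycloak-style claims (`realm_access.roles`, `resource_access.<client>.roles`, `iat`, `exp`), a constructed `MAX_ROLE_AGE_SECONDS` policy value, and that the token signature is verified elsewhere by the resource server's JWT library.

```python
"""Backend-side bound on stale roles when the IdP gives no revocation callback.
Assumes Keycloak-style claims and that the signature was already verified."""
import base64
import json

# Constructed policy value (assumption): accept a token's role claims for at
# most this long after issuance. Past this age the backend demands a refresh,
# and the refresh is where the IdP re-checks that the roles are still granted.
MAX_ROLE_AGE_SECONDS = 300


def decode_payload(token: str) -> dict:
    """Decode the JWT payload segment (no signature check; verify upstream)."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


def roles_in_token(claims: dict, client_id: str) -> set:
    """Roles as Keycloak places them: realm roles plus this client's roles."""
    realm = claims.get("realm_access", {}).get("roles", [])
    client = claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    return set(realm) | set(client)


def check_access(claims: dict, client_id: str, required_role: str, now: int):
    """Return (allowed, reason). Rejecting an unexpired but old token forces the
    client to refresh, which fails at the IdP if the role was revoked."""
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if now - claims.get("iat", 0) > MAX_ROLE_AGE_SECONDS:
        return False, "refresh_required"
    if required_role not in roles_in_token(claims, client_id):
        return False, "missing_role"
    return True, "ok"


def make_token(claims: dict) -> str:
    """Constructed, unsigned sample token for offline testing only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


if __name__ == "__main__":
    sample = make_token({"iat": 1000, "exp": 1900, "realm_access": {"roles": ["X"]}})
    print(check_access(decode_payload(sample), "backend", "X", now=1100))
```

With a short `MAX_ROLE_AGE_SECONDS` the window during which a revoked role still grants access is at most that long, independent of the access token's `exp`.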

