[keycloak-user] Session Logout with Offline Access Token
Benjamin Zaitlen
quasiben at gmail.com
Fri Mar 24 17:20:13 EDT 2017
Hi All,
I'm having some trouble with sessions, clients, and offline access tokens.
Let's say I have a client (APP 1) and I've logged in with OIDC. I now have
a refresh_token and session for APP 1. Using the auth code flow I can
generate an offline_access token (refresh_token) for a second client: APP
2. When I look in realms/myrealm/account/sessions, I see one session
but two clients. At first I thought, great! I was able to get the auth
code flow working and I generated a refresh token for a second client.
But then disaster set in: when I logged out of the APP 1 client with the
URL protocol/openid-connect/logout, I was logged out of the session, which
included the second client, and thus the offline access token for APP 2
was effectively revoked.
I've seen a handful of JIRAs related to offline access tokens and logouts,
but I think they don't quite cover this use case. I have two questions:
1. Is it possible, using the auth code flow, to generate a refresh token in
a separate session? That is, can APP 1 generate an offline_access token for
APP 2 in a separate session without re-authenticating?
2. Can I log out a specific client for a session by passing additional
parameters in the logout URL?
Thanks,
--Ben
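The post describes two Keycloak requests (an authorization-code request with scope offline_access, and a call to the logout endpoint) and asks whether the resulting offline token shares a session with the first client. A first diagnostic step is to decode both refresh tokens locally and compare the session they were minted in. The script below is an added example, not code from the post or from the Keycloak project: the endpoint paths, the `scope=offline_access` request and the `typ`, `azp` and `session_state` claims are standard Keycloak behaviour, while the base URL, realm, client ids, secrets and the sample tokens are constructed here for illustration.

```python
"""Inspect which Keycloak session a refresh or offline token belongs to.

Added example, not from the mailing-list post or the Keycloak project.
BASE, REALM, the client ids and the sample tokens are assumptions.
"""
import base64
import json
import urllib.parse

# Hypothetical deployment values (assumptions, not from the post).
BASE = "https://sso.example.com/auth"
REALM = "myrealm"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload of a JWT WITHOUT verifying its signature.

    Only for inspecting a token you already hold; never base an
    authorization decision on an unverified payload."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def is_offline_token(token: str) -> bool:
    """Keycloak marks offline refresh tokens with typ "Offline";
    ordinary refresh tokens carry typ "Refresh"."""
    return decode_claims(token).get("typ") == "Offline"


def same_session(token_a: str, token_b: str) -> bool:
    """True when both tokens carry the same Keycloak session_state,
    i.e. were minted against the same user session."""
    a, b = decode_claims(token_a), decode_claims(token_b)
    sid = a.get("session_state")
    return sid is not None and sid == b.get("session_state")


def offline_auth_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Authorization-code request asking Keycloak for an offline token."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid offline_access",
        "redirect_uri": redirect_uri,
        "state": state,
    }
    endpoint = f"{BASE}/realms/{REALM}/protocol/openid-connect/auth"
    return endpoint + "?" + urllib.parse.urlencode(params)


def logout_request(client_id: str, client_secret: str, refresh_token: str):
    """URL and form body for a POST to Keycloak's logout endpoint, which
    invalidates the session the refresh token belongs to."""
    url = f"{BASE}/realms/{REALM}/protocol/openid-connect/logout"
    form = {
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    }
    return url, form


def _fake_jwt(claims: dict) -> str:
    """Build an unsigned sample token (constructed test data only)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig"


# Constructed sample tokens: a regular refresh token issued to APP 1 and an
# offline token issued to APP 2 inside the same user session.
SESSION = "5b3e2c1a-9d7f-4e6b-8a2c-0f1d3e5b7a9c"
APP1_REFRESH = _fake_jwt({"typ": "Refresh", "azp": "app1", "session_state": SESSION})
APP2_OFFLINE = _fake_jwt({"typ": "Offline", "azp": "app2", "session_state": SESSION})


def report(token: str) -> str:
    c = decode_claims(token)
    return f"client={c.get('azp')} typ={c.get('typ')} session={c.get('session_state')}"


if __name__ == "__main__":
    print(report(APP1_REFRESH))
    print(report(APP2_OFFLINE))
    print("same session:", same_session(APP1_REFRESH, APP2_OFFLINE))
    print(offline_auth_url("app2", "https://app2.example.com/cb", "xyz123"))
```

If the two tokens report the same session_state, a logout driven by either client's refresh token targets that shared session; compare the claims of the tokens your own deployment issues before deciding how to separate the clients.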