[keycloak-user] Session Logout with Offline Access Token

Benjamin Zaitlen quasiben at gmail.com
Wed Mar 29 07:43:15 EDT 2017


Any thoughts on this?

--Ben

On Fri, Mar 24, 2017 at 5:20 PM, Benjamin Zaitlen <quasiben at gmail.com>
wrote:

> Hi All,
>
> I'm having some trouble with sessions, clients, and offline access
> tokens.  Let's say I have a client (APP 1) and I've logged in with OIDC.  I
> now have a refresh_token and session for APP 1. Using the auth code flow I
> can generate an offline_access token (refresh_token) for a second client:
> APP 2.   When I look in *realms/myrealm/account/sessions*, I see one
> session but two clients.  At first I thought, great!  I was able to get the
> auth code flow working and I generated a refresh token for a second client.
>
> But then disaster set in, when I logged out of the APP 1 client with the
> URL: *protocol/openid-connect/logout*. I was logged out of the session which
> included the *second client* and thus the offline access token for APP 2
> was effectively revoked.
>
> I've seen a handful of JIRAs related to offline access tokens and logouts
> but I think they don't quite cover this usecase. I have two questions:
>
> 1. Is it possible, using the auth code flow, to generate a refresh token
> in separate session. That is can APP 1 generate an offline_access token for
> APP 2 in a separate session without re-authenticating?
>
> 2. Can I logout a specific client for a session by passing additional
> parameters in the logout URL ?
>
> Thanks,
> --Ben
>
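An added diagnostic for the situation described in the quoted message (not code from this thread or from the Keycloak project). Keycloak refresh and offline tokens are JWTs whose `typ` claim is "Refresh" or "Offline", whose `azp` claim names the client they were issued to and whose `session_state` claim identifies the user session they are bound to; the example decodes held tokens, groups them by session so you can see that APP 1's refresh token and APP 2's offline token share one session (and will therefore fall together on logout), and offers a `refresh_token` grant against the token endpoint as the check that tells you whether an offline token survived a logout. The sample tokens are constructed with a placeholder signature, and the realm URL, client ids and secret in the `__main__` block are hypothetical.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Keycloak token "typ" values: ordinary refresh token vs. offline token.
TYP_REFRESH = "Refresh"
TYP_OFFLINE = "Offline"


def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)  # JWT segments omit base64 padding
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Constructed sample only: real Keycloak tokens are RS256-signed, this
    one carries a placeholder signature so the decoding path can be exercised."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "sample-kid"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


def inspect_refresh_token(token: str) -> dict:
    """Decode a refresh/offline token payload WITHOUT verifying its signature.

    This is for inspecting tokens you already hold. Never base an authorization
    decision on it: nothing here proves Keycloak issued the token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    claims = json.loads(_b64url_decode(parts[1]))
    typ = claims.get("typ")
    if typ not in (TYP_REFRESH, TYP_OFFLINE):
        raise ValueError(f"unexpected typ claim {typ!r}")
    return {
        "typ": typ,
        "is_offline": typ == TYP_OFFLINE,
        "client": claims.get("azp"),
        "session_state": claims.get("session_state"),
        "issuer": claims.get("iss"),
    }


def group_by_session(tokens) -> dict:
    """Map session_state -> [(client, typ), ...] for the tokens you hold.

    Every token in one group is bound to the same Keycloak user session, so a
    logout of that session takes all of them down together, offline or not.
    """
    groups = {}
    for tok in tokens:
        info = inspect_refresh_token(tok)
        groups.setdefault(info["session_state"], []).append((info["client"], info["typ"]))
    return groups


def offline_authorize_url(realm_url: str, client_id: str, redirect_uri: str, state: str) -> str:
    """Authorization-code request that asks for an offline token (scope offline_access)."""
    query = urllib.parse.urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid offline_access",
        "state": state,
    })
    return f"{realm_url}/protocol/openid-connect/auth?{query}"


def refresh_still_works(realm_url: str, client_id: str, client_secret: str, refresh_token: str) -> bool:
    """Run a refresh_token grant. False means Keycloak rejected the token,
    which is what you see for a token whose session was logged out."""
    body = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    }).encode()
    req = urllib.request.Request(f"{realm_url}/protocol/openid-connect/token", data=body, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return "refresh_token" in json.load(resp)
    except urllib.error.HTTPError:
        return False


if __name__ == "__main__":
    # Hypothetical realm and clients; constructed tokens sharing one session.
    realm = "https://keycloak.example/auth/realms/myrealm"
    app1 = make_sample_token({"typ": TYP_REFRESH, "azp": "app1", "session_state": "s-1", "iss": realm})
    app2 = make_sample_token({"typ": TYP_OFFLINE, "azp": "app2", "session_state": "s-1", "iss": realm})
    print(group_by_session([app1, app2]))
    print(offline_authorize_url(realm, "app2", "https://app2.example/cb", "xyz"))
```

Run the grouping before and after calling the logout endpoint for APP 1; then call `refresh_still_works` with APP 2's offline token to confirm whether it was invalidated along with the session.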

