[keycloak-user] revocation of permission / policy for user managed resource does not influence activeness issued RPT for that resource

stefan.wachter stefan.wachter at bosch-si.com
Tue Jul 17 08:09:58 EDT 2018


Hi,

I finally managed to set up a scenario where an RPT gives access to a 
"user managed" resource that was created by the protection API 
(https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_protection_resources_api) 
and that is protected by a permission / policy that was created using 
the policy API 
(https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_authorization_uma_policy_api).

The policy checks the email by evaluating some JavaScript:

if ($evaluation.getContext().getIdentity().getAttributes().getValue('email').asString(0).startsWith('$email')) $evaluation.grant();

After the resource and its accompanying policy are created by API calls, 
they appear on the "Keycloak Account Management" user interface in the 
"My Resources" section. Access with a suitable RPT is granted. However, 
when the permission / policy is revoked, the RPT that was issued 
based on that policy remains "active". The RPT can even be refreshed!

What has to be done in order to revoke the RPT and/or its refresh token?

-- 

Best regards,

Stefan Wachter
INST-ICM/BSV-BS

Tel.  +49(711)811-58477

BeQIK
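The scenario from the message, reproduced offline as an added example (this is not code from the post, from Keycloak, or from the Keycloak documentation). It mocks the `$evaluation` object that Keycloak hands to a JavaScript policy, runs the e-mail prefix policy against it with the missing `if (` restored and a guard for identities that carry no e-mail attribute, and then contrasts two ways a resource server can treat an issued RPT: a purely local check of `exp` and the `authorization.permissions` claim, which keeps accepting the token after the policy is gone, and a check that re-evaluates the current policy for the identity on every request. The names `makeEvaluation`, `localCheck`, `reevaluate`, the `emailPrefix` parameter and the sample RPT payload are constructed for this illustration.

```javascript
// Mock of Keycloak's $evaluation context (constructed for this example).
// Attributes are a map of name -> list of values, as in the identity context.
function makeEvaluation(attributes) {
  let granted = false;
  return {
    getContext() {
      return {
        getIdentity() {
          return {
            getAttributes() {
              return {
                getValue(name) {
                  const values = attributes[name];
                  if (!values || values.length === 0) return null; // attribute missing
                  return { asString(i) { return values[i]; } };
                },
              };
            },
          };
        },
      };
    },
    grant() { granted = true; },
    deny() { granted = false; },
    isGranted() { return granted; },
  };
}

// The policy from the message as a complete statement. `emailPrefix` stands
// for the '$email' value substituted into the script when the policy is
// created. An identity without an e-mail attribute is denied instead of
// crashing the script on a null dereference.
function emailPolicy(evaluation, emailPrefix) {
  const attr = evaluation.getContext().getIdentity().getAttributes().getValue('email');
  if (attr !== null && attr.asString(0).startsWith(emailPrefix)) {
    evaluation.grant();
  } else {
    evaluation.deny();
  }
  return evaluation.isGranted();
}

// Finds the permission entry for a resource id (rsid) in a decoded RPT payload.
function permissionFor(rpt, resourceId) {
  const perms = (rpt.authorization && rpt.authorization.permissions) || [];
  return perms.find((p) => p.rsid === resourceId) || null;
}

// Local validation only: signature (assumed already verified), expiry and the
// permission claim baked into the token. This is what keeps a revoked
// permission "active" until the RPT expires or is refreshed.
function localCheck(rpt, resourceId, now) {
  if (rpt.exp <= now) return { allowed: false, reason: 'expired' };
  if (permissionFor(rpt, resourceId) === null) {
    return { allowed: false, reason: 'no permission for resource' };
  }
  return { allowed: true, reason: 'permission claim present' };
}

// Re-evaluation: the permission claim is only a hint; the current policy
// (null once it has been deleted) is run against the identity each time.
function reevaluate(rpt, resourceId, now, currentPolicy, identityAttributes) {
  const local = localCheck(rpt, resourceId, now);
  if (!local.allowed) return local;
  if (currentPolicy === null) return { allowed: false, reason: 'policy revoked' };
  const ok = emailPolicy(makeEvaluation(identityAttributes), currentPolicy.emailPrefix);
  return { allowed: ok, reason: ok ? 'policy re-evaluated' : 'policy denies' };
}

// Constructed sample RPT payload with the claim layout Keycloak uses.
const sampleRpt = {
  exp: 2000000000,
  authorization: { permissions: [{ rsid: 'res-123', rsname: 'my-resource' }] },
};

const alice = { email: ['alice@example.com'] };
console.log(localCheck(sampleRpt, 'res-123', 1900000000));            // allowed, claim present
console.log(reevaluate(sampleRpt, 'res-123', 1900000000, null, alice)); // denied, policy revoked
```

The difference between `localCheck` and `reevaluate` is the whole of the observed behaviour: a resource server that trusts the permission claim in a signed, unexpired RPT has no way to notice that the policy behind it was removed, so short RPT lifetimes or a per-request decision against the authorization server are what bound the window after a revocation.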

