[keycloak-user] revocation of permission / policy for user managed resource does not influence activeness issued RPT for that resource

Pedro Igor Silva psilva at redhat.com
Tue Jul 17 10:07:12 EDT 2018


We don't have a token revocation endpoint yet. Same goes for regular access
tokens.

What you can do now is revoke user session / logout. I think someone is
working on a PR to support a revocation endpoint ...

On Tue, Jul 17, 2018 at 9:09 AM, stefan.wachter <stefan.wachter at bosch-si.com> wrote:

> Hi,
>
> I finally managed to set up a scenario where an RPT gives access to a
> "user managed" resource that was created by the Protection API
> (https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_protection_resources_api)
> and that is protected by a permission / policy that was created using
> the Policy API
> (https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_authorization_uma_policy_api).
>
> The policy checks the email by evaluating some JavaScript (the `if (` at the
> start was lost in the mail wrapping; `'$email'` is the prefix substituted in
> when the policy is created):
>
> if ($evaluation.getContext().getIdentity().getAttributes().getValue('email').asString(0).startsWith('$email')) $evaluation.grant();
>
> After the resource and its accompanying policy are created by API calls,
> they appear in the "Keycloak Account Management" user interface in the
> "My Resources" section. Access with a suitable RPT is granted. However,
> when the permission / policy is revoked, the RPT that was issued
> based on that policy remains "active". The RPT can even be refreshed!
>
> What has to be done in order to revoke the RPT and/or its refresh token?
>
> --
>
> Best regards,
>
> Stefan Wachter
> INST-ICM/BSV-BS
>
> Tel.  +49(711)811-58477
>
> BeQIK
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
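The resource-server side of what this thread describes, as an added example that is not from the thread or from Keycloak itself: a local RPT check (signature, expiry, the `authorization.permissions` claim) keeps accepting a token after the policy behind it has been revoked, because nothing in the token changed; only a server-side introspection call (`token_type_hint=requesting_party_token` against the realm's `token/introspect` endpoint) can reflect the "revoke user session / logout" workaround, and the example assumes Keycloak reports a token whose session is gone as `active: false`. The HS256 demo secret, the permission payloads and the injected `http_post` function are constructed so the code runs offline; Keycloak signs RPTs with the realm's RS256 key, and a real resource server verifies that key (or lets the Keycloak adapter do it) instead of the shared secret used here.

```python
"""
Resource-server checks for a Keycloak RPT (requesting party token).

Constructed example, not Keycloak's own code.  Shows why a locally
validated RPT stays usable until it expires no matter what happens to the
policy behind it, and how an introspection call is the only place where a
revoked user session becomes visible before expiry.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret.  Keycloak signs RPTs with the realm's RS256 key;
# a real resource server verifies with the realm public key, not an HMAC.
DEMO_SECRET = b"constructed-demo-secret-not-a-keycloak-key"
INTROSPECT_PATH = "/protocol/openid-connect/token/introspect"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_demo_rpt(permissions, exp, secret=DEMO_SECRET) -> str:
    """Build an HS256-signed JWT whose payload mirrors the RPT's
    'authorization.permissions' claim (constructed test data)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"exp": exp, "authorization": {"permissions": permissions}}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_rpt(token, secret=DEMO_SECRET):
    """Check the signature and return the payload, or None if it fails."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    return json.loads(_b64url_decode(p))


def rpt_grants(payload, resource, scope, now=None):
    """Local check: token unexpired and carrying a permission for the
    resource (matched by rsid or rsname) and scope.  This is all a stateless
    bearer check can see; a revoked policy leaves the claim untouched."""
    now = time.time() if now is None else now
    if payload is None or payload.get("exp", 0) <= now:
        return False
    for perm in payload.get("authorization", {}).get("permissions", []):
        if perm.get("rsname") == resource or perm.get("rsid") == resource:
            # Keycloak omits 'scopes' when the permission covers every scope.
            scopes = perm.get("scopes")
            if scopes is None or scope in scopes:
                return True
    return False


def introspect_rpt(token, issuer, client_auth, http_post):
    """Ask the server whether the RPT is still active.  http_post(url, form,
    auth) -> dict is injected so the network call can be swapped in tests;
    'issuer' is the realm base URL, 'client_auth' the resource server's
    client credentials (assumed shapes, not a Keycloak API)."""
    form = {"token": token, "token_type_hint": "requesting_party_token"}
    return bool(http_post(issuer + INTROSPECT_PATH, form, client_auth).get("active"))


def authorize_request(token, resource, scope, issuer, client_auth, http_post, now=None):
    """Full decision: local validation first, then introspection, so that a
    user session revoked on the server (the thread's workaround) is honoured
    before the RPT's own expiry."""
    payload = verify_rpt(token)
    if not rpt_grants(payload, resource, scope, now):
        return False
    return introspect_rpt(token, issuer, client_auth, http_post)
```

Calling introspection on every request costs a round trip per call; the usual trade-off is to keep RPT and access token lifetimes short and introspect only for the sensitive scopes, since a purely local check cannot observe either a revoked policy or a revoked session until the token expires.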