[keycloak-user] revocation of permission / policy for user managed resource does not influence activeness issued RPT for that resource

Pedro Igor Silva psilva at redhat.com
Tue Jul 17 11:27:54 EDT 2018


I'm also wondering if we should re-evaluate permissions when refreshing
tokens. Right now, we just copy permissions to the new token ...

On Tue, Jul 17, 2018 at 11:07 AM, Pedro Igor Silva <psilva at redhat.com>
wrote:

> We don't have a token revocation endpoint yet. Same goes for regular
> access tokens.
>
> What you can do now is revoke user session / logout. I think someone is
> working on a PR to support a revocation endpoint ...
>
>
> On Tue, Jul 17, 2018 at 9:09 AM, stefan.wachter <stefan.wachter at bosch-si.com> wrote:
>
>> Hi,
>>
>> I finally managed to set up a scenario where an RPT gives access to a
>> "user managed" resource that was created by the Protection API
>> (https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_protection_resources_api)
>> and that is protected by a permission / policy that was created using
>> the Policy API
>> (https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_authorization_uma_policy_api).
>>
>> The policy checks the email by evaluating some JavaScript:
>>
>> // Grant when the identity's 'email' attribute starts with the configured prefix ('$email' is the placeholder used here).
>> if ($evaluation.getContext().getIdentity().getAttributes().getValue('email').asString(0).startsWith('$email')) $evaluation.grant();
>>
>> After the resource and its accompanying policy are created by API calls
>> they appear on the "Keycloak Account Management" user interface in the
>> "My Resources" section. Access with a suitable RPT is granted. However,
>> when the permission / policy is revoked, the RPT that was issued
>> based on that policy remains "active". The RPT can even be refreshed!
>>
>> What has to be done in order to revoke the RPT and/or its refresh token?
>>
>> --
>>
>> Best regards,
>>
>> Stefan Wachter
>> INST-ICM/BSV-BS
>>
>> Tel.  +49(711)811-58477
>>
>> BeQIK
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
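The thread's point is that an RPT's "active" status reflects the user session and token expiry, not the policies that were in force when it was issued, so a resource server that needs revocation to take effect has to look at the permissions it carries (and re-request an RPT rather than trust a cached one). The following is an added illustration for that resource-server side, not code from the thread or from Keycloak itself: it decodes a constructed RPT, checks the `authorization.permissions` claim and expiry, builds the form body for Keycloak's token introspection endpoint with the `requesting_party_token` hint, and evaluates an introspection response. The realm name, client credentials, resource name and id are placeholders, and the JWT payload is decoded without signature verification purely so the example runs offline.

```python
"""Resource-server-side checks on a Keycloak RPT (added example, stdlib only)."""
import base64
import json
import time

# Constructed sample RPT payload (not a real token). "authorization.permissions"
# is the shape Keycloak uses for permissions inside an RPT; rsid is a placeholder.
SAMPLE_RPT_PAYLOAD = {
    "exp": int(time.time()) + 300,
    "iat": int(time.time()),
    "iss": "https://keycloak.example/auth/realms/demo",  # placeholder realm
    "typ": "Bearer",
    "authorization": {
        "permissions": [
            {"rsid": "resource-id-placeholder",
             "rsname": "stefan-photo-album",
             "scopes": ["album:view"]}
        ]
    },
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_rpt(payload: dict) -> str:
    """Build a JWT-shaped string with a dummy signature, for offline tests only."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    return f"{header}.{body}.dummysignature"


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment. The signature is NOT verified here; a real
    resource server verifies it against the realm's public key before use."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(segment))


def rpt_grants(payload: dict, resource_name: str, scope: str, now=None) -> bool:
    """True if the RPT is unexpired and carries the scope on the named resource."""
    now = time.time() if now is None else now
    if payload.get("exp", 0) <= now:
        return False
    for perm in payload.get("authorization", {}).get("permissions", []):
        if perm.get("rsname") == resource_name and scope in perm.get("scopes", []):
            return True
    return False


def introspection_request(base_url, realm, client_id, client_secret, rpt):
    """URL and form body for Keycloak's token introspection endpoint, with the
    RPT type hint so the response includes the 'permissions' list."""
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token/introspect"
    form = {
        "token_type_hint": "requesting_party_token",
        "token": rpt,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    return url, form


def decision_from_introspection(response: dict, resource_name: str, scope: str) -> bool:
    """'active' only says the session/token is still valid; the permissions list
    (resource_name/scopes, as documented for RPT introspection) decides access and
    reflects the policies at RPT issue time, which is the behaviour the thread describes."""
    if not response.get("active"):
        return False
    return any(p.get("resource_name") == resource_name and scope in p.get("scopes", [])
               for p in response.get("permissions", []))


if __name__ == "__main__":
    token = make_unsigned_rpt(SAMPLE_RPT_PAYLOAD)
    print(rpt_grants(decode_jwt_payload(token), "stefan-photo-album", "album:view"))
```

The `introspection_request` helper only prepares the request; sending it with the resource server's client credentials is left to whatever HTTP client is in use. Revoking the user session, as Pedro suggests, flips `active` to false, which is why `decision_from_introspection` checks it first.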