[keycloak-user] revocation of permission / policy for user managed resource does not influence activeness of issued RPT for that resource

Stefan Wachter stefan.wachter at gmx.de
Tue Jul 17 15:47:35 EDT 2018


I think that re-evaluation of permissions on refresh would be an 
important improvement. If I had a choice between a revocation endpoint 
and a re-evaluation on refresh behaviour I would clearly prefer the 
re-evaluation on refresh behaviour.


On 17.07.2018 17:27, Pedro Igor Silva wrote:
> I'm also wondering if we should re-evaluate permissions when refreshing
> tokens. Right now, we just copy permissions to the new token ...
>
> On Tue, Jul 17, 2018 at 11:07 AM, Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>> We don't have a token revocation endpoint yet. Same goes for regular
>> access tokens.
>>
>> What you can do now is revoke user session / logout. I think someone is
>> working on a PR to support a revocation endpoint ...
>>
>>
>> On Tue, Jul 17, 2018 at 9:09 AM, stefan.wachter <
>> stefan.wachter at bosch-si.com> wrote:
>>
>>> Hi,
>>>
>>> I finally managed to set up a scenario where an RPT gives access to a
>>> "user managed" resource that was created by the protection API
>>> (https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_protection_resources_api)
>>> and that is protected by a permission / policy that was created using
>>> the policy API
>>> (https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_authorization_uma_policy_api).
>>>
>>> The policy checks the email by evaluating some JavaScript:
>>>
>>> if ($evaluation.getContext().getIdentity().getAttributes().getValue('email').asString(0).startsWith('$email')) $evaluation.grant();
>>>
>>> After the resource and its accompanying policy are created by API calls,
>>> they appear on the "Keycloak Account Management" user interface in the
>>> "My Resources" section. Access with a suitable RPT is granted. However,
>>> when the permission / policy is revoked, the RPT that was issued
>>> based on that policy remains "active". The RPT can even be refreshed!
>>>
>>> What has to be done in order to revoke the RPT and/or its refresh token?
>>>
>>> --
>>>
>>> Best regards,
>>>
>>> Stefan Wachter
>>> INST-ICM/BSV-BS
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
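An added example (not Keycloak code and not from anyone in this thread) of the "re-evaluate on use" behaviour discussed above, in Python: a resource server that does not honour the permissions cached inside an RPT on their own, but checks them against the policies currently in force, so a revoked policy stops granting access even while the RPT and its refresh token are still "active". The policy mirrors the e-mail prefix check of the JavaScript policy in the original post; the token, resource name and e-mail address are constructed, and signature verification is assumed to have happened earlier in the adapter.

```python
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_rpt_claims(rpt: str) -> dict:
    # Payload only: the signature is assumed to have been verified already.
    _header, payload, _signature = rpt.split(".")
    return json.loads(_b64url_decode(payload))


def email_policy(prefix: str):
    # Python counterpart of the thread's JavaScript policy:
    # grant when the identity's e-mail starts with the configured value.
    def evaluate(identity: dict) -> bool:
        return identity.get("email", "").startswith(prefix)
    return evaluate


def is_access_allowed(rpt: str, resource: str, policies: dict, now=None) -> bool:
    """policies maps a resource name to the policy callables still in force.
    A resource whose policies were all revoked maps to an empty list."""
    claims = decode_rpt_claims(rpt)
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False  # expired RPT, nothing to re-evaluate
    cached = {p["rsname"] for p in claims.get("authorization", {}).get("permissions", [])}
    if resource not in cached:
        return False  # the RPT never covered this resource
    # Re-evaluation step: the cached permission only counts if at least one
    # policy for the resource still grants access to this identity.
    identity = {"email": claims.get("email", "")}
    return any(policy(identity) for policy in policies.get(resource, []))


def make_unsigned_rpt(claims: dict) -> str:
    # Constructed sample token for the demo; real RPTs are signed by Keycloak.
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), ""])


SAMPLE_RPT = make_unsigned_rpt({
    "exp": 4102444800,  # far in the future, so the token counts as "active"
    "email": "alice@example.com",
    "authorization": {"permissions": [{"rsname": "my-resource", "scopes": ["view"]}]},
})
```

With the e-mail policy in place the sample RPT is honoured; with the policy list for `my-resource` emptied (the revocation case from the post) the same, still-valid RPT is refused.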