[keycloak-user] Logout via admin API causes offline token to go stale

Ritesh Garg ritesh.garg at outlook.com
Fri May 25 16:35:01 EDT 2018


Hi,

I have made an interesting observation with Keycloak 3.4.3. The offline token for a user is considered stale if the user's sessions are logged out using the Admin API. I have not checked whether this happens when the user triggers logout *without* admin involvement. One thing to note here is that we have “revoke refresh token” enabled. Offline token validity is in days.

Here are the steps I followed:

1. Generated an access token for a user using API.

2. Generated an offline token for the same user using API with scope as offline_access.

3. Generated an admin access token using the API.

4. Using admin token, triggered a logout on the user id with /users/{userid}/logout API.

5. Checked the web console to verify that the user sessions are gone, but the Consents tab still has the offline token.

6. Tried to get an access token using the offline token from step 2 with grant_type refresh_token and got a stale token error.

Is this expected?

Thanks,
Ritesh
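The six steps above, scripted as an added example for reproducing the observation against a test realm. This is not code from the original mail or from the Keycloak project: it drives the standard Keycloak 3.x OpenID Connect token endpoint and the admin REST `/users/{id}/logout` endpoint with the Python standard library only. The base URL, realm, client, user and admin credentials are assumed placeholders, and the helper that classifies the refresh response relies only on the `invalid_grant` error code (the "Stale token" description text from the report is treated as informational).

```python
"""Reproduce: offline token rejected after an Admin API logout (Keycloak 3.x).

Added example, not from the original post. All connection values below are
assumed placeholders for a local test server.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumed test-environment values (placeholders, not from the post).
BASE_URL = "http://localhost:8080/auth"
REALM = "demo"
CLIENT_ID = "demo-client"      # public client with Direct Access Grants enabled
USERNAME = "alice"
PASSWORD = "alice-password"
ADMIN_USER = "admin"
ADMIN_PASSWORD = "admin-password"


def _post_form(url, fields, bearer=None):
    """POST a form body; return (HTTP status, parsed JSON body or {})."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    if bearer:
        req.add_header("Authorization", "Bearer " + bearer)
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as e:
        raw = e.read()
        try:
            return e.code, (json.loads(raw) if raw else {})
        except ValueError:
            return e.code, {"raw": raw.decode(errors="replace")}


def token_endpoint(realm):
    """Standard Keycloak OIDC token endpoint for a realm."""
    return f"{BASE_URL}/realms/{realm}/protocol/openid-connect/token"


def password_grant(realm, client_id, username, password, scope=None):
    """Steps 1-3: obtain tokens with the password grant; scope=offline_access yields an offline token."""
    fields = {"grant_type": "password", "client_id": client_id,
              "username": username, "password": password}
    if scope:
        fields["scope"] = scope
    return _post_form(token_endpoint(realm), fields)


def refresh_grant(realm, client_id, refresh_token):
    """Step 6: exchange a refresh/offline token for a new access token."""
    return _post_form(token_endpoint(realm), {"grant_type": "refresh_token",
                                              "client_id": client_id,
                                              "refresh_token": refresh_token})


def admin_logout_user(admin_token, realm, user_id):
    """Step 4: Admin REST logout of all sessions of one user (204 on success)."""
    return _post_form(f"{BASE_URL}/admin/realms/{realm}/users/{user_id}/logout", {}, bearer=admin_token)


def user_id_from_access_token(access_token):
    """Read the 'sub' claim (Keycloak user id) from the JWT payload.

    No signature check: the token came straight from the server and is used
    only to find the id to pass to the admin endpoint.
    """
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]


def is_stale_token_error(status, body):
    """True when the token endpoint rejected the refresh as invalid_grant (HTTP 400)."""
    return status == 400 and body.get("error") == "invalid_grant"


def reproduce():
    """Run steps 1-6 and report whether the offline token survived the admin logout."""
    _, user_tokens = password_grant(REALM, CLIENT_ID, USERNAME, PASSWORD)           # step 1
    _, offline = password_grant(REALM, CLIENT_ID, USERNAME, PASSWORD, "offline_access")  # step 2
    _, admin = password_grant("master", "admin-cli", ADMIN_USER, ADMIN_PASSWORD)     # step 3
    user_id = user_id_from_access_token(user_tokens["access_token"])
    status, _ = admin_logout_user(admin["access_token"], REALM, user_id)            # step 4
    print("admin logout HTTP status:", status)
    status, body = refresh_grant(REALM, CLIENT_ID, offline["refresh_token"])         # step 6
    if is_stale_token_error(status, body):
        print("offline token rejected:", body.get("error_description"))
    else:
        print("offline token still usable, HTTP", status)
    return not is_stale_token_error(status, body)


if __name__ == "__main__":
    reproduce()
```

Step 5 (the Consents tab) has no API equivalent in this script; check it in the admin console between the logout call and the refresh attempt. The `reproduce()` function returns `True` when the offline token is still honoured, so the same script doubles as a regression check for the behaviour after upgrading or changing the "revoke refresh token" setting.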


