[keycloak-user] Logout via admin API causes offline token to go stale
Ritesh Garg
ritesh.garg at outlook.com
Thu May 31 12:08:04 EDT 2018
Any insights on this?
Thanks,
Ritesh
> On May 25, 2018, at 4:35 PM, Ritesh Garg <ritesh.garg at outlook.com> wrote:
>
> Hi,
>
> I have made an interesting observation with Keycloak 3.4.3. The offline token for a user is considered stale if the user sessions are logged out using Admin API. I have not checked if this happens when the user triggers logout *without* admin involvement. One thing to note here is that we have “revoke refresh token” enabled. Offline token validity is in days.
>
> Here are the steps I followed:
>
> 1. Generated an access token for a user using API.
>
> 2. Generated an offline token for the same user using API with scope as offline_access.
>
> 3. Generated an admin access token using the API.
>
> 4. Using admin token, triggered a logout on the user id with /users/{userid}/logout API.
>
> 5. Checked the web console to verify that the user sessions are gone but consents tab still has offline token.
>
> 6. Tried to get an access token using the offline token from step 2 with grant as refresh_token and got a stale token error.
>
> Is this expected?
>
> Thanks,
> Ritesh