[keycloak-user] Is it possible to invalidate token in Spring Security Adapter

Tue Jul 2 10:27:58 EDT 2019

Hi,

More details here
https://www.keycloak.org/docs/latest/securing_apps/index.html#_token_introspection_endpoint
and
here https://tools.ietf.org/html/rfc7662#section-2.1. It is basically an
HTTP request to the introspection endpoint where you pass the token you
want to introspect and some credentials/bearer token so that the client
(your app) making the request can be authenticated.

On Tue, Jul 2, 2019 at 11:22 AM Ondrej Scerba <Ondrej.Scerba at zoomint.com>
wrote:

> Hi,
>
>
>
> Is there any example available, how can be remote introspection
> implemented with Keycloak Spring Security Adapter?
>
> Thanks,
> Ondrej
>
>
>
> *From:* Pedro Igor Silva <psilva at redhat.com>
> *Sent:* Thursday, June 27, 2019 14:43
> *To:* Ondrej Scerba <Ondrej.Scerba at zoomint.com>
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Is it possible to invalidate token in
> Spring Security Adapter
>
>
>
> Hi,
>
>
>
> If you are using bearer tokens, the adapter only performs local validation
> based on a specific set of claims and signature. If you need to revoke
> tokens and propagate the revocation to your resource servers, you should
> consider introspecting the token using the token introspection endpoint.
>
>
>
> However, our adapters don't provide the support for choosing between
> local/remote introspection. Local introspection and validation are enough
> for most people but depending on your requirements/constraints you may want
> to use the introspection endpoint.
>
>
>
> Regards.
>
> Pedro Igor
>
>
>
> On Thu, Jun 27, 2019 at 8:51 AM Ondrej Scerba <Ondrej.Scerba at zoomint.com>
> wrote:
>
> Hi,
>
> Is it possible to invalidate token in "offline validator" in Spring
> Security Adapater?
>
> Thanks,
> Ondrej
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>