[keycloak-user] RPT tokens can still be used after approval revokation

Rivat Olivier orivat at janua.fr
Fri Jul 5 07:40:18 EDT 2019


Hi,

I have the following use case

1) alice is creating some resouces (a5 for example)
2) jdoe is asking to access a5
3) alice approves request for Jdoe to access a5
4) Jdoe is getting an rpt token and now can access to a5 (so far so good)
5) Alice is revoking Jdoe access right for a5

6) RPT token of Jdoe is still valid (it has no yet expired)
---> Joe can access to alice a5 resource without any problem

For me it sounds like a bug. I was expecting Jdoe no longer being able 
to access alice A5 resource  (after revokation from alice).


Regards,
Olivier











More information about the keycloak-user mailing list