[keycloak-user] RPT tokens can still be used after approval revocation

Rivat Olivier orivat at janua.fr
Fri Jul 5 07:55:28 EDT 2019



Hi,

I have the following use case

1) alice is creating some resources (a5 for example)
2) jdoe is asking to access a5
3) alice approves the request for jdoe to access a5
4) jdoe is getting an RPT token and now can access a5 (so far so good)
5) alice is revoking jdoe's access right for a5

6) The RPT token of jdoe is still valid (it has not yet expired)
---> jdoe can access alice's a5 resource without any problem

For me it sounds like a bug. I was expecting jdoe to no longer be able
to access alice's a5 resource (after revocation by alice).
Do you confirm my understanding, or is this the normal expected behavior?

Regards,
Olivier