[keycloak-user] RPT tokens can still be used after approval revocation

Sebastien Blanc sblanc at redhat.com
Fri Jul 5 08:12:05 EDT 2019


Pedro can confirm but if I'm not wrong an RPT is like any other access
token and will be valid until it expires (5 minutes by default). Especially
with an RPT where the verification can be completely made offline. You can
push a "not before" from the console to invalidate the token immediately.



On Fri, Jul 5, 2019 at 2:09 PM Rivat Olivier <orivat at janua.fr> wrote:

>
> Hi,
>
> I have the following use case
>
> 1) alice is creating some resources (a5 for example)
> 2) jdoe is asking to access a5
> 3) alice approves request for Jdoe to access a5
> 4) Jdoe is getting an rpt token and now can access to a5 (so far so good)
> 5) Alice is revoking Jdoe access right for a5
>
> 6) RPT token of Jdoe is still valid (it has not yet expired)
> ---> Joe can access to alice a5 resource without any problem
>
> For me it sounds like a bug. I was expecting Jdoe no longer being able
> to access alice A5 resource (after revocation from alice).
> Do you confirm my understanding, or is this the normal expected behavior?
>
> Regards,
> Olivier
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
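To make the two points in the reply concrete (an RPT stays valid until `exp` when it is verified offline, and a pushed "not before" rejects tokens issued before that instant), here is an added example of the checks a resource server would run; it is not Keycloak's code. It assumes an HS256 signature with a constructed shared secret so it runs stand-alone (Keycloak signs tokens with an asymmetric key in practice) and a constructed `not_before` value standing in for the timestamp the console push sets.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real resource server would hold the realm's public key instead.
SECRET = b"demo-shared-secret"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_rpt(claims: dict, secret: bytes = SECRET) -> str:
    """Build a compact JWT carrying RPT-style claims (demo issuer, assumed HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [json.dumps(header, separators=(",", ":")), json.dumps(claims, separators=(",", ":"))]
    signing_input = ".".join(_b64url_encode(p.encode()) for p in parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_rpt(token: str, secret: bytes, now: int, not_before: int = 0):
    """Offline verification: signature, expiry, then the pushed not-before.

    Returns (claims, "ok") on success or (None, reason) on rejection.
    A revoked permission leaves the token untouched, so only `exp` or
    `not_before` can stop it being accepted here.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None, "malformed token"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    if now >= claims.get("exp", 0):
        return None, "expired"
    # The "not before" push: any token issued (iat) before the push is rejected.
    if claims.get("iat", 0) < not_before:
        return None, "issued before not-before"
    return claims, "ok"


def granted_resources(claims: dict) -> set:
    """Resource names listed in the RPT's authorization.permissions claim."""
    perms = claims.get("authorization", {}).get("permissions", [])
    return {p.get("rsname") for p in perms}


# Constructed RPT for jdoe: issued at t=1000, 5-minute lifetime, permission on alice's a5.
JDOE_RPT = make_rpt({
    "sub": "jdoe",
    "iat": 1000,
    "exp": 1300,
    "authorization": {"permissions": [{"rsid": "res-a5", "rsname": "a5"}]},
})


def scenario() -> dict:
    """Walk through the thread's timeline and report each outcome."""
    out = {}
    # Step 4/6: alice revoked access at t=1100 but the token itself is unchanged.
    claims, reason = verify_rpt(JDOE_RPT, SECRET, now=1100)
    out["after_revocation_offline"] = (reason, "a5" in granted_resources(claims or {}))
    # Pushing a not-before of 1150 from the console rejects every token issued earlier.
    out["after_not_before_push"] = verify_rpt(JDOE_RPT, SECRET, now=1200, not_before=1150)[1]
    # Without a push the token only dies at exp.
    out["after_expiry"] = verify_rpt(JDOE_RPT, SECRET, now=1400)[1]
    return out


if __name__ == "__main__":
    for step, result in scenario().items():
        print(f"{step}: {result}")
```

The first result is the behaviour Olivier observed: the revocation changes nothing inside the token, so an offline check still sees a valid signature, an unexpired `exp` and a permission on `a5`. The not-before push is what turns that into a rejection before expiry.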

