[keycloak-user] API to evict user cache

Shetty, Shweta Shweta.Shetty at Teradata.com
Fri Jul 26 13:36:23 EDT 2019


I am talking about this bug, which clears offline tokens on logout so they become unusable.
https://issues.jboss.org/browse/KEYCLOAK-8638?_sscc=t

Shweta

________________________________
From: Pedro Igor Silva <psilva at redhat.com>
Sent: Friday, July 26, 2019 8:02 AM
To: Shetty, Shweta <Shweta.Shetty at Teradata.com>
Cc: keycloak-user at lists.jboss.org <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] API to evict user cache

If the logout is started by a GET to logout endpoint you should still be able to refresh tokens. I think I'm not following your problem.

On Fri, Jul 26, 2019 at 10:59 AM Shetty, Shweta <Shweta.Shetty at teradata.com> wrote:
I guess it was not clear why I need to evict a single user cache - I should have completed the previous email.

The logout Keycloak admin API sets the 'notBefore' and makes the offline token STALE, which we don't want. So what we are resorting to is:
1) removing each active session individually
2) Updating the user to evict the user from the cache. (We need to do this because if a user has logged out we want him to cleanly log back in; for example, if he gets added to a new group, when he logs back in he will get the new LDAP group, else the cache will prevent it from happening.)

Shweta
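The two-step workaround described in this message (delete each online session individually, then update the user so its cache entry is invalidated), written out against the Keycloak admin REST API as an added example; it is not code from the original thread or from the Keycloak project. It assumes the admin-cli password grant on the master realm, the documented admin endpoints `GET /admin/realms/{realm}/users/{id}/sessions`, `DELETE /admin/realms/{realm}/sessions/{session}`, `GET`/`PUT /admin/realms/{realm}/users/{id}`, and a constructed placeholder host, realm (`demo`) and user id (`u-123`). The `FakeKeycloak` class is a constructed in-memory stand-in so the flow can run offline; `urllib_transport` is what you would pass instead against a live server.

```python
import json
from typing import Callable, Dict, List, Optional, Tuple
from urllib import error, parse, request

# send(method, url, headers, body) -> (http_status, decoded_json_or_None)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, object]]
BASE = "https://keycloak.example.invalid"  # constructed placeholder host


def urllib_transport(method, url, headers, body):
    """Real HTTP transport for a live Keycloak; not exercised in the offline demo."""
    req = request.Request(url, data=body, method=method, headers=headers)
    try:
        with request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except error.HTTPError as exc:
        return exc.code, None


def admin_token(base: str, username: str, password: str, send: Transport) -> str:
    """Password grant against the built-in admin-cli client of the master realm."""
    form = parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                            "username": username, "password": password}).encode()
    status, data = send("POST", f"{base}/realms/master/protocol/openid-connect/token",
                        {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200:
        raise RuntimeError(f"admin login failed: HTTP {status}")
    return data["access_token"]


def reset_user_sessions(base: str, realm: str, user_id: str, token: str, send: Transport) -> Dict[str, object]:
    """Drop the user's online sessions one by one, then force a reload of the cached user.
    Avoids POST .../users/{id}/logout, which per the thread bumps notBefore and kills offline tokens."""
    hdr = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    admin = f"{base}/admin/realms/{realm}"
    # Step 1: the sessions listing holds online sessions only, so deleting each of them
    # leaves offline sessions (and the offline tokens of background jobs) untouched.
    status, sessions = send("GET", f"{admin}/users/{user_id}/sessions", hdr, None)
    if status != 200:
        raise RuntimeError(f"listing sessions failed: HTTP {status}")
    removed: List[str] = []
    for s in sessions:
        status, _ = send("DELETE", f"{admin}/sessions/{s['id']}", hdr, None)
        if status not in (204, 404):  # 404: session already expired, nothing to do
            raise RuntimeError(f"removing session {s['id']} failed: HTTP {status}")
        removed.append(s["id"])
    # Step 2: read the user and write it back unchanged; the update invalidates the cache
    # entry, so the next login re-reads groups and attributes from the LDAP federation.
    status, user = send("GET", f"{admin}/users/{user_id}", hdr, None)
    if status != 200:
        raise RuntimeError(f"reading user failed: HTTP {status}")
    status, _ = send("PUT", f"{admin}/users/{user_id}", hdr, json.dumps(user).encode())
    return {"sessions_removed": removed, "user_cache_invalidated": status == 204}


class FakeKeycloak:
    """Constructed in-memory stand-in for the admin REST API so the flow runs offline."""
    def __init__(self) -> None:
        self.sessions = ["sess-1", "sess-2"]  # constructed online session ids
        self.users = {"u-123": {"id": "u-123", "username": "alice", "enabled": True}}
        self.user_cache = dict(self.users)  # key present = user entry is cached
        self.not_before_bumped = False

    def __call__(self, method, url, headers, body):
        path = url[len(BASE):]
        if path == "/realms/master/protocol/openid-connect/token":
            return 200, {"access_token": "constructed-token"}
        if headers.get("Authorization") != "Bearer constructed-token":
            return 401, None
        if path == "/admin/realms/demo/users/u-123/sessions" and method == "GET":
            return 200, [{"id": s} for s in self.sessions]
        if path.startswith("/admin/realms/demo/sessions/") and method == "DELETE":
            self.sessions.remove(path.rsplit("/", 1)[1])
            return 204, None
        if path == "/admin/realms/demo/users/u-123" and method == "GET":
            return 200, dict(self.users["u-123"])
        if path == "/admin/realms/demo/users/u-123" and method == "PUT":
            self.users["u-123"] = json.loads(body)
            self.user_cache.pop("u-123", None)  # an update evicts the cached entry
            return 204, None
        if path == "/admin/realms/demo/users/u-123/logout" and method == "POST":
            self.sessions.clear()
            self.not_before_bumped = True  # the side effect the thread wants to avoid
            return 204, None
        return 404, None


def demo() -> Dict[str, object]:
    fake = FakeKeycloak()
    tok = admin_token(BASE, "admin", "constructed-password", fake)
    result = reset_user_sessions(BASE, "demo", "u-123", tok, fake)
    result["offline_tokens_intact"] = not fake.not_before_bumped
    result["user_still_cached"] = "u-123" in fake.user_cache
    return result


if __name__ == "__main__":
    print(demo())
```

Against a real server, replace the `FakeKeycloak` instance with `urllib_transport` and the placeholder host, realm and user id with your own; the per-session `DELETE` is what keeps the offline sessions (and therefore the offline tokens of background jobs) alive, whereas `POST .../users/{id}/logout` would also bump `notBefore`.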

________________________________
From: Shetty, Shweta <Shweta.Shetty at Teradata.com>
Sent: Friday, July 26, 2019 6:50 AM
To: Pedro Igor Silva <psilva at redhat.com>
Cc: keycloak-user at lists.jboss.org <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] API to evict user cache

Thanks for your response Pedro. Yes, the updating of the user is helping in evicting the user cache, just tested.

The reason we are resorting to this is because: if we use the logout API of Keycloak admin, then Keycloak evicts the user from the cache in the same method that sets the `notBefore` field in the user. The setting of the 'notBefore' makes the offline tokens STALE, which in my assumption should have been done, since the assumption is offline tokens should still be valid if a user has logged out? Am I wrong here? We use offline tokens for background jobs and these fail. What is the best approach for such jobs then?

Shweta
________________________________
From: Pedro Igor Silva <psilva at redhat.com>
Sent: Friday, July 26, 2019 5:00 AM
To: Shetty, Shweta <Shweta.Shetty at Teradata.com>
Cc: keycloak-user at lists.jboss.org <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] API to evict user cache

If you mean a single entry in the cache no. But you can clear all entries in user cache (see admin console).

AFAIK, if you want to force a reload to a specific entry you could update some user info so that the entry is invalidated and eventually cached again.

On Thu, Jul 25, 2019 at 4:15 PM Shetty, Shweta <Shweta.Shetty at teradata.com> wrote:
Is there an admin API to evict just a single user cache entry?

Shweta
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user