[keycloak-user] API to evict user cache

Pedro Igor Silva psilva at redhat.com
Fri Jul 26 13:43:30 EDT 2019


Now I see. Thanks for the link. Indeed, the notBefore on the realm is
impacting the persistent sessions. Will comment on that JIRA.

On Fri, Jul 26, 2019 at 2:36 PM Shetty, Shweta <Shweta.Shetty at teradata.com>
wrote:

> I am talking about this bug which clears offline tokens on Logout and
> becomes unusable.
>  https://issues.jboss.org/browse/KEYCLOAK-8638?_sscc=t
>
> Shweta
>
> ------------------------------
> *From:* Pedro Igor Silva <psilva at redhat.com>
> *Sent:* Friday, July 26, 2019 8:02 AM
> *To:* Shetty, Shweta <Shweta.Shetty at Teradata.com>
> *Cc:* keycloak-user at lists.jboss.org <keycloak-user at lists.jboss.org>
> *Subject:* Re: [keycloak-user] API to evict user cache
>
> If the logout is started by a GET to the logout endpoint you should still be
> able to refresh tokens. I think I'm not following your problem.
>
> On Fri, Jul 26, 2019 at 10:59 AM Shetty, Shweta <
> Shweta.Shetty at teradata.com> wrote:
>
> I guess it was not clear why I need to evict a single user cache - I
> should have completed the previous email.
>
> Since the logout Keycloak admin API sets the 'notBefore' and makes the
> offline token STALE, which we don't want. So what we are resorting to is:
> 1) Removing each active session individually.
> 2) Update on the user to evict the user from the cache. (We need to do this
> because if a user has logged out we want him to cleanly log back in - for
> example, if he gets added to a new group, when he logs back in he will get
> the new LDAP group, else the cache will prevent it from happening.)
>
> Shweta
>
> ------------------------------
> *From:* Shetty, Shweta <Shweta.Shetty at Teradata.com>
> *Sent:* Friday, July 26, 2019 6:50 AM
> *To:* Pedro Igor Silva <psilva at redhat.com>
> *Cc:* keycloak-user at lists.jboss.org <keycloak-user at lists.jboss.org>
> *Subject:* Re: [keycloak-user] API to evict user cache
>
> Thanks for your response Pedro. Yes, the updating of the user is helping
> in evicting the user cache, just tested.
>
> The reason we are resorting to this is because: If we use the logout API of
> keycloak admin then Keycloak evicts the user from the cache in the same
> method that sets the `notBefore` field in the user. The setting of the
> 'notBefore' makes the offline tokens STALE which in my assumption should
> have been done - since the assumption is offline tokens should still be
> valid if a user has logged out? Am I wrong here? We use offline tokens for
> background jobs and these fail. What is the best approach for such jobs
> then?
>
> Shweta
> ------------------------------
> *From:* Pedro Igor Silva <psilva at redhat.com>
> *Sent:* Friday, July 26, 2019 5:00 AM
> *To:* Shetty, Shweta <Shweta.Shetty at Teradata.com>
> *Cc:* keycloak-user at lists.jboss.org <keycloak-user at lists.jboss.org>
> *Subject:* Re: [keycloak-user] API to evict user cache
>
> If you mean a single entry in the cache, no. But you can clear all entries
> in the user cache (see admin console).
>
> AFAIK, if you want to force a reload to a specific entry you could update
> some user info so that the entry is invalidated and eventually cached again.
>
> On Thu, Jul 25, 2019 at 4:15 PM Shetty, Shweta <Shweta.Shetty at teradata.com>
> wrote:
>
> Is there an admin API to evict just a single user-cache?
>
> Shweta
>
>
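
The workaround described in the thread (delete each active session individually, then update the user so the cached entry is invalidated), as an added example that is not part of the original messages or Keycloak's own code. It uses the Admin REST API paths `users/{id}/sessions`, `sessions/{session}` and `users/{id}`; the base URL, realm, user id, function names and the injectable `send` transport are assumptions for illustration.

```python
import json
import urllib.request
from urllib.parse import quote


def http_send(method, url, token, body=None):
    """Default transport: one bearer-authenticated JSON call."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": "Bearer " + token,
        "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def end_sessions_and_refresh_user(base, realm, user_id, token, send=http_send):
    """Remove a user's active sessions one by one, then re-save the user.

    Never calls POST .../users/{id}/logout, which the thread reports sets
    notBefore and makes offline tokens stale.
    """
    admin = f"{base}/admin/realms/{quote(realm, safe='')}"
    user_url = f"{admin}/users/{quote(user_id, safe='')}"
    # Step 1: list the active sessions and delete each individually.
    removed = []
    for session in send("GET", f"{user_url}/sessions", token) or []:
        send("DELETE", f"{admin}/sessions/{quote(session['id'], safe='')}", token)
        removed.append(session["id"])
    # Step 2: write the user back unchanged. Assumption (from the thread):
    # any update invalidates the cached entry so the next login reloads it.
    user = send("GET", user_url, token)
    send("PUT", user_url, token, user)
    return removed


if __name__ == "__main__":
    # Constructed stand-in for a server, so the example runs offline.
    def fake_send(method, url, token, body=None):
        print(method, url)
        if method == "GET" and url.endswith("/sessions"):
            return [{"id": "sess-1"}, {"id": "sess-2"}]
        return {"id": "user-1", "username": "alice"} if method == "GET" else None

    print(end_sessions_and_refresh_user(
        "https://keycloak.example.test/auth", "demo", "user-1", "token", fake_send))
```

For users federated from LDAP, check the provider's edit mode before relying on the write-back in step 2, since a `PUT` of the full representation may be propagated to the directory.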

