Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Revoking Token in Keycloak #15

Closed
AdigaAkhil opened this issue Jul 27, 2023 · 4 comments
Closed

Revoking Token in Keycloak #15

AdigaAkhil opened this issue Jul 27, 2023 · 4 comments

Comments

@AdigaAkhil
Copy link

AdigaAkhil commented Jul 27, 2023
edited

Hello @ivangfr ,

Firstly, great project! loved it. It covers everything from the backend and front end.
However, I had some queries regarding Keycloak in your project.

As far as I have done research the only API to revoke a token is the /revoke API which looks like this

http://localhost:8080/realms/<realm-name>/protocol/openid-connect/revoke
Along with this URL we will also be using clientId,client-secret, token_type and the actual token we want to revoke.

My query is, if we use the PKCE apporoach there is no client-secret ,so how do we revoke the token since the client secret is not optional

The same query applies for the introspect endpoint as well

http://localhost:8080/realms/<realm-name>/protocol/openid-connect/token/introspect
@ivangfr
Copy link
Owner

ivangfr commented Aug 6, 2023
edited

Hi @AdigaAkhil

I believe I got it partially. The introspect endpoint is returning 403 and the revoke is working.

I've used the app of this repo.

Get JWT token

$ curl -i -X POST \
  "http://localhost:8080/realms/company-services/protocol/openid-connect/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=admin" \
  -d "password=admin" \
  -d "grant_type=password" \
  -d "client_id=movies-app"

Response

HTTP/1.1 200 OK
...
{
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ5eEFURmwwbzNzVjg1QzNWU21DYXo1NTNRYXhyUTZsT2k1QngtdEpmcEFZIn0.eyJleHAiOjE2OTEzNTgwMzAsImlhdCI6MTY5MTM1NzczMCwianRpIjoiYzVmNmIwMWItNWRhNC00ZDVhLWEyODAtZTBjNDczMTYyNDE4IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy9jb21wYW55LXNlcnZpY2VzIiwic3ViIjoiZWFkMDE1YTgtOThhNi00NDBiLWI1NDAtMjhiOWI0OTM0NWMzIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoibW92aWVzLWFwcCIsInNlc3Npb25fc3RhdGUiOiJhNWJhNTU5Ny01OGJiLTQ3YWUtYjVlZC0zZTUxYjA4OWVmMTkiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbImh0dHA6Ly9sb2NhbGhvc3Q6MzAwMCJdLCJyZXNvdXJjZV9hY2Nlc3MiOnsibW92aWVzLWFwcCI6eyJyb2xlcyI6WyJNT1ZJRVNfTUFOQUdFUiIsIk1PVklFU19VU0VSIl19fSwic2NvcGUiOiJlbWFpbCBwcm9maWxlIiwic2lkIjoiYTViYTU1OTctNThiYi00N2FlLWI1ZWQtM2U1MWIwODllZjE5IiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJhZG1pbiJ9.gdEmu4zoimr2beNjniTSk4ZC4adhwhyxqUwTMUHFQ9CHnoiaB6a83TS5MDLoIr-_k4LJRMag11peGPMEy2cUT6ZAk_u9rXXep-no4skEd-GdHCeXb-ZSJiPykc8QY3ZS6gu3TiqKjMjoDldKAzH92RMmn9Aqd66r5yYJouG4KgmGqGFx72p3TpskQJ-A90Iikuw6fQ125g_XDDNFov-Zhms-1BBnKJX7J9vkmNnlEK9QQOR8YIGsoMbOiMWI57Vdmsqm0Maq1UJ92MJk6ZHcIrUIEiu-SLr2QO9DycjarocSNrHfP5kAFSpuJwvVHEC_sNPbO-bfAaIqOveE09Ht0Q",
    "expires_in": 300,
    "refresh_expires_in": 1800,
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIzMzg4MzNjNS0wMzIwLTQzNWEtOGM4Yi1jYmZlZjEyODIxOWEifQ.eyJleHAiOjE2OTEzNTk1MzAsImlhdCI6MTY5MTM1NzczMCwianRpIjoiZjZjZmI1ODctY2RkMy00M2E3LWI3NzMtMjIzZTM5NzllMWQwIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy9jb21wYW55LXNlcnZpY2VzIiwiYXVkIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy9jb21wYW55LXNlcnZpY2VzIiwic3ViIjoiZWFkMDE1YTgtOThhNi00NDBiLWI1NDAtMjhiOWI0OTM0NWMzIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6Im1vdmllcy1hcHAiLCJzZXNzaW9uX3N0YXRlIjoiYTViYTU1OTctNThiYi00N2FlLWI1ZWQtM2U1MWIwODllZjE5Iiwic2NvcGUiOiJlbWFpbCBwcm9maWxlIiwic2lkIjoiYTViYTU1OTctNThiYi00N2FlLWI1ZWQtM2U1MWIwODllZjE5In0.GQ-mWo1mfQfuOEI20RHKzQut_DkM8rUu1Lfp9JmvkzM",
    "token_type": "Bearer",
    "not-before-policy": 0,
    "session_state": "a5ba5597-58bb-47ae-b5ed-3e51b089ef19",
    "scope": "email profile"
}

Set refresh_token to TOKEN env var

$ TOKEN=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIzMzg4MzNjNS0wMzIwLTQzNWEtOGM4Yi1jYmZlZjEyODIxOWEifQ.eyJleHAiOjE2OTEzNTk1MzAsImlhdCI6MTY5MTM1NzczMCwianRpIjoiZjZjZmI1ODctY2RkMy00M2E3LWI3NzMtMjIzZTM5NzllMWQwIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy9jb21wYW55LXNlcnZpY2VzIiwiYXVkIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy9jb21wYW55LXNlcnZpY2VzIiwic3ViIjoiZWFkMDE1YTgtOThhNi00NDBiLWI1NDAtMjhiOWI0OTM0NWMzIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6Im1vdmllcy1hcHAiLCJzZXNzaW9uX3N0YXRlIjoiYTViYTU1OTctNThiYi00N2FlLWI1ZWQtM2U1MWIwODllZjE5Iiwic2NvcGUiOiJlbWFpbCBwcm9maWxlIiwic2lkIjoiYTViYTU1OTctNThiYi00N2FlLWI1ZWQtM2U1MWIwODllZjE5In0.GQ-mWo1mfQfuOEI20RHKzQut_DkM8rUu1Lfp9JmvkzM

Call introspect endpoint using TOKEN

$ curl -i -X POST http://localhost:8080/realms/company-services/protocol/openid-connect/token/introspect \
  -d token=$TOKEN \
  -d client_id=movies-app

Response

HTTP/1.1 403 Forbidden
...
{"error":"invalid_request","error_description":"Client not allowed."}

Probably, there is some config we need to set for the client.

Call revoke endpoint using TOKEN

$ curl -i -X POST http://localhost:8080/realms/company-services/protocol/openid-connect/revoke \
  -d token=$TOKEN \
  -d client_id=movies-app

Response

HTTP/1.1 200 OK
...

@ivangfr
Copy link
Owner

ivangfr commented Aug 14, 2023

Hi @AdigaAkhil any feedback from your side on this issue? Thanks!

@ivangfr
Copy link
Owner

ivangfr commented Aug 20, 2023

Closing issue as no feedback was provided.

@ivangfr ivangfr closed this as completed Aug 20, 2023
@AdigaAkhil
Copy link
Author

Sorry @ivangfr, I was out on vacation. Thank you for the response. I'll look into it and let you know.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ivangfr @AdigaAkhil