Revocation of refresh token also revokes client consent #12916
Comments
This issue also exists with offline tokens.

The actual issue seems to be here: keycloak/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenRevocationEndpoint.java Line 239 in 63614b1

@derkoe The typical use-case for token revocation is when the particular token is compromised. Hence the reason why there is also revocation of user consent, which is for the security reason. As you cited, the specification mentions What is exactly your actual use-case for calling token revocation? I wonder if it is an alternative for you to rather call "logout" instead of "token revocation"? You can call either OIDC logout from the browser or with the logout token (OIDC backchannel logout), or you can call the logout endpoint with the refresh token as a parameter: https://github.com/keycloak/keycloak/blob/18.0.0/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java#L351

All other identity providers we tried did not have this "feature" - maybe this should be put behind a configuration.
We'd like to log out from a native mobile application and we were not sure if the refresh token was also invalidated with that logout.

Sure, it is. Logout will automatically invalidate the refresh token and all the underlying access tokens as well as the session. It won't be possible at all to refresh the token after the logout.

@derkoe Were you able to use the approach with the logout? Is it possible to close this issue?

@mposolda yes, we used the logout approach. I think it would be good to put this in the docs: keycloak/keycloak-documentation#1664

@derkoe I've merged your documentation PR. Thanks for it!
Describe the bug
When an OpenID Connect client revokes a refresh token with /auth/realms/{realm}/protocol/openid-connect/revoke, the user consent is also being revoked. The Keycloak documentation and the OAuth 2.0 docs do not mention such a behaviour.

Version
16.0.1

Expected behavior
The expected behaviour when revoking a refresh token is that this token (and all related access tokens) will be revoked.
https://datatracker.ietf.org/doc/html/rfc7009#section-2.1

Actual behavior
Keycloak does not only revoke the tokens, it also revokes the client consent here:
keycloak/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenRevocationEndpoint.java
Line 117 in 63614b1

How to Reproduce?
Call the /auth/realms/{realm}/protocol/openid-connect/revoke endpoint with the refresh token.

Anything else?
No response
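The two calls discussed in this thread, the revocation endpoint from the bug report and the logout endpoint with a refresh token that the maintainer suggests instead, as an added example (not Keycloak's code and not posted by anyone in the thread). It runs both client calls against a small in-process stub that models only the behaviour the thread describes: revoke drops the refresh token and the client consent, logout ends the session and the tokens bound to it but leaves the consent in place. The realm name, client id, client secret, token values, and the stub's internal state are constructed; the endpoint paths and form parameters (token, token_type_hint, refresh_token, client_id, client_secret) are those of RFC 7009 and Keycloak's OIDC logout endpoint.

```python
"""Revoke vs. logout with a refresh token, exercised against an in-process stub.

Added example, not Keycloak's code. The stub models only what the issue thread
describes: POST .../revoke invalidates the refresh token AND the client's
consent, while POST .../logout with refresh_token ends the session (and the
tokens bound to it) but leaves the consent in place.
"""
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed values; a real client would load these from its configuration.
REALM = "demo"
CLIENT_ID = "mobile-app"
CLIENT_SECRET = "constructed-client-secret"

# Constructed server-side state: refresh token -> session id, and the set of
# clients this user has granted consent to.
SESSIONS = {"rt-session-1": "sess-1", "rt-session-2": "sess-2"}
CONSENTS = {CLIENT_ID}


class StubKeycloak(BaseHTTPRequestHandler):
    """Stand-in for the two endpoints, with the semantics described in the issue."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = dict(urllib.parse.parse_qsl(self.rfile.read(length).decode()))
        if form.get("client_id") != CLIENT_ID or form.get("client_secret") != CLIENT_SECRET:
            self._reply(401)
            return
        if self.path.endswith("/protocol/openid-connect/revoke"):
            # Behaviour reported in the issue: the token and the consent both go.
            SESSIONS.pop(form.get("token"), None)
            CONSENTS.discard(CLIENT_ID)
            self._reply(200)  # RFC 7009: 200 with an empty body
        elif self.path.endswith("/protocol/openid-connect/logout"):
            # Logout ends the session; tokens bound to it can no longer be refreshed.
            SESSIONS.pop(form.get("refresh_token"), None)
            self._reply(204)
        else:
            self._reply(404)

    def _reply(self, status):
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the stub silent
        pass


def _post_form(url, fields):
    """Send an application/x-www-form-urlencoded POST and return the HTTP status."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req) as resp:
        return resp.status


def revoke_refresh_token(base_url, realm, refresh_token):
    """RFC 7009 revocation: the call the bug report is about."""
    url = f"{base_url}/auth/realms/{realm}/protocol/openid-connect/revoke"
    return _post_form(url, {"token": refresh_token, "token_type_hint": "refresh_token",
                            "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET})


def logout_with_refresh_token(base_url, realm, refresh_token):
    """The alternative from the maintainer's reply: logout, passing the refresh token."""
    url = f"{base_url}/auth/realms/{realm}/protocol/openid-connect/logout"
    return _post_form(url, {"refresh_token": refresh_token,
                            "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET})


def start_stub():
    """Start the stub on a free loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), StubKeycloak)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def demo():
    """Run both flows once; returns the (sessions, consents) snapshot after each."""
    server, base_url = start_stub()
    try:
        logout_with_refresh_token(base_url, REALM, "rt-session-2")
        after_logout = (dict(SESSIONS), set(CONSENTS))
        revoke_refresh_token(base_url, REALM, "rt-session-1")
        after_revoke = (dict(SESSIONS), set(CONSENTS))
    finally:
        server.shutdown()
        server.server_close()
    return after_logout, after_revoke


if __name__ == "__main__":
    logout_state, revoke_state = demo()
    print("after logout:", logout_state)  # session gone, consent kept
    print("after revoke:", revoke_state)  # session gone, consent gone
```

Against a real Keycloak the stub is simply replaced by the server's base URL; the client functions stay the same. The snapshot after logout shows why the maintainer's suggestion answers the mobile-app case: the refresh token can no longer be used, yet the user is not asked to consent again on the next login.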