Revoke Keycloak access token
I am using Keycloak to secure my React front-end and Node.js back-end. These clients are protected using role-based authorization.

My front-end application is registered in Keycloak as a public client and the back-end is registered as a bearer-only client. When a user logs in to the front-end, I take the access token for that particular user and use that access token to call the back-end API layer.

When the user logs out from the front-end, I clear the front-end client session of that particular user from Keycloak by using the Keycloak object's logout method. That is working fine: the user is logged out and redirected to the Keycloak login page.

But the issue is that I can still use the access token of that logged-out user to call the back-end API. The access token is still valid even though the user logged out.

I tried this endpoint to revoke the user's access token, but it didn't work: /auth/admin/realms//users/

Is there a way to revoke the access token of a particular user in Keycloak?

Callicrates answered 10/6, 2020 at 8:51 Comment(0)
I think you can only revoke sessions but not issued access tokens. So the only solution for this is to choose a very short access token life span in combination with silent refresh, so the usability is still good and the maximum access time after session revocation is equal to or less than the token life span.

EDIT: There is an official guide about how to handle compromised tokens. They do not mention how to revoke an individual access token, so there is no documented way to do so. However, you can revoke all issued access keys by the described "not_before" way.

Halve answered 11/6, 2020 at 20:17 Comment(0)
It's possible at least on KC 17.0 via /protocol/openid-connect/revoke, but since it's an auth endpoint, you have to provide both the token and client_id, because the server must validate that the token belongs to the specific client that's calling.

This means that along with client_id, you may also need to send a client_secret or whatever other accepted means of authenticating the client app to the server -- much like it was done earlier while obtaining the token on /protocol/openid-connect/token.

Also worth noting that the token must be passed as a POST form param or GET query param of that name, token, and not as a bearer header/etc.

BTW. Refresh tokens can be revoked with the same /openid-connect/revoke endpoint in the same way as access tokens, while the older, easier to find /openid-connect/logout still only handles id tokens and refresh tokens (POST a client_id, client_secret etc., and also either refresh_token or id_token_hint to be killed) and still rejects any attempts with an access token. At least on KC 17.0.

BTW. I have no idea if /revoke can handle id tokens. I doubt it, but RFCs seem to allow that as a custom extension. I have not tried with KeyCloak 17.0.

Misquote answered 13/5, 2022 at 17:55 Comment(1)
Also see the following documentation: keycloak.org/docs/latest/securing_apps/…Hardison
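As an added example (not code from the answer above or from the Keycloak project), here is what the request shapes described in this answer look like from a Node.js client: the revocation request carries the token as a form parameter named `token` (never as a bearer header) and authenticates the client, while the logout request takes a `refresh_token`. The base URL, realm, client id and secret are placeholders; whether the `/auth` prefix is present depends on the Keycloak version, as the other answers note.

```javascript
// Added example: building Keycloak revoke and logout requests (placeholders throughout).
const KEYCLOAK_BASE = "https://keycloak.example.test/auth"; // assumption: adjust or drop "/auth"
const REALM = "myrealm";                                   // assumption

function realmEndpoint(name) {
  return `${KEYCLOAK_BASE}/realms/${REALM}/protocol/openid-connect/${name}`;
}

// RFC 7009 revocation: the token goes in the x-www-form-urlencoded body under
// the name "token", and the client authenticates itself. Here we use HTTP Basic
// (client_secret_basic); sending client_id/client_secret as form fields also works.
function buildRevokeRequest({ clientId, clientSecret, token, tokenTypeHint }) {
  const body = new URLSearchParams({ token });
  if (tokenTypeHint) body.set("token_type_hint", tokenTypeHint); // "access_token" or "refresh_token"
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
  return {
    method: "POST",
    url: realmEndpoint("revoke"),
    headers: {
      "Content-Type": "application/x-www-form-urlencoded",
      Authorization: `Basic ${basic}`,
    },
    body: body.toString(),
  };
}

// The logout endpoint, by contrast, expects client credentials plus a
// refresh_token (or id_token_hint) in the form body; an access token is rejected.
function buildLogoutRequest({ clientId, clientSecret, refreshToken }) {
  const body = new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    refresh_token: refreshToken,
  });
  return {
    method: "POST",
    url: realmEndpoint("logout"),
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

// Sends a prepared request. RFC 7009 defines success as HTTP 200 with an
// empty body; the fetch implementation is injectable (Node 18+ has a global one).
async function sendRevoke(request, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(request.url, {
    method: request.method,
    headers: request.headers,
    body: request.body,
  });
  return { ok: res.status === 200, status: res.status };
}
```

Revoking the access token this way tells Keycloak about it, but the back-end only notices if it checks with Keycloak rather than validating the token's signature and expiry locally.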
You could call the following endpoint to revoke an access token using a POST request:

{serverName}/auth/realms/{realmName}/protocol/openid-connect/revoke

Principal answered 24/6, 2021 at 10:45 Comment(2)
After calling revoke, the token can still be used to call endpoints that are allowed only with a token. I have this problem. Dragonfly
If the endpoint does an online validation with Keycloak, this should not happen. The endpoint is probably doing an offline validation, which is the correct thing to do since you don't want to be hitting Keycloak every time your endpoint is called. That's why access tokens need to be short lived. Darien
