Invalidate ExecuteActionsActionToken when new one is issued

Hi there,

when using execute actions endpoint (via REST or admin ui) to send a URL to a user to e.g. update their password, those tokens may be “single use” (depending on the triggered required action).
After the user has executed the action, the URL (better: the token in the URL) is saved in infinispan cache (SingleUseObjectProvider).

First problem: when Keycloak is restarted after the user has executed the action, the token is valid again because cache is lost (at least when whole cluster is restarted at once or when using only one single instance)

Second problem: we have the requirement to invalidate old tokens when a new token is issued.
E.g. when an admin triggers “Update Password” twice the first token should be revoked.
Since tokens are stored in cache AFTER they have been used (see above), we cannot use SingleUseObjectProvider.
Our idea was to save all tokens in a DB table and implement our own ExecuteActionsActionTokenHandler with a custom verifier in getVerifiers checking if the token is listed in the table.
But we are not sure where we can store new tokens. There is only one new ExecuteActionsActionToken (...) in UserResource, but how to overwrite this single method to instantiate the token and write it to DB?

Thanks for your ideas!

For the first problem you can actually configure infinispan as an external system. In this way you can separate the deployments of Keycloak from the deployments of Infinispan, but you will get a whole set of different problems :slight_smile:

Or maybe you can configure that specific infinispan cache to be persistent