Revoking offline token as the client

Scenario

I know that active offline tokens can be revoked by either the user - through the Account API, or the Admin - through the Admin REST API. What I would like to do is to enable the client to revoke its own active offline tokens. Assuming I have checked "Revoke Refresh Token", a particular offline token could be revoked when getting a new one. The problem is that I'm still getting an active new one. Also, a timeout-based approach won't really work in this scenario.

Question

Is there an existing way to achieve this, or will I have to create a custom endpoint?

Never mind.
Keycloak has a regular OAuth 2.0 Token Revocation Endpoint.
https://www.keycloak.org/docs/latest/securing_apps/#_token_revocation_endpoint

A good night's sleep does wonders sometimes…

1 Like
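The revocation call the answer points to, sketched as an added example that is not part of the original posts or of Keycloak's own code. It assumes the endpoint path `/realms/{realm}/protocol/openid-connect/revoke` (older releases prefix it with `/auth`) and a confidential client that sends its credentials in the form body; the host, realm, client and token values are constructed placeholders.

```python
import json
import urllib.error
import urllib.parse
import urllib.request


def build_revocation_request(base_url, realm, client_id, token, client_secret=None):
    """Build an RFC 7009 revocation request for a Keycloak realm (assumed path)."""
    url = "{}/realms/{}/protocol/openid-connect/revoke".format(
        base_url.rstrip("/"), urllib.parse.quote(realm, safe=""))
    # An offline token is a refresh token, so hint that type to the server.
    form = {"token": token, "token_type_hint": "refresh_token", "client_id": client_id}
    if client_secret is not None:
        # Confidential client: authenticate with the secret in the form body.
        form["client_secret"] = client_secret
    return urllib.request.Request(
        url,
        data=urllib.parse.urlencode(form).encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def revoke(request, timeout=10):
    """Send the request. Returns (ok, error_code_or_body).

    Per RFC 7009 the server answers 200 both when the token was revoked and
    when it was already invalid, so 200 means "this token is not usable".
    """
    try:
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            return resp.status == 200, ""
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", "replace")
        try:
            # OAuth error responses carry a JSON "error" code, e.g. invalid_client.
            return False, json.loads(body).get("error", body)
        except ValueError:
            return False, body


if __name__ == "__main__":
    # Constructed values; nothing is sent over the network here.
    req = build_revocation_request(
        "https://sso.example.test", "demo", "my-app", "OFFLINE_TOKEN_PLACEHOLDER", "s3cret")
    print(req.get_method(), req.full_url)
```

Because the token is a bearer credential, the request belongs on TLS only, and the token value should be kept out of client logs.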