Revoking or invalidating an authorization token?

Hi,

My apologies for crossposting. I wasn’t sure if the right place to ask this was here or on the Google Group.

I’m trying to figure out if Keycloak supports any sort of token revocation as described in RFC 7009, like with a /revoke API endpoint. I can’t seem to find it in the documentation. I see that there is a /logout API that can take a token (?), but I’m assuming that this would cause the user to have to log in again…

Here’s my use case - perhaps someone can help me understand if Keycloak supports this well.

  • A user is logged into my app, potentially on multiple devices (web, mobile, etc.)
  • The user makes a change to his subscription (e.g., he upgrades to a premium membership, or downgrades) while on one device
  • When he goes to the other device, where he is still logged in, his new membership is not reflected as it is only fetched by the app when an authorization token is obtained (the membership status would be in the JWT token) and as a result, he has the wrong level of access
  • If the user makes such a change on device A, I would like to be able to revoke or invalidate any tokens being used by device B to force it to get a new authorization token
  • I do not want this to result in the user having to log in again on device B, I just want them to get the new authorization (“silent” reauthentication would be fine as long as the user is not prompted for credentials, so if it is possible to invalidate just the authorization but not the authentication, that would be fine)

Is there a straightforward way to accomplish this? Can it be done with /logout somehow? Is it a better practice simply to use very short-lived authentication tokens to avoid this problem?

Thanks!
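
The scenario in the post above, worked through as an added example (this is not Keycloak code and not from the original poster; it is a self-contained stand-in for an IdP, using HS256 with an inline demo key, a constructed fixed clock and the hypothetical user "alice"). It shows the two points a practitioner needs: a self-contained JWT stays valid until `exp` no matter what changes on the server, so the access-token lifespan is the staleness window; and a `refresh_token` grant picks up the new `membership` claim without a credential prompt, whereas ending the session (what a logout/end_session call does) forces a fresh interactive login on the other device.

```python
"""Staleness window of a membership claim carried in a self-contained JWT, and a
silent refresh_token grant to pick up the change. Constructed example, not
Keycloak's implementation; HS256 with an inline demo key."""
import base64
import hashlib
import hmac
import json
import secrets

DEMO_KEY = b"demo-hs256-key-do-not-use-in-production"  # constructed for the example


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Minimal HS256 JWT (header.payload.signature) for the simulation."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, now: float, key: bytes = DEMO_KEY) -> dict:
    """Check signature and exp; raise ValueError on tamper or expiry.
    Note what is NOT here: no call back to the server. A correctly signed token
    is accepted until exp, which is the root of the multi-device problem."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if now >= claims["exp"]:
        raise ValueError("expired")
    return claims


class AuthServer:
    """Stand-in for the identity provider (hypothetical, not Keycloak). A session
    can be ended; an already-issued access token cannot be recalled."""

    def __init__(self, access_ttl: int):
        self.access_ttl = access_ttl
        self.membership: dict[str, str] = {}
        self.sessions: dict[str, str] = {}  # refresh token -> user
        self.interactive_logins = 0

    def _access_token(self, user: str, now: float) -> str:
        return sign_jwt({
            "sub": user,
            "membership": self.membership[user],  # snapshot taken at issue time
            "iat": int(now),
            "exp": int(now) + self.access_ttl,
        })

    def login(self, user: str, now: float) -> tuple[str, str]:
        """The credential prompt happens here; returns (access_token, refresh_token)."""
        self.interactive_logins += 1
        refresh = secrets.token_urlsafe(16)
        self.sessions[refresh] = user
        return self._access_token(user, now), refresh

    def refresh(self, refresh_token: str, now: float) -> str:
        """grant_type=refresh_token: new access token, no credentials asked,
        claims re-read from current server state."""
        user = self.sessions.get(refresh_token)
        if user is None:
            raise PermissionError("session ended, interactive login required")
        return self._access_token(user, now)

    def end_session(self, refresh_token: str) -> None:
        """Session-level logout: every device holding this session must log in again."""
        self.sessions.pop(refresh_token, None)


class Device:
    """One installed app instance holding its own tokens."""

    def __init__(self, server: AuthServer, user: str, now: float):
        self.server = server
        self.access, self.refresh = server.login(user, now)

    def membership(self, now: float) -> str:
        """Read the claim, refreshing silently only once the local token has expired."""
        try:
            claims = verify_jwt(self.access, now)
        except ValueError:
            self.access = self.server.refresh(self.refresh, now)
            claims = verify_jwt(self.access, now)
        return claims["membership"]


def simulate(access_ttl: int) -> dict:
    """Walk through the two-device scenario and report what device B observes."""
    t0 = 1_700_000_000.0  # constructed fixed clock so the run is deterministic
    server = AuthServer(access_ttl)
    server.membership["alice"] = "basic"
    device_a = Device(server, "alice", t0)
    device_b = Device(server, "alice", t0)

    # Device A upgrades; server state changes at once, device B's token does not.
    server.membership["alice"] = "premium"
    seen_now = device_b.membership(t0 + 1)
    seen_after_expiry = device_b.membership(t0 + access_ttl + 1)  # silent refresh
    logins_so_far = server.interactive_logins

    # Contrast: ending the session makes device B's next refresh fail.
    server.end_session(device_b.refresh)
    try:
        device_b.membership(t0 + 2 * access_ttl + 2)
        after_end_session = "still authorized"
    except PermissionError:
        after_end_session = "re-login required"

    return {
        "seen_immediately_after_upgrade": seen_now,
        "seen_after_expiry": seen_after_expiry,
        "staleness_window_seconds": access_ttl,
        "interactive_logins": logins_so_far,
        "after_end_session": after_end_session,
    }


if __name__ == "__main__":
    print(json.dumps(simulate(access_ttl=300), indent=2))
```

The number to tune is `access_ttl`: with a 5-minute access token the other device is wrong for at most 5 minutes and then corrects itself on its next silent refresh, with no prompt. Shortening it further trades staleness for more token-endpoint traffic, and still never lets you pull a specific token early.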

Any news on this, @mlevin2?

“You can revoke the session (i.e., by invoking the end_session_endpoint), but not individual tokens. I doubt we’d add revocation for individual tokens as that would require much more state maintained on the server side.”

Ref:

Also see: