Is it possible to keep bearer token active if the user is active
You can keep the user info in Redis(For multiple servers to share this info), or you can put it in token directly,if the user info is very little.
Related
I am using Keycloak to secure my react front-end and node.js back-end. These clients are protected using role based authorization.
My front-end application registered in Keycloak as a public client and back-end registered as bearer only client. When a user logging in to the front-end, i am taking the access token for that particular user and i am using that access token to call back-end api layer.
When user logout from the front-end i am clearing the front-end client session of that particular user from Keycloak by using keycloak object logout method. That is working fine and user is logging out and redirected to the Keycloak login page.
But the issue is i can still use the access token of that logged out user to call back-end api. The access token is still valid even though the user logged out.
I tried this end point to revoke the user access token. But didn't work
/auth/admin/realms//users/
Is there a way to revoke the access token of a particular user in Keycloak ?
I think you can only revoke sessions but not issued access tokens. So the only solution for this is to choose a very short access token life span in combination with silent refresh, so the usability is still good and the maximum access time after session revocation is equal or less than token life span.
EDIT: There is an official guide about how to handle compromised tokens. They do not mention how to revoke an individual access token, so there is no documented way to do so. However, you can revoke all issued access keys by the described "not_before" way.
It's possible at least on KC 17.0 via /protocol/openid-connect/revoke but since it's auth endpoint, you have to provide both the token and client_id, because the server must validate if the token belongs to that specific client that's calling.
This means that along with client_id, you may also need to send a client_secret or whatever other accepted of authenticating the client app to the server -- much like it was done earlier while obtaining the token on /protocol/openid-connect/token.
Also worth noting that the token must be passed as POST form param or GET query param of that name: token, and not as a bearer header/etc.
BTW. Refresh tokens can be revoked with the same /openid-connect/revoke endpoint in the same way as access tokens, while the older, easier to find /openid-connect/logout still only handles id tokens and refresh tokens (POST a client_id, client_secret etc, and also either refresh_token or id_token_hint to be killed) and still rejects any attempts with access token. At least on KC 17.0
BTW. I have no idea if /revoke can handle id tokens. I doubt it, but RFCs seem to allow that as custom extenstion. I have not tried with KeyCloak 17.0
You could call the following endpoint to revoke an access token using a post
{serverName}/auth/realms/{realmName}/protocol/openid-connect/revoke
we are looking for some advice on how to use an access token within a long running background process that exceeds the token expiry. We are using Keycloak with OpenId Connect and we would like to stick to the standard. Maybe bend it a little bit, if necessary, but not overthrow it.
Use-Case:
User calls a service with his access token. The service starts a long running background process that calls other services. The access token is being sent to the other services in order to authorize the request and relate the action to the user (e.g. "changed by"). The background process may take days or even weeks.
Any ideas? Thanks in advance!
You need refresh token with offline_access scope. Such refresh token never expires and is used to get new access token when the old one expires.
To get refresh token with offline_access from KeyCloak user needs to have offline_access role and you should add "offline_access" to requested scopes.
More on this: https://stackoverflow.com/a/30638344/1540748
Another option is Client Credentials flow, but than you don't have user data in token.
I want to enforce a single user session feature for my Angular app because my customers share a single account with their coworkers.
The issue currently, with my implementation. is revoking a valid token stored a client's local storage, particularly a valid Refresh token.
The scenario is:
User 1 logs in with valid username and password, the bearer token will expire in an hour, the refresh token will expire in two weeks
User 2, uses the same username and password two hours later. User 2 is prompted that they are logged in on another device and asked the question of they would like to expire that session and start a new session.
User 2 says yes and the now User 1's session in invalid.
The problem is that User 1 still has a valid Refresh token.
I have no way revoke this refresh token. My Auth API will accept is valid and I will not know whether it is User 1 or User 2's refresh token.
Do I need to start storing refresh token values in my database to resolve this issue? I also thought I could use a different JwtAuthKeyBase64 for User1 and User2, as a way to invalidate User1's token but this doesn't seem like a good way to be using the ServiceStack JwtAuthProvider.
The JWT RefreshToken is used to contact the Auth Server to fetch a new JWT Bearer Token. It will only return a BearerToken if the User still has Access so you can lock the User Account by populating UserAuth.LockedDate which will prevent the user from retrieving a new JWT Bearer Token.
If you want more custom validation you can implement IUserSessionSource and throw an Exception in GetUserSession() to return an Error Response instead of the JWT Bearer Token.
O.K this is driving me crazy
I am using this node module
to perform oauth authorization. I can get the password grant working since it involves just sending the right headers to the token endpoint. Nice and simple.
Now I want to authorize using the authorization_code grant. However, I need an access token or session to determine what user I am. This issue talks about how to do that.
I am still a bit unsure about a few things after reading the issue:
Should I get the initial user token from password grant?
Should I have access tokens to signin users and access tokens to sign
clients?
One has only user info the other has user and client info.
OR, Should I implement a users session in my oauth server?
Thanks in advance
I have a question regarding security when working with refresh tokens. Lets say I have a web application which has access to a user's google calendar. Therefore I need to do the following steps:
Get a client ID and a client secret from Google.
The user of my web application gives permission to his calendar.
I get a refresh and an access token.
I send the access token to the Calendar API and get access to the user's calendar.
I can refresh the access token with the refresh token, which is saved in the database.
What would happen if someone gets access to my database or in general would have the refresh token of one of my users?
Can an attacker access the calendar with the refresh token or is the token linked to my client ID and client secret? Is it only possible to access the users calendar when my web application authenticates via the OAUTH2 API with my client ID and client secret?
Thank you
Yes, it is/should not be possible to use a refresh token with a different client than it was issued to.
Refresh tokens are typically opaque strings, but in the issuer they should be linked to the authenticated client. That is why you need to send your client is and secret along when you use the refresh token.
Assuming that the client is able to keep a client_id and client_secret from the attacker, the regular approach is to treat and store the refresh_token in the same way. So even though technically it is not possible to obtain a new access token without the client credentials, in practice the attacker would get a hold of the client credentials in the same way as he got hold of the refresh token.