RHBK-3933 (Red Hat build of Keycloak)

Refresh token allowed for offline session even when the related scope is removed [GHI#43734]

      Area

      oidc

      Describe the bug

      An offline session continues to be valid when the offline_access scope is removed from the client. The idea is that the refresh operation should return an error if the scope is not assigned to the client anymore. This can confuse administrators, who think removing the scope is enough and do not remove the associated sessions. Better if we avoid this and return an error saying invalid scope or similar.

      Version

      26.4.2

      Regression

      [ ] The issue is a regression

      Expected behavior

      The refresh token fails because of the scope issue.

      Actual behavior

      The refresh token is valid and a new token is obtained.

      How to Reproduce?

      1. Initiate an offline session with a code-to-token login using a client.
      2. In the related client, remove the offline_access scope.
      3. Refresh the token to obtain a new access token.

      Anything else?

      No response
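
The reproduction steps above, turned into the server-side decision the report asks for. This is an added example and not Keycloak's own code: it models refresh-token claims with constructed unsigned JWTs (a real token is signed and the server verifies the signature before looking at claims), and `refresh_decision`, `client_scopes` and the client name `my-app` are names assumed here for illustration. The set of scopes assigned to the client is assumed to be collected by the caller from the admin REST API's default-client-scopes and optional-client-scopes lists of that client.

```python
import base64
import json
from typing import Dict, Set, Tuple

# ---- minimal unsigned-JWT helpers for constructed sample tokens ----
# Signature verification is deliberately not modelled; the real server
# rejects a token whose signature does not verify before any of this runs.

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_unsigned_jwt(claims: dict) -> str:
    """Build 'header.payload.' with an empty signature (offline demo only)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."

def decode_claims(jwt: str) -> dict:
    """Return the payload claims of a JWT; no signature check (see above)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    return json.loads(_b64url_decode(parts[1]))

# Constructed sample claims shaped like Keycloak refresh tokens:
# "typ" is "Offline" for an offline session and "Refresh" for an ordinary one,
# "azp" is the client the token was issued to, "scope" the granted scopes.
OFFLINE_TOKEN = make_unsigned_jwt({
    "typ": "Offline", "azp": "my-app",
    "scope": "openid profile email offline_access",
})
ONLINE_TOKEN = make_unsigned_jwt({
    "typ": "Refresh", "azp": "my-app",
    "scope": "openid profile email",
})

def refresh_decision(refresh_token: str, client_id: str,
                     client_scopes: Set[str]) -> Tuple[bool, Dict[str, str]]:
    """Decide whether a refresh grant may proceed (hypothetical policy).

    client_scopes: names of the client scopes currently assigned to the client
    (default plus optional), as read from the admin API by the caller.
    Returns (True, {"scope": ...}) when allowed, otherwise
    (False, {"error": ..., "error_description": ...}) in OAuth 2.0 error form.
    """
    claims = decode_claims(refresh_token)
    if claims.get("azp") != client_id:
        return False, {"error": "invalid_grant",
                       "error_description": "token was not issued to this client"}
    # The check the report asks for: an offline refresh must fail once
    # offline_access is no longer assigned to the client, instead of
    # silently minting a new access token.
    if claims.get("typ") == "Offline" and "offline_access" not in client_scopes:
        return False, {"error": "invalid_scope",
                       "error_description": "offline_access is no longer assigned to the client"}
    # Removal of other client scopes is outside this report and left untouched.
    return True, {"scope": claims.get("scope", "")}

if __name__ == "__main__":
    assigned = {"profile", "email", "offline_access"}
    print("scope still assigned:", refresh_decision(OFFLINE_TOKEN, "my-app", assigned))
    assigned.discard("offline_access")          # step 2 of the reproduction
    print("scope removed:       ", refresh_decision(OFFLINE_TOKEN, "my-app", assigned))
```

With `offline_access` assigned, the offline refresh is allowed; after the scope is removed from `client_scopes` the same token is refused with `invalid_scope`, which is the behaviour the report expects, while an ordinary (non-offline) refresh token is unaffected by that particular check. Until the server behaves this way, removing the scope from the client has to be paired with revoking the user's existing offline sessions, otherwise the tokens stay usable exactly as the report describes.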

Assignee: Unassigned
Reporter: Pavel Vlha (pvlha)
Component: Keycloak Core Clients