
How to block access of specific client and revoke his issued tokens in admin console


I implemented an Authorization Server with Spring Boot and Keycloak using the following dependencies:

<dependency>
    <groupId>org.jboss.resteasy</groupId>
    <artifactId>resteasy-jackson2-provider</artifactId>
    <version>${resteasy.version}</version>
</dependency>

<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-dependencies-server-all</artifactId>
    <version>${keycloak.version}</version>
    <type>pom</type>
</dependency>

I defined a client with the client_credentials authorization flow in the Keycloak admin console. Everything is OK and the client can get its access_token and refresh_token.

Now, I want to be able to revoke the tokens issued to this client and also prevent it from getting new tokens. How and where can I do that in the Keycloak admin console?


Solution

  • Access Tokens cannot be revoked (at least in Keycloak). They are designed to be short-lived and it's very good practice to set their expiry time between 1 and 3 minutes.

    The only thing you can do is:

    • Evict all sessions of a particular user
    • Disable/deny access to this particular user (so that he will not get new tokens)
    • Change keys or regenerate secret credentials of a particular Client (so that it will not be possible to authenticate against it, nor will it issue new tokens)
    • Use the not-before push policy for all tokens, or disable/delete the Client or application

    More actions and details are available here: https://www.keycloak.org/docs/latest/server_admin/index.html#compromised-access-and-refresh-tokens

    "Token lifetime" and "Revoking access" topics are partly covered here:
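The same containment steps the answer lists for the admin console can be scripted against the Keycloak Admin REST API, which is useful when a client secret is believed to be compromised and you want a repeatable, auditable response. The following is an added example, not code from the question or from Keycloak's own documentation. It assumes the `org.keycloak:keycloak-admin-client` dependency on the classpath (the question's POM only lists `keycloak-dependencies-server-all`), an admin account in the `master` realm, and placeholder values for the server URL, realm name and client ID; the `admin-cli` client, the `findByClientId`, `generateNewSecret`, `pushRevocation`, `getServiceAccountUser` and `logout` calls are the admin client's real API, everything else (names, credentials) is constructed for the example.

```java
import java.util.List;

import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

/**
 * Contains a client_credentials client whose secret is suspected to be leaked:
 *  1. rotate its secret (old secret can no longer obtain tokens),
 *  2. set the client's not-before to "now" and push it, so tokens already
 *     issued are rejected by adapters/resource servers that honour not-before,
 *  3. log out the client's service-account user (evicts its sessions, which
 *     invalidates refresh tokens bound to them),
 *  4. disable the client so no new tokens are issued until it is re-enabled.
 * Access tokens that are still inside their lifetime remain valid for bearers that
 * do not check not-before, which is why a short access-token lifetime matters.
 */
public class RevokeCompromisedClient {

    // Placeholder values: replace with your own deployment's settings.
    private static final String SERVER_URL = "https://keycloak.example.test";   // assumption
    private static final String TARGET_REALM = "my-realm";                        // assumption
    private static final String COMPROMISED_CLIENT_ID = "billing-batch-job";      // assumption

    public static void main(String[] args) {
        String adminUser = System.getenv("KC_ADMIN_USER");   // never hard-code admin credentials
        String adminPass = System.getenv("KC_ADMIN_PASS");

        Keycloak keycloak = KeycloakBuilder.builder()
                .serverUrl(SERVER_URL)
                .realm("master")            // admin account lives in the master realm
                .clientId("admin-cli")      // built-in public client used for admin logins
                .username(adminUser)
                .password(adminPass)
                .build();

        RealmResource realm = keycloak.realm(TARGET_REALM);

        // Look the client up by its clientId; the REST API needs the internal UUID.
        List<ClientRepresentation> matches = realm.clients().findByClientId(COMPROMISED_CLIENT_ID);
        if (matches.isEmpty()) {
            throw new IllegalStateException("No client with clientId " + COMPROMISED_CLIENT_ID);
        }
        ClientResource client = realm.clients().get(matches.get(0).getId());

        // 1. Rotate the secret. The returned value must be delivered to the legitimate
        //    owner out of band; it is deliberately not printed here.
        client.generateNewSecret();

        // 2. Not-before "set to now" + push: equivalent to the admin console's
        //    Revocation tab. Keycloak stores not-before in seconds since the epoch.
        ClientRepresentation rep = client.toRepresentation();
        rep.setNotBefore((int) (System.currentTimeMillis() / 1000L));
        client.update(rep);
        client.pushRevocation();   // notifies registered adapters of the new not-before

        // 3. Evict sessions of the service-account user that backs client_credentials.
        //    Best effort: only meaningful if the server actually persists these sessions.
        UserRepresentation serviceAccount = client.getServiceAccountUser();
        if (serviceAccount != null) {
            realm.users().get(serviceAccount.getId()).logout();
        }

        // 4. Disable the client so it cannot obtain new tokens until re-enabled by an admin.
        rep = client.toRepresentation();
        rep.setEnabled(false);
        client.update(rep);

        System.out.println("Client " + COMPROMISED_CLIENT_ID + " contained in realm " + TARGET_REALM);
    }
}
```

Run it with the admin credentials in the environment (`KC_ADMIN_USER` / `KC_ADMIN_PASS`) rather than on the command line so they do not land in shell history. The order matters: rotating the secret and pushing not-before first closes the window in which an attacker holding the old secret could mint fresh tokens while you are still cleaning up, and disabling the client last keeps the earlier calls from failing on a client the server already treats as inactive.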