Rasool Ghafari

Reputation: 4268

How to limit the access token count for each user in Keycloak

I am using Keycloak as an authorization server and implemented resource servers with Spring Boot. Now I want to limit the active JWT token count for each user. So after I googled this issue, I found that I should use this mechanism: when the user logs into the system, if the user has an older token, that token is stored in a blacklist, and then on each request that the user makes to the resource server, validate the token by calling the introspection endpoint of Keycloak and then check whether the given token is in the blacklist or not.

But I found that Spring Security does not call the introspection endpoint to validate the JWT token and uses local validation instead.

What is the best approach to implement this requirement?

Upvotes: 0

Views: 1117
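Local JWT validation only checks signature and expiry, so a resource server can never learn that a still-valid token was superseded; the introspection-plus-blacklist flow described in the question can be wired into Spring Security by switching the resource server to opaque-token introspection and wrapping the introspector. This is an added example, not code from the question or answer, and it assumes a placeholder Keycloak realm URL, a hypothetical `TokenDenylist` populated at login, and Keycloak's introspection response carrying the token's `jti` claim.

```java
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.server.resource.introspection.BadOpaqueTokenException;
import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ResourceServerConfig {

    // Hypothetical denylist of superseded token ids (jti), filled in by the
    // login flow when a user obtains a new token. In-memory here; a shared
    // store would be needed across several resource-server instances.
    public static class TokenDenylist {
        private final Set<String> revokedJti = ConcurrentHashMap.newKeySet();
        public void revoke(String jti) { revokedJti.add(jti); }
        public boolean contains(String jti) { return revokedJti.contains(jti); }
    }

    @Bean
    TokenDenylist tokenDenylist() { return new TokenDenylist(); }

    @Bean
    OpaqueTokenIntrospector introspector(TokenDenylist denylist) {
        // Every request now costs one round trip to Keycloak; this is the
        // price of being able to reject a token before it expires.
        OpaqueTokenIntrospector keycloak = new NimbusOpaqueTokenIntrospector(
            "https://keycloak.example.org/realms/demo/protocol/openid-connect/token/introspect", // placeholder
            "resource-server-client", "client-secret");                                         // placeholders
        return token -> {
            // Keycloak answers active:false (and this throws) for expired or logged-out tokens.
            OAuth2AuthenticatedPrincipal principal = keycloak.introspect(token);
            String jti = principal.getAttribute("jti");
            if (jti == null || denylist.contains(jti)) {
                throw new BadOpaqueTokenException("token superseded by a newer login");
            }
            return principal;
        };
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, OpaqueTokenIntrospector introspector) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.opaqueToken(opaque -> opaque.introspector(introspector)));
        return http.build();
    }
}
```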

Answers (1)

ch4mp

Reputation: 12659

There can be good reasons for a user to have simultaneous tokens: in Single Sign-On scenarios, you can authenticate on the same authorization server with various clients. You'll get a token per client.

I would just reduce token lifespan. Wouldn't access tokens expiring after 30s solve your concern?

JWT access tokens should be quite short-lived, and serious client libs handle silent access-token renewal.

On Keycloak, this is tuned in "advanced settings" for each client.

Upvotes: 1
