keycloak / keycloak

Open Source Identity and Access Management For Modern Applications and Services
https://www.keycloak.org
Apache License 2.0

Ability to remove offline_access tokens from the Account Management client and/or Admin interface #15502

Open ddurham2 opened 1 year ago

ddurham2 commented 1 year ago

Description

I have found that offline_access refresh tokens (or their sessions rather) are not removed even if you sign out all sessions from the admin UI or from the user's Account management interface.

This seems like a gap in functionality: If a user signs in to a device/app to their account so that that device/app can have access to their account, it should be possible for that user to revoke that device's access from their management interface like they can with online sessions.

Perhaps I missed it? Is there some permission I need to grant to the Account client? I'd suppose I could, except not even admins can revoke offline sessions from the admin interface.

Worse, I'm finding that non-expiring offline sessions just build up in the offline_user_session and offline_client_session tables. (Devices/apps can be discarded, leaving no way for the user even to sign out from there.)

Discussion

No response

Motivation

Proper user and/or admin control over offline sessions.

Cleanable cruft in the db.

Plenty of online services allow you to sign out devices under account management and don't require going to the physical device (which may not be in their possession any longer).

Details

No response

sschu commented 1 year ago

To delete offline sessions, you have to revoke the consent for the client.

ddurham2 commented 1 year ago

Is there a way for the user to do that from their Account console, or for the admin to do it?

sschu commented 1 year ago

That should be in the account console.

ddurham2 commented 1 year ago

Not that I can see. An offline session issued through my client results in an already expired sign-in, but signing out doesn't erase the offline session from the db and doesn't eliminate the consent.


There is an Applications section, and it shows the client, but nothing is actionable to unlink it. Nothing additional shows up even when setting the theme to 'base'.


The user has all of the 'account' client's roles (including manage-content).

I would expect to see it under Device Activity, since that's where we can see my account potentially signed in under that client on multiple devices.

Any ideas?

jbman commented 1 year ago

If any scope has been requested which requires consent, the Application section lists the client and a "Remove Access" button. This executes the following request: DELETE https://keycloak.example.com/auth/realms/example/account/applications/postman/consent

I also think it isn't optimal that this can be achieved by consent revocation only. A user who loses a device would expect that signing out from a device also kills the access capability of the mobile apps installed. This however shouldn't be a complete consent revocation for any app but just a removal of the offline sessions at Keycloak. The apps still have consent, but their refresh tokens will not be accepted any more. They should be able to get a new one by a regular login without the consent screen being presented.

ddurham2 commented 1 year ago

@jbman , thanks for the info. I agree with your assessment of the functionality as well.

Nevertheless, your screenshot for sure shows what I'm looking for. As I mentioned, I've given the user manage-content from the account client (along with all the other perms), and the user doesn't have the Remove Access button. Any ideas why not? (Keycloak v18)

sschu commented 1 year ago

Does your client require consent in the first place?

ddurham2 commented 1 year ago

Ah! You nailed it. No, it's for a mobile app, so it doesn't require consent. But when I enabled consent-required, logged back in, it requested consent, and then the revoke consent part of the UI started showing up.

Unfortunately, that means there's a gap in the offline access functionality (IMO at least). For a client that doesn't require consent, there's no way for the user to remove the offline session, which is especially a problem for a mobile app where the user may have lost the device. <-- Feature request

For now, I'm planning to just go with a long max session time. TMK, signing out of that session from the Device Activity page should provide the needed control. But unfortunately the user will eventually need to log in again on the mobile app for no apparent reason to them.
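The consent-revocation request jbman quotes above, and the gap ddurham2 describes (a client that never asked for consent has no consent to revoke), as an added example that is not part of this thread or of Keycloak's own code. The base URL, realm and client ids are taken from the request in the thread; the JSON field names for the account console's applications listing (clientId, offlineAccess, consent) are assumptions, and the sample listing is constructed.

```python
import urllib.request
from urllib.parse import quote

# Constructed sample of entries as the account console's applications listing
# would show them; the field names are an assumption, not copied from Keycloak.
SAMPLE_APPLICATIONS = [
    {"clientId": "postman", "userConsentRequired": True, "offlineAccess": True,
     "consent": {"grantedScopes": [{"name": "offline_access"}]}},
    {"clientId": "mobile-app", "userConsentRequired": False, "offlineAccess": True,
     "consent": None},
    {"clientId": "web-spa", "userConsentRequired": False, "offlineAccess": False,
     "consent": None},
]


def consent_url(base_url, realm, client_id):
    """Build the DELETE target from the thread, e.g.
    https://keycloak.example.com/auth/realms/example/account/applications/postman/consent"""
    return (f"{base_url.rstrip('/')}/realms/{quote(realm, safe='')}"
            f"/account/applications/{quote(client_id, safe='')}/consent")


def split_offline_clients(applications):
    """Return (revocable, stuck): clients holding offline access whose consent the
    user can remove from the console, versus clients with offline access but no
    consent record (consent not required), which is the gap the thread reports."""
    revocable, stuck = [], []
    for app in applications:
        if not app.get("offlineAccess"):
            continue
        (revocable if app.get("consent") else stuck).append(app["clientId"])
    return revocable, stuck


def revoke_consent(base_url, realm, client_id, access_token,
                   opener=urllib.request.urlopen):
    """Send the DELETE from the thread with the user's own account access token.
    `opener` is injectable so the call can be exercised without a live server."""
    req = urllib.request.Request(
        consent_url(base_url, realm, client_id),
        method="DELETE",
        headers={"Authorization": f"Bearer {access_token}"},
    )
    with opener(req) as resp:
        return resp.status  # assumed: 204 No Content on success
```

Revoking consent removes every offline session of that client for the user, as kherock notes below; there is no finer-grained per-token call on the account endpoint.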

kherock commented 3 months ago

Any updates on this issue? Still observing this today on Keycloak 22. Trying to build a feature that allows users to sign out of devices.

I have 2 main complaints with the existing implementation:

  1. revoking one offline token also revokes the consent, thereby also revoking all other offline tokens for that user. Intuitively, I would expect that revoking one token would be strictly limited to the offline session associated with the token.
  2. it is not possible to delete offline tokens from the admin API. Requests respond with 404 Not Found and the offline tokens remain valid.