Revoke Keycloak JWT token

Dear Team,

I would like to inquire about the potential solution for revoking access tokens in Tyk Gateway in the event of a forced user logout. The tokens are generated by Keycloak, and the API in Tyk Gateway verifies JWT tokens via the JWKs endpoint.

Thanks,
Vinh

Hi Vinh

When an access token is revoked, the JWT TTL should be reset in the IdP (Keycloak), and then when Tyk validates during an API access, the JWT validation will fail, thereby revoking API access.

Warm regards
Sandeep

Hi Sandeep,

I still have concerns. How does the gateway know that the JWT has been revoked in the Identity Provider (IdP)? The gateway self-validates the token using the public key but does not invoke the introspection endpoint.

Regards,
Vinh

My use case is following workflow here: https://tyk.io/docs/basic-config-and-security/security/authentication-authorization/json-web-tokens#jwt-workflow

Hi Vinh

Reducing the TTL was an alternative workaround, not a replacement for introspection. If you need to revoke access for a token that was revoked by a user logout, that has to be known by Tyk. In Tyk you will need a custom plugin for introspection of the token.

Warm regards
Sandeep
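As an added illustration of what such a plugin has to do (this is example code written for this page, not Tyk's or Keycloak's own code and not from the thread): the gateway-side logic asks Keycloak's RFC 7662 introspection endpoint whether the token is still active, caches the verdict for a short TTL so that not every API call costs an IdP round trip, and denies on any transport or non-200 error without caching that denial (fail closed). Keycloak exposes introspection at `<realm base>/protocol/openid-connect/token/introspect`; the realm name `demo`, the host `keycloak.example.com` and the client `tyk-gateway` are hypothetical. Wiring `IntrospectingValidator.is_active()` into a Tyk custom plugin hook (Python, Go or gRPC) is not shown; the HTTP transport is injectable so the `demo()` walk-through runs offline against a constructed fake Keycloak.

```python
import base64
import hashlib
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, Tuple

# Hypothetical deployment values; none of these come from the original thread.
INTROSPECT_URL = ("https://keycloak.example.com/realms/demo"
                  "/protocol/openid-connect/token/introspect")
CLIENT_ID = "tyk-gateway"      # confidential client permitted to introspect
CLIENT_SECRET = "change-me"    # load from a secret store in a real deployment
CACHE_TTL_SECONDS = 30         # upper bound on "logged out but still accepted"

# Transport: (url, form_fields, headers) -> (http_status, response_body_bytes)
Poster = Callable[[str, Dict[str, str], Dict[str, str]], Tuple[int, bytes]]


def http_post_form(url: str, fields: Dict[str, str], headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Real transport using the standard library; the offline demo injects a fake instead."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=3) as resp:
        return resp.status, resp.read()


class IntrospectingValidator:
    """Decides whether a bearer token is still live by asking the IdP (RFC 7662).

    Local JWT signature/exp checks cannot see a revocation, so the gateway has to
    ask Keycloak. Verdicts are cached for a short TTL; transport failures and
    non-200 replies are denied and never cached (fail closed).
    """

    def __init__(self, url=INTROSPECT_URL, client_id=CLIENT_ID, client_secret=CLIENT_SECRET,
                 ttl=CACHE_TTL_SECONDS, poster: Poster = http_post_form, clock=time.time):
        creds = f"{client_id}:{client_secret}".encode()
        self._headers = {
            "Authorization": "Basic " + base64.b64encode(creds).decode(),
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        }
        self._url, self._ttl, self._poster, self._clock = url, ttl, poster, clock
        self._cache: Dict[str, Tuple[float, bool]] = {}  # sha256(token) -> (expires_at, active)

    @staticmethod
    def _key(token: str) -> str:
        # Cache by digest so raw bearer tokens are not retained in memory.
        return hashlib.sha256(token.encode()).hexdigest()

    def is_active(self, token: str) -> bool:
        now = self._clock()
        key = self._key(token)
        hit = self._cache.get(key)
        if hit is not None and hit[0] > now:
            return hit[1]
        try:
            status, body = self._poster(
                self._url, {"token": token, "token_type_hint": "access_token"}, self._headers)
        except Exception:
            return False  # IdP unreachable: deny, but do not cache the denial
        if status != 200:
            return False  # bad client credentials or IdP error: deny, do not cache
        # RFC 7662: only "active": true means the token is live; anything else is a deny.
        active = json.loads(body).get("active") is True
        self._cache[key] = (now + self._ttl, active)
        return active

    def forget(self, token: str) -> None:
        """Drop a cached verdict, e.g. when a logout event names the token."""
        self._cache.pop(self._key(token), None)


def demo() -> Dict[str, object]:
    """Offline walk-through against a constructed fake Keycloak: live -> cached -> logged out."""
    state = {"active": True, "calls": 0}

    def fake_keycloak(url, fields, headers):
        state["calls"] += 1
        return 200, json.dumps({"active": state["active"], "sub": "user-1"}).encode()

    clock = {"now": 1000.0}
    v = IntrospectingValidator(poster=fake_keycloak, clock=lambda: clock["now"], ttl=30)
    token = "constructed.opaque.token"
    first = v.is_active(token)    # True, first IdP call
    second = v.is_active(token)   # True, served from cache
    state["active"] = False       # user is force-logged-out in Keycloak
    stale = v.is_active(token)    # still True: the cache TTL is the revocation lag
    v.forget(token)               # a logout notification can close that window early
    after = v.is_active(token)    # False, second IdP call
    return {"first": first, "second": second, "stale": stale, "after": after, "calls": state["calls"]}
```

The `stale` step is the practical caveat: with a cache, a forced logout takes effect within one cache TTL unless the gateway is told to forget the token; without a cache, every API call costs a round trip to Keycloak. Pick the TTL as the longest post-logout access you are prepared to tolerate.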

Hi Sandeep,

Thank you for your advice.