Question
Understanding JWT Validation in Spring Boot with Keycloak
I recently encountered an issue while implementing an application using Spring Boot and Keycloak, and I'd like to share and discuss it here for clarity.
Scenario: I have a user with an admin role in Keycloak. Initially, I logged in this user using the endpoint localhost:9091/realms/test-realm/protocol/openid-connect/token. Subsequently, I attempted to access an endpoint in my controller using the JWT token obtained from the login endpoint. This endpoint requires the user to have the admin role for authorization, and everything worked as expected.
Unexpected Behavior: Here's where things got confusing. After successfully accessing the endpoint, I went to the Keycloak console and revoked the admin role for that user. However, when I sent the old JWT token (which still had the admin role embedded in it) to the same endpoint again, to my surprise, the user still had access.
Concerns: This behavior raised concerns about the security implications. Ideally, changes in user roles (like revoking a role) should immediately invalidate existing JWT tokens to prevent unauthorized access.
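The behaviour described above follows from how a JWT resource server validates a token: it checks the signature and expiry locally and then trusts the role claims embedded in the token, so nothing contacts Keycloak between issuance and expiry. The following is an added example, not code from the question, from Spring Security or from Keycloak. It uses a stdlib HS256 implementation with a constructed shared secret in place of Keycloak's RS256 keys, and an in-memory dict as a stand-in for Keycloak's user/role store; the `realm_access.roles` layout mirrors what Keycloak places in its access tokens. It replays the sequence from the question (authorize, revoke the role, replay the old token) under the stateless check, and beside it a re-check against the authoritative store of the kind that would catch the revoked role:

```python
"""Added example (not from the original question): a minimal, stateless
HS256 JWT check of the kind a resource server performs, next to an
authoritative-store re-check that notices a revoked role.

Assumptions (not from the page): a shared HMAC secret instead of Keycloak's
RSA keys, and an in-memory dict standing in for Keycloak's role store.
"""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"   # constructed; Keycloak signs with RSA keys


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, roles: list, ttl: int, now: int) -> str:
    """Mint an HS256 JWT whose realm_access.roles is a snapshot taken at issue time."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": now, "exp": now + ttl,
               "realm_access": {"roles": roles}}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: int) -> dict:
    """Stateless validation: alg, signature and exp only. Raises ValueError on failure.
    Nothing here consults the identity provider, which is why a role revoked in
    Keycloak after issuance goes unnoticed until the token expires."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p))
    if now >= payload["exp"]:
        raise ValueError("token expired")
    return payload


def authorize_from_token(token: str, now: int, required_role: str) -> bool:
    """What a JWT resource server does: trust the roles claim inside the token."""
    try:
        payload = verify_token(token, now)
    except ValueError:
        return False
    return required_role in payload.get("realm_access", {}).get("roles", [])


def authorize_with_recheck(token: str, now: int, required_role: str, user_roles: dict) -> bool:
    """Same signature/exp check, then read the role from the authoritative store
    (hypothetical stand-in for a call back to the identity provider)."""
    try:
        payload = verify_token(token, now)
    except ValueError:
        return False
    return required_role in user_roles.get(payload["sub"], set())


def revocation_scenario() -> dict:
    """Replays the question's sequence and returns each authorization decision."""
    user_roles = {"alice": {"admin"}}            # constructed stand-in for the Keycloak store
    t0 = 1_700_000_000
    token = issue_token("alice", sorted(user_roles["alice"]), ttl=300, now=t0)
    before = authorize_from_token(token, t0 + 10, "admin")
    user_roles["alice"].discard("admin")         # admin role revoked in the console
    stale = authorize_from_token(token, t0 + 20, "admin")           # still accepted
    rechecked = authorize_with_recheck(token, t0 + 20, "admin", user_roles)
    expired = authorize_from_token(token, t0 + 301, "admin")        # expiry ends it
    # The signature covers the payload, so editing the roles claim is rejected.
    h, p, s = token.split(".")
    edited = json.loads(_b64url_decode(p))
    edited["realm_access"]["roles"].append("superadmin")
    tampered = authorize_from_token(f"{h}.{_b64url(json.dumps(edited).encode())}.{s}",
                                    t0 + 20, "superadmin")
    return {"before_revoke": before, "stale_token": stale, "rechecked": rechecked,
            "after_expiry": expired, "tampered": tampered}


if __name__ == "__main__":
    print(revocation_scenario())
```

The `stale_token` result is the behaviour from the question: the token remains valid and carries the old role until `exp`. The two levers a resource server has are the access-token lifetime (keep it short so a revoked role is stale only briefly) and, where freshness matters for a specific endpoint, a re-check against the identity provider at request time, which is what `authorize_with_recheck` stands in for.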