Token Lifecycle Management
Obtaining Tokens
- User initiates token creation through CKAN interface
- CKAN validates user permissions
- Token request sent to Keycloak with specified parameters
- Keycloak generates JWT with appropriate claims
- Token metadata stored in CKAN database
- Token presented to user (displayed only once for security)
Revoking Tokens
- The user revokes an existing access token through the CKAN platform.
- CKAN adds the revoked token to a list of invalid tokens stored in the PostgreSQL database.
- CKAN sends a request to the Envoy Filter to refresh the cache of revoked tokens.
Expiration Policies
- Default token lifespan: 6 months (configurable)
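The revocation and expiration steps above, sketched as a gateway-side check. This is an added example, not code from CKAN, Keycloak or the Envoy filter. Assumptions: tokens carry `jti` and `exp` claims, the signature has already been verified, an in-memory SQLite table named `revoked_tokens` stands in for the PostgreSQL list, and 6 months is approximated as 182 days.

```python
import sqlite3

SIX_MONTHS = 182 * 24 * 3600  # default lifespan from the page, approximated (assumption)

class RevocationFilter:
    """Hypothetical stand-in for the filter's in-memory cache of revoked tokens."""

    def __init__(self, db):
        self.db = db
        self.revoked = set()
        self.refresh()

    def refresh(self, now=0):
        # Run when CKAN asks for a cache refresh. Rows for tokens already past
        # exp are skipped, since the expiry check rejects those on its own.
        rows = self.db.execute(
            "SELECT jti FROM revoked_tokens WHERE exp > ?", (now,))
        self.revoked = {r[0] for r in rows}

    def check(self, claims, now):
        # claims: payload of a JWT whose signature was verified upstream (assumption)
        if now >= claims["exp"]:
            return "expired"
        if claims["jti"] in self.revoked:
            return "revoked"
        return "ok"

def revoke(db, claims):
    # CKAN side: record the token in the list of invalid tokens.
    db.execute("INSERT OR IGNORE INTO revoked_tokens VALUES (?, ?)",
               (claims["jti"], claims["exp"]))
    db.commit()

def demo():
    db = sqlite3.connect(":memory:")  # constructed stand-in for PostgreSQL
    db.execute("CREATE TABLE revoked_tokens (jti TEXT PRIMARY KEY, exp INTEGER)")
    issued = 1_700_000_000  # constructed timestamp
    token = {"jti": "tok-1", "sub": "alice", "exp": issued + SIX_MONTHS}
    flt = RevocationFilter(db)
    results = [flt.check(token, issued + 60)]              # freshly issued
    revoke(db, token)
    results.append(flt.check(token, issued + 120))         # cache not refreshed yet
    flt.refresh(now=issued + 121)
    results.append(flt.check(token, issued + 122))         # refresh applied
    results.append(flt.check(token, issued + SIX_MONTHS))  # lifespan over
    flt.refresh(now=issued + SIX_MONTHS + 1)
    return results, len(flt.revoked)

if __name__ == "__main__":
    print(demo())
```

The second result shows why the refresh request matters: between the database write and the cache refresh, a revoked token is still accepted.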