From 716972347d012fe31ab307bd8ff295748e762886 Mon Sep 17 00:00:00 2001
From: Bill Burke <bburke@redhat.com>
Date: Mon, 3 Mar 2014 15:50:10 -0500
Subject: [PATCH] revocation

---
 .../META-INF/resources/admin/js/app.js        | 24 ++++++++++
 .../admin/js/controllers/applications.js      | 45 +++++++++++++++++++
 .../admin/js/controllers/oauth-clients.js     | 40 +++++++++++++++++
 .../resources/admin/js/controllers/realm.js   | 26 +++++------
 .../META-INF/resources/admin/js/services.js   |  8 ++++
 .../admin/partials/application-claims.html    |  1 +
 .../partials/application-credentials.html     |  1 +
 .../admin/partials/application-detail.html    |  1 +
 .../partials/application-installation.html    |  1 +
 .../partials/application-revocation.html      | 37 +++++++++++++++
 .../partials/application-role-detail.html     |  1 +
 .../admin/partials/application-role-list.html |  1 +
 .../partials/application-scope-mappings.html  |  1 +
 .../admin/partials/oauth-client-claims.html   |  1 +
 .../partials/oauth-client-credentials.html    |  1 +
 .../admin/partials/oauth-client-detail.html   |  1 +
 .../partials/oauth-client-installation.html   |  1 +
 .../partials/oauth-client-revocation.html     | 36 +++++++++++++++
 .../partials/oauth-client-scope-mappings.html |  1 +
 .../idm/ApplicationRepresentation.java        | 22 ++++++---
 .../idm/OAuthClientRepresentation.java        | 16 +++++--
 .../java/org/keycloak/models/ClientModel.java | 10 +++++
 .../org/keycloak/models/OAuthClientModel.java |  1 +
 .../keycloak/models/jpa/ClientAdapter.java    | 10 +++++
 .../models/jpa/OAuthClientAdapter.java        |  5 ++-
 .../models/jpa/entities/ClientEntity.java     |  9 ++++
 .../keycloak/adapters/ApplicationAdapter.java |  9 ++++
 .../keycloak/adapters/OAuthClientAdapter.java | 15 +++++++
 .../keycloak/entities/ApplicationEntity.java  | 10 +++++
 .../keycloak/entities/OAuthClientEntity.java  |  9 +++-
 .../services/managers/ApplicationManager.java | 22 ++++++---
 .../services/managers/OAuthClientManager.java | 15 ++++++-
 .../services/managers/RealmManager.java       | 13 +++---
 .../managers/ResourceAdminManager.java        | 21 +++++++--
 .../services/managers/TokenManager.java       | 16 ++++---
 .../resources/admin/ApplicationResource.java  |  9 ++++
 .../resources/admin/RealmAdminResource.java   |  5 +--
 37 files changed, 389 insertions(+), 56 deletions(-)
 create mode 100755 admin-ui/src/main/resources/META-INF/resources/admin/partials/application-revocation.html
 create mode 100755 admin-ui/src/main/resources/META-INF/resources/admin/partials/oauth-client-revocation.html

diff --git a/admin-ui/src/main/resources/META-INF/resources/admin/js/app.js b/admin-ui/src/main/resources/META-INF/resources/admin/js/app.js
index 17cbe664ef..e6fc2d7388 100755
--- a/admin-ui/src/main/resources/META-INF/resources/admin/js/app.js
+++ b/admin-ui/src/main/resources/META-INF/resources/admin/js/app.js
@@ -319,6 +319,18 @@ module.config([ '$routeProvider', function($routeProvider) {
             },
             controller : 'ApplicationRoleListCtrl'
         })
+        .when('/realms/:realm/applications/:application/revocation', {
+            templateUrl : 'partials/application-revocation.html',
+            resolve : {
+                realm : function(RealmLoader) {
+                    return RealmLoader();
+                },
+                application : function(ApplicationLoader) {
+                    return ApplicationLoader();
+                }
+            },
+            controller : 'ApplicationRevocationCtrl'
+        })
         .when('/realms/:realm/applications/:application/scope-mappings', {
             templateUrl : 'partials/application-scope-mappings.html',
             resolve : {
@@ -409,6 +421,18 @@ module.config([ '$routeProvider', function($routeProvider) {
             },
             controller : 'OAuthClientClaimsCtrl'
         })
+        .when('/realms/:realm/oauth-clients/:oauth/revocation', {
+            templateUrl : 'partials/oauth-client-revocation.html',
+            resolve : {
+                realm : function(RealmLoader) {
+                    return RealmLoader();
+                },
+                oauth : function(OAuthClientLoader) {
+                    return OAuthClientLoader();
+                }
+            },
+            controller : 'OAuthClientRevocationCtrl'
+        })
         .when('/realms/:realm/oauth-clients/:oauth/credentials', {
             templateUrl : 'partials/oauth-client-credentials.html',
             resolve : {
diff --git a/admin-ui/src/main/resources/META-INF/resources/admin/js/controllers/applications.js b/admin-ui/src/main/resources/META-INF/resources/admin/js/controllers/applications.js
index 5bfb651767..29d1113edb 100755
--- a/admin-ui/src/main/resources/META-INF/resources/admin/js/controllers/applications.js
+++ b/admin-ui/src/main/resources/META-INF/resources/admin/js/controllers/applications.js
@@ -384,3 +384,48 @@ module.controller('ApplicationScopeMappingCtrl', function($scope, $http, realm,
 
 
 });
+
+module.controller('ApplicationRevocationCtrl', function($scope, realm, application, Application, ApplicationPushRevocation, $location, Dialog, Notifications) {
+    $scope.application = application;
+
+    var setNotBefore = function() {
+        if ($scope.application.notBefore == 0) {
+            $scope.notBefore = "None";
+        } else {
+            $scope.notBefore = new Date($scope.application.notBefore * 1000);
+        }
+    };
+
+    setNotBefore();
+
+    var refresh = function() {
+        Application.get({ realm : realm.realm, application: $scope.application.name }, function(updated) {
+            $scope.application = updated;
+            setNotBefore();
+        })
+
+    };
+
+    $scope.clear = function() {
+        $scope.application.notBefore = 0;
+        Application.update({ realm : realm.realm, application: application.name}, $scope.application, function () {
+            $scope.notBefore = "None";
+            Notifications.success('Not Before cleared for application.');
+            refresh();
+        });
+    }
+    $scope.setNotBeforeNow = function() {
+        $scope.application.notBefore = new Date().getTime()/1000;
+        Realm.update({ realm : realm.realm, application: $scope.application.name}, $scope.application, function () {
+            Notifications.success('Not Before cleared for application.');
+            refresh();
+        });
+    }
+    $scope.pushRevocation = function() {
+        ApplicationPushRevocation.save({realm : realm.realm, application: $scope.application.name}, function () {
+            Notifications.success('Push sent for application.');
+        });
+    }
+
+});
+
diff --git a/admin-ui/src/main/resources/META-INF/resources/admin/js/controllers/oauth-clients.js b/admin-ui/src/main/resources/META-INF/resources/admin/js/controllers/oauth-clients.js
index 542d5e18c2..ae9477772f 100755
--- a/admin-ui/src/main/resources/META-INF/resources/admin/js/controllers/oauth-clients.js
+++ b/admin-ui/src/main/resources/META-INF/resources/admin/js/controllers/oauth-clients.js
@@ -287,3 +287,43 @@ module.controller('OAuthClientInstallationCtrl', function($scope, realm, install
     $scope.installation = installation;
     $scope.download = OAuthClientInstallation.url({ realm: $routeParams.realm, oauth: $routeParams.oauth });
 });
+
+module.controller('OAuthClientRevocationCtrl', function($scope, realm, oauth, OAuthClient, $location, Dialog, Notifications) {
+    $scope.oauth = oauth;
+
+    var setNotBefore = function() {
+        if ($scope.oauth.notBefore == 0) {
+            $scope.notBefore = "None";
+        } else {
+            $scope.notBefore = new Date($scope.oauth.notBefore * 1000);
+        }
+    };
+
+    setNotBefore();
+
+    var refresh = function() {
+        OAuthClient.get({ realm : realm.realm, id: $scope.oauth.id }, function(updated) {
+            $scope.oauth = updated;
+            setNotBefore();
+        })
+
+    };
+
+    $scope.clear = function() {
+        $scope.oauth.notBefore = 0;
+        OAuthClient.update({ realm : realm.realm, id: $scope.oauth.id}, $scope.oauth, function () {
+            $scope.notBefore = "None";
+            Notifications.success('Not Before cleared for application.');
+            refresh();
+        });
+    }
+    $scope.setNotBeforeNow = function() {
+        $scope.oauth.notBefore = new Date().getTime()/1000;
+        OAuthClient.update({ realm : realm.realm, id: $scope.oauth.id}, $scope.oauth, function () {
+            Notifications.success('Not Before cleared for application.');
+            refresh();
+        });
+    }
+});
+
+
diff --git a/admin-ui/src/main/resources/META-INF/resources/admin/js/controllers/realm.js b/admin-ui/src/main/resources/META-INF/resources/admin/js/controllers/realm.js
index c83ddbc245..cb0fa24800 100755
--- a/admin-ui/src/main/resources/META-INF/resources/admin/js/controllers/realm.js
+++ b/admin-ui/src/main/resources/META-INF/resources/admin/js/controllers/realm.js
@@ -691,7 +691,7 @@ module.controller('RealmKeysDetailCtrl', function($scope, Realm, realm, $http, $
 });
 
 module.controller('RealmRevocationCtrl', function($scope, Realm, RealmPushRevocation, realm, $http, $location, Dialog, Notifications) {
-    $scope.realm = realm;
+    $scope.realm = angular.copy(realm);
 
     var setNotBefore = function() {
         if ($scope.realm.notBefore == 0) {
@@ -701,29 +701,27 @@ module.controller('RealmRevocationCtrl', function($scope, Realm, RealmPushRevoca
         }
     };
 
-    if (realm.notBefore == 0) {
-        $scope.notBefore = "None";
-    } else {
-        $scope.notBefore = new Date(realm.notBefore);
-    }
+    setNotBefore();
+
+    var reset = function() {
+        Realm.get({ id : realm.realm }, function(updated) {
+            $scope.realm = updated;
+            setNotBefore();
+        })
+
+    };
 
     $scope.clear = function() {
         Realm.update({ realm: realm.realm, notBefore : 0 }, function () {
             $scope.notBefore = "None";
             Notifications.success('Not Before cleared for realm.');
-            Realm.get({ id : realm.realm }, function(updated) {
-                $scope.realm = updated;
-                setNotBefore();
-            })
+            reset();
         });
     }
     $scope.setNotBeforeNow = function() {
         Realm.update({ realm: realm.realm, notBefore : new Date().getTime()/1000}, function () {
             Notifications.success('Not Before cleared for realm.');
-            Realm.get({ id : realm.realm }, function(updated) {
-                $scope.realm = updated;
-                setNotBefore();
-            })
+            reset();
         });
     }
     $scope.pushRevocation = function() {
diff --git a/admin-ui/src/main/resources/META-INF/resources/admin/js/services.js b/admin-ui/src/main/resources/META-INF/resources/admin/js/services.js
index 0aac008a66..a7342347ea 100755
--- a/admin-ui/src/main/resources/META-INF/resources/admin/js/services.js
+++ b/admin-ui/src/main/resources/META-INF/resources/admin/js/services.js
@@ -467,6 +467,14 @@ module.factory('ApplicationClaims', function($resource) {
     });
 });
 
+module.factory('ApplicationPushRevocation', function($resource) {
+    return $resource('//auth/rest/admin/realms/:realm/applications/:application/push-revocation', {
+        realm : '@realm',
+        application : "@application"
+    });
+});
+
+
 
 module.factory('Application', function($resource) {
     return $resource('/auth/rest/admin/realms/:realm/applications/:application', {
diff --git a/admin-ui/src/main/resources/META-INF/resources/admin/partials/application-claims.html b/admin-ui/src/main/resources/META-INF/resources/admin/partials/application-claims.html
index 72ba62f22f..2b2e34bf61 100755
--- a/admin-ui/src/main/resources/META-INF/resources/admin/partials/application-claims.html
+++ b/admin-ui/src/main/resources/META-INF/resources/admin/partials/application-claims.html
@@ -7,6 +7,7 @@
         <li><a href="#/realms/{{realm.realm}}/applications/{{application.name}}/roles">Roles</a></li>
         <li class="active"><a href="#/realms/{{realm.realm}}/applications/{{application.name}}/claims">Claims</a></li>
         <li><a href="#/realms/{{realm.realm}}/applications/{{application.name}}/scope-mappings">Scope</a></li>
+        <li><a href="#/realms/{{realm.realm}}/applications/{{application.name}}/revocation">Revocation</a></li>
     </ul>
     <div id="content">
         <ol class="breadcrumb" data-ng-hide="create">
diff --git a/admin-ui/src/main/resources/META-INF/resources/admin/partials/application-credentials.html b/admin-ui/src/main/resources/META-INF/resources/admin/partials/application-credentials.html
index d7045ee8d6..e95bcc1178 100755
--- a/admin-ui/src/main/resources/META-INF/resources/admin/partials/application-credentials.html
+++ b/admin-ui/src/main/resources/META-INF/resources/admin/partials/application-credentials.html
@@ -7,6 +7,7 @@
         <li><a href="#/realms/{{realm.realm}}/applications/{{application.name}}/roles">Roles</a></li>
         <li><a href="#/realms/{{realm.realm}}/applications/{{application.name}}/claims">Claims</a></li>
         <li><a href="#/realms/{{realm.realm}}/applications/{{application.name}}/scope-mappings">Scope</a></li>
+        <li><a href="#/realms/{{realm.realm}}/applications/{{application.name}}/revocation">Revocation</a></li>
     </ul>
     <div id="content">
         <ol class="breadcrumb" data-ng-hide="create">
diff --git a/admin-ui/src/main/resources/META-INF/resources/admin/partials/application-detail.html b/admin-ui/src/main/resources/META-INF/resources/admin/partials/application-detail.html
index 84e188cf16..d8b1dc4433 100755
--- a/admin-ui/src/main/resources/META-INF/resources/admin/partials/application-detail.html
+++ b/admin-ui/src/main/resources/META-INF/resources/admin/partials/application-detail.html
@@ -7,6 +7,7 @@
         <li><a href="#/realms/{{realm.realm}}/applications/{{application.name}}/roles">Roles</a></li>
         <li><a href="#/realms/{{realm.realm}}/applications/{{application.name}}/claims">Claims</a></li>
         <li><a href="#/realms/{{realm.realm}}/applications/{{application.name}}/scope-mappings">Scope</a></li>
+        <li><a href="#/realms/{{realm.realm}}/applications/{{application.name}}/revocation">Revocation</a></li>
     </ul>
     <div id="content">
         <ol class="breadcrumb" data-ng-show="create">
diff --git a/admin-ui/src/main/resources/META-INF/resources/admin/partials/application-installation.html b/admin-ui/src/main/resources/META-INF/resources/admin/partials/application-installation.html
index e446a1cd37..2caaa81b48 100755
--- a/admin-ui/src/main/resources/META-INF/resources/admin/partials/application-installation.html
+++ b/admin-ui/src/main/resources/META-INF/resources/admin/partials/application-installation.html
@@ -8,6 +8,7 @@
         <li><a href="#/realms/{{realm.realm}}/applications/{{application.name}}/roles">Roles</a></li>
         <li><a href="#/realms/{{realm.realm}}/applications/{{application.name}}/claims">Claims</a></li>
         <li><a href="#/realms/{{realm.realm}}/applications/{{application.name}}/scope-mappings">Scope</a></li>
+        <li><a href="#/realms/{{realm.realm}}/applications/{{application.name}}/revocation">Revocation</a></li>
     </ul>
 
     <div class="top-nav" data-ng-show="create">
diff --git a/admin-ui/src/main/resources/META-INF/resources/admin/partials/application-revocation.html b/admin-ui/src/main/resources/META-INF/resources/admin/partials/application-revocation.html
new file mode 100755
index 0000000000..8295782ac1
--- /dev/null
+++ b/admin-ui/src/main/resources/META-INF/resources/admin/partials/application-revocation.html
@@ -0,0 +1,37 @@
+<div class="bs-sidebar col-md-3 clearfix" data-ng-include data-src="'partials/realm-menu.html'"></div>
+<div id="content-area" class="col-md-9" role="main">
+    <ul class="nav nav-tabs nav-tabs-pf"  data-ng-show="!create">
+        <li><a href="#/realms/{{realm.realm}}/applications/{{application.name}}">Settings</a></li>
+        <li><a href="#/realms/{{realm.realm}}/applications/{{application.name}}/credentials">Credentials</a></li>
+        <li><a href="#/realms/{{realm.realm}}/applications/{{application.name}}/installation">Installation</a></li>
+        <li><a href="#/realms/{{realm.realm}}/applications/{{application.name}}/roles">Roles</a></li>
+        <li><a href="#/realms/{{realm.realm}}/applications/{{application.name}}/claims">Claims</a></li>
+        <li><a href="#/realms/{{realm.realm}}/applications/{{application.name}}/scope-mappings">Scope</a></li>
+        <li class="active"><a href="#/realms/{{realm.realm}}/applications/{{application.name}}/revocation">Revocation</a></li>
+    </ul>
+    <div id="content">
+        <ol class="breadcrumb">
+            <li><a href="#/realms/{{realm.realm}}/applications/{{application.name}}/">{{realm.realm}}</a></li>
+            <li class="active">Revocation</li>
+        </ol>
+        <h2 data-ng-hide="create"><span>{{application.name}}</span> Revocation Policies</h2>
+        <form class="form-horizontal" name="credentialForm" novalidate kc-read-only="!access.manageRealm">
+            <fieldset class="border-top">
+                <div class="form-group">
+                    <label class="col-sm-2 control-label" for="notBefore">Not Before</label>
+                    <div class="col-sm-4">
+                        <input ng-disabled="true" class="form-control" type="text" id="notBefore" name="notBefore" data-ng-model="notBefore" autofocus>
+                    </div>
+                </div>
+            </fieldset>
+            <div class="pull-right form-actions" data-ng-show="access.manageApplications">
+                <button type="submit" data-ng-click="clear()" class="btn btn-default btn-lg">Clear
+                </button>
+                <button type="submit" data-ng-click="setNotBeforeNow()" class="btn btn-primary btn-lg">Set To Now
+                </button>
+                <button type="submit" data-ng-click="pushRevocation()" class="btn btn-primary btn-lg">Push
+                </button>
+            </div>
+        </form>
+    </div>
+</div>
diff --git a/admin-ui/src/main/resources/META-INF/resources/admin/partials/application-role-detail.html b/admin-ui/src/main/resources/META-INF/resources/admin/partials/application-role-detail.html
index 2e0f892a78..a7bae45fe2 100755
--- a/admin-ui/src/main/resources/META-INF/resources/admin/partials/application-role-detail.html
+++ b/admin-ui/src/main/resources/META-INF/resources/admin/partials/application-role-detail.html
@@ -7,6 +7,7 @@
         <li class="active"><a href="#/realms/{{realm.realm}}/applications/{{application.name}}/roles">Roles</a></li>
         <li><a href="#/realms/{{realm.realm}}/applications/{{application.name}}/claims">Claims</a></li>
         <li><a href="#/realms/{{realm.realm}}/applications/{{application.name}}/scope-mappings">Scope</a></li>
+        <li><a href="#/realms/{{realm.realm}}/applications/{{application.name}}/revocation">Revocation</a></li>
     </ul>
 
     <div id="content">
diff --git a/admin-ui/src/main/resources/META-INF/resources/admin/partials/application-role-list.html b/admin-ui/src/main/resources/META-INF/resources/admin/partials/application-role-list.html
index 0bc76e786f..49329fef98 100755
--- a/admin-ui/src/main/resources/META-INF/resources/admin/partials/application-role-list.html
+++ b/admin-ui/src/main/resources/META-INF/resources/admin/partials/application-role-list.html
@@ -8,6 +8,7 @@
         <li class="active"><a href="#/realms/{{realm.realm}}/applications/{{application.name}}/roles">Roles</a></li>
         <li><a href="#/realms/{{realm.realm}}/applications/{{application.name}}/claims">Claims</a></li>
         <li><a href="#/realms/{{realm.realm}}/applications/{{application.name}}/scope-mappings">Scope</a></li>
+        <li><a href="#/realms/{{realm.realm}}/applications/{{application.name}}/revocation">Revocation</a></li>
     </ul>
 
     <div id="content">
diff --git a/admin-ui/src/main/resources/META-INF/resources/admin/partials/application-scope-mappings.html b/admin-ui/src/main/resources/META-INF/resources/admin/partials/application-scope-mappings.html
index 64a755bf83..5be878c152 100755
--- a/admin-ui/src/main/resources/META-INF/resources/admin/partials/application-scope-mappings.html
+++ b/admin-ui/src/main/resources/META-INF/resources/admin/partials/application-scope-mappings.html
@@ -8,6 +8,7 @@
         <li><a href="#/realms/{{realm.realm}}/applications/{{application.name}}/roles">Roles</a></li>
         <li><a href="#/realms/{{realm.realm}}/applications/{{application.name}}/claims">Claims</a></li>
         <li class="active"><a href="#/realms/{{realm.realm}}/applications/{{application.name}}/scope-mappings">Scope</a></li>
+        <li><a href="#/realms/{{realm.realm}}/applications/{{application.name}}/revocation">Revocation</a></li>
     </ul>
 
     <div id="content">
diff --git a/admin-ui/src/main/resources/META-INF/resources/admin/partials/oauth-client-claims.html b/admin-ui/src/main/resources/META-INF/resources/admin/partials/oauth-client-claims.html
index 05bca000dc..57d1d7da10 100755
--- a/admin-ui/src/main/resources/META-INF/resources/admin/partials/oauth-client-claims.html
+++ b/admin-ui/src/main/resources/META-INF/resources/admin/partials/oauth-client-claims.html
@@ -6,6 +6,7 @@
         <li class="active"><a href="#/realms/{{realm.realm}}/oauth-clients/{{oauth.id}}/claims">Claims</a></li>
         <li><a href="#/realms/{{realm.realm}}/oauth-clients/{{oauth.id}}/scope-mappings">Scope</a></li>
         <li><a href="#/realms/{{realm.realm}}/oauth-clients/{{oauth.id}}/installation">Installation</a></li>
+        <li><a href="#/realms/{{realm.realm}}/oauth-clients/{{oauth.id}}/revocation">Revocation</a></li>
     </ul>
     <div id="content">
         <h2 data-ng-hide="create"><span>{{oauth.name}}</span> Allowed Claims</h2>
diff --git a/admin-ui/src/main/resources/META-INF/resources/admin/partials/oauth-client-credentials.html b/admin-ui/src/main/resources/META-INF/resources/admin/partials/oauth-client-credentials.html
index 08ceee81ef..6c53c42dd2 100755
--- a/admin-ui/src/main/resources/META-INF/resources/admin/partials/oauth-client-credentials.html
+++ b/admin-ui/src/main/resources/META-INF/resources/admin/partials/oauth-client-credentials.html
@@ -6,6 +6,7 @@
         <li><a href="#/realms/{{realm.realm}}/oauth-clients/{{oauth.id}}/claims">Claims</a></li>
         <li><a href="#/realms/{{realm.realm}}/oauth-clients/{{oauth.id}}/scope-mappings">Scope</a></li>
         <li><a href="#/realms/{{realm.realm}}/oauth-clients/{{oauth.id}}/installation">Installation</a></li>
+        <li><a href="#/realms/{{realm.realm}}/oauth-clients/{{oauth.id}}/revocation">Revocation</a></li>
     </ul>
 
     <div id="content">
diff --git a/admin-ui/src/main/resources/META-INF/resources/admin/partials/oauth-client-detail.html b/admin-ui/src/main/resources/META-INF/resources/admin/partials/oauth-client-detail.html
index 693041ffb5..5be853edde 100755
--- a/admin-ui/src/main/resources/META-INF/resources/admin/partials/oauth-client-detail.html
+++ b/admin-ui/src/main/resources/META-INF/resources/admin/partials/oauth-client-detail.html
@@ -6,6 +6,7 @@
         <li><a href="#/realms/{{realm.realm}}/oauth-clients/{{oauth.id}}/claims">Claims</a></li>
         <li><a href="#/realms/{{realm.realm}}/oauth-clients/{{oauth.id}}/scope-mappings">Scope</a></li>
         <li><a href="#/realms/{{realm.realm}}/oauth-clients/{{oauth.id}}/installation">Installation</a></li>
+        <li><a href="#/realms/{{realm.realm}}/oauth-clients/{{oauth.id}}/revocation">Revocation</a></li>
     </ul>
     <div id="content">
         <ol class="breadcrumb" data-ng-show="create">
diff --git a/admin-ui/src/main/resources/META-INF/resources/admin/partials/oauth-client-installation.html b/admin-ui/src/main/resources/META-INF/resources/admin/partials/oauth-client-installation.html
index 14a4c503a2..28a4fa1bec 100755
--- a/admin-ui/src/main/resources/META-INF/resources/admin/partials/oauth-client-installation.html
+++ b/admin-ui/src/main/resources/META-INF/resources/admin/partials/oauth-client-installation.html
@@ -6,6 +6,7 @@
         <li><a href="#/realms/{{realm.realm}}/oauth-clients/{{oauth.id}}/claims">Claims</a></li>
         <li><a href="#/realms/{{realm.realm}}/oauth-clients/{{oauth.id}}/scope-mappings">Scope</a></li>
         <li class="active"><a href="#/realms/{{realm.realm}}/oauth-clients/{{oauth.id}}/installation">Installation</a></li>
+        <li><a href="#/realms/{{realm.realm}}/oauth-clients/{{oauth.id}}/revocation">Revocation</a></li>
     </ul>
     <div id="content">
         <h2>OAuth Client Installation</h2>
diff --git a/admin-ui/src/main/resources/META-INF/resources/admin/partials/oauth-client-revocation.html b/admin-ui/src/main/resources/META-INF/resources/admin/partials/oauth-client-revocation.html
new file mode 100755
index 0000000000..26f38817c7
--- /dev/null
+++ b/admin-ui/src/main/resources/META-INF/resources/admin/partials/oauth-client-revocation.html
@@ -0,0 +1,36 @@
+<div class="bs-sidebar col-md-3 clearfix" data-ng-include data-src="'partials/realm-menu.html'"></div>
+<div id="content-area" class="col-md-9" role="main">
+    <ul class="nav nav-tabs nav-tabs-pf"  data-ng-show="!create">
+        <li><a href="#/realms/{{realm.realm}}/oauth-clients/{{oauth.id}}">Settings</a></li>
+        <li><a href="#/realms/{{realm.realm}}/oauth-clients/{{oauth.id}}/credentials">Credentials</a></li>
+        <li><a href="#/realms/{{realm.realm}}/oauth-clients/{{oauth.id}}/claims">Claims</a></li>
+        <li><a href="#/realms/{{realm.realm}}/oauth-clients/{{oauth.id}}/scope-mappings">Scope</a></li>
+        <li><a href="#/realms/{{realm.realm}}/oauth-clients/{{oauth.id}}/installation">Installation</a></li>
+        <li class="active"><a href="#/realms/{{realm.realm}}/oauth-clients/{{oauth.id}}/revocation">Revocation</a></li>
+    </ul>
+    <div id="content">
+        <ol class="breadcrumb">
+            <li><a href="#/realms/{{realm.realm}}/oauth-clients/{{oauth.id}}">{{oauth.name}}</a></li>
+            <li class="active">Revocation</li>
+        </ol>
+        <h2 data-ng-hide="create"><span>{{oauth.name}}</span> Revocation Policies</h2>
+        <form class="form-horizontal" name="credentialForm" novalidate kc-read-only="!access.manageRealm">
+            <fieldset class="border-top">
+                <div class="form-group">
+                    <label class="col-sm-2 control-label" for="notBefore">Not Before</label>
+                    <div class="col-sm-4">
+                        <input ng-disabled="true" class="form-control" type="text" id="notBefore" name="notBefore" data-ng-model="notBefore" autofocus>
+                    </div>
+                </div>
+            </fieldset>
+            <div class="pull-right form-actions" data-ng-show="access.manageApplications">
+                <button type="submit" data-ng-click="clear()" class="btn btn-default btn-lg">Clear
+                </button>
+                <button type="submit" data-ng-click="setNotBeforeNow()" class="btn btn-primary btn-lg">Set To Now
+                </button>
+                <button type="submit" data-ng-click="pushRevocation()" class="btn btn-primary btn-lg">Push
+                </button>
+            </div>
+        </form>
+    </div>
+</div>
diff --git a/admin-ui/src/main/resources/META-INF/resources/admin/partials/oauth-client-scope-mappings.html b/admin-ui/src/main/resources/META-INF/resources/admin/partials/oauth-client-scope-mappings.html
index 72c4799b32..6c247b29d2 100755
--- a/admin-ui/src/main/resources/META-INF/resources/admin/partials/oauth-client-scope-mappings.html
+++ b/admin-ui/src/main/resources/META-INF/resources/admin/partials/oauth-client-scope-mappings.html
@@ -7,6 +7,7 @@
         <li><a href="#/realms/{{realm.realm}}/oauth-clients/{{oauth.id}}/claims">Claims</a></li>
         <li class="active"><a href="#/realms/{{realm.realm}}/oauth-clients/{{oauth.id}}/scope-mappings">Scope</a></li>
         <li><a href="#/realms/{{realm.realm}}/oauth-clients/{{oauth.id}}/installation">Installation</a></li>
+        <li><a href="#/realms/{{realm.realm}}/oauth-clients/{{oauth.id}}/revocation">Revocation</a></li>
     </ul>
 
     <div id="content">
diff --git a/core/src/main/java/org/keycloak/representations/idm/ApplicationRepresentation.java b/core/src/main/java/org/keycloak/representations/idm/ApplicationRepresentation.java
index 695afefc9d..d065aa4a29 100755
--- a/core/src/main/java/org/keycloak/representations/idm/ApplicationRepresentation.java
+++ b/core/src/main/java/org/keycloak/representations/idm/ApplicationRepresentation.java
@@ -12,13 +12,15 @@ public class ApplicationRepresentation {
     protected String name;
     protected String adminUrl;
     protected String baseUrl;
-    protected boolean surrogateAuthRequired;
-    protected boolean enabled;
+    protected Boolean surrogateAuthRequired;
+    protected Boolean enabled;
     protected String secret;
     protected String[] defaultRoles;
     protected List<String> redirectUris;
     protected List<String> webOrigins;
     protected ClaimRepresentation claims;
+    protected Integer notBefore;
+
 
     public String getId() {
         return id;
@@ -36,19 +38,19 @@ public class ApplicationRepresentation {
         this.name = name;
     }
 
-    public boolean isEnabled() {
+    public Boolean isEnabled() {
         return enabled;
     }
 
-    public void setEnabled(boolean enabled) {
+    public void setEnabled(Boolean enabled) {
         this.enabled = enabled;
     }
 
-    public boolean isSurrogateAuthRequired() {
+    public Boolean isSurrogateAuthRequired() {
         return surrogateAuthRequired;
     }
 
-    public void setSurrogateAuthRequired(boolean surrogateAuthRequired) {
+    public void setSurrogateAuthRequired(Boolean surrogateAuthRequired) {
         this.surrogateAuthRequired = surrogateAuthRequired;
     }
 
@@ -107,4 +109,12 @@ public class ApplicationRepresentation {
     public void setClaims(ClaimRepresentation claims) {
         this.claims = claims;
     }
+
+    public Integer getNotBefore() {
+        return notBefore;
+    }
+
+    public void setNotBefore(Integer notBefore) {
+        this.notBefore = notBefore;
+    }
 }
diff --git a/core/src/main/java/org/keycloak/representations/idm/OAuthClientRepresentation.java b/core/src/main/java/org/keycloak/representations/idm/OAuthClientRepresentation.java
index cbe3fb8732..5c9f035a7b 100755
--- a/core/src/main/java/org/keycloak/representations/idm/OAuthClientRepresentation.java
+++ b/core/src/main/java/org/keycloak/representations/idm/OAuthClientRepresentation.java
@@ -12,9 +12,11 @@ public class OAuthClientRepresentation {
     protected String baseUrl;
     protected List<String> redirectUris;
     protected List<String> webOrigins;
-    protected boolean enabled;
+    protected Boolean enabled;
     protected String secret;
     protected ClaimRepresentation claims;
+    protected Integer notBefore;
+
 
     public String getId() {
         return id;
@@ -32,11 +34,11 @@ public class OAuthClientRepresentation {
         this.name = name;
     }
 
-    public boolean isEnabled() {
+    public Boolean isEnabled() {
         return enabled;
     }
 
-    public void setEnabled(boolean enabled) {
+    public void setEnabled(Boolean enabled) {
         this.enabled = enabled;
     }
 
@@ -79,4 +81,12 @@ public class OAuthClientRepresentation {
     public void setClaims(ClaimRepresentation claims) {
         this.claims = claims;
     }
+
+    public Integer getNotBefore() {
+        return notBefore;
+    }
+
+    public void setNotBefore(Integer notBefore) {
+        this.notBefore = notBefore;
+    }
 }
diff --git a/model/api/src/main/java/org/keycloak/models/ClientModel.java b/model/api/src/main/java/org/keycloak/models/ClientModel.java
index 46a71031dd..d9159d35de 100755
--- a/model/api/src/main/java/org/keycloak/models/ClientModel.java
+++ b/model/api/src/main/java/org/keycloak/models/ClientModel.java
@@ -51,4 +51,14 @@ public interface ClientModel {
     public void setSecret(String secret);
 
     RealmModel getRealm();
+
+    /**
+     * Time in seconds since epoc
+     *
+     * @return
+     */
+    int getNotBefore();
+
+    void setNotBefore(int notBefore);
+
 }
diff --git a/model/api/src/main/java/org/keycloak/models/OAuthClientModel.java b/model/api/src/main/java/org/keycloak/models/OAuthClientModel.java
index e5e828416c..9f12728379 100755
--- a/model/api/src/main/java/org/keycloak/models/OAuthClientModel.java
+++ b/model/api/src/main/java/org/keycloak/models/OAuthClientModel.java
@@ -5,5 +5,6 @@ package org.keycloak.models;
  * @version $Revision: 1 $
  */
 public interface OAuthClientModel extends ClientModel {
+    void setClientId(String id);
 
 }
diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/ClientAdapter.java b/model/jpa/src/main/java/org/keycloak/models/jpa/ClientAdapter.java
index 7dcd3d9232..ed8a6b5d29 100755
--- a/model/jpa/src/main/java/org/keycloak/models/jpa/ClientAdapter.java
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/ClientAdapter.java
@@ -119,6 +119,16 @@ public class ClientAdapter implements ClientModel {
         return secret.equals(entity.getSecret());
     }
 
+    @Override
+    public int getNotBefore() {
+        return entity.getNotBefore();
+    }
+
+    @Override
+    public void setNotBefore(int notBefore) {
+        entity.setNotBefore(notBefore);
+    }
+
     @Override
     public boolean equals(Object o) {
         if (this == o) return true;
diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/OAuthClientAdapter.java b/model/jpa/src/main/java/org/keycloak/models/jpa/OAuthClientAdapter.java
index 29d643d084..1ae4a3dd31 100755
--- a/model/jpa/src/main/java/org/keycloak/models/jpa/OAuthClientAdapter.java
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/OAuthClientAdapter.java
@@ -18,5 +18,8 @@ public class OAuthClientAdapter extends ClientAdapter implements OAuthClientMode
         super(realm, entity);
     }
 
-
+    @Override
+    public void setClientId(String id) {
+        entity.setName(id);
+    }
 }
diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/entities/ClientEntity.java b/model/jpa/src/main/java/org/keycloak/models/jpa/entities/ClientEntity.java
index 8d56d90e24..c9f27b6957 100755
--- a/model/jpa/src/main/java/org/keycloak/models/jpa/entities/ClientEntity.java
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/entities/ClientEntity.java
@@ -31,6 +31,7 @@ public class ClientEntity {
     private boolean enabled;
     private String secret;
     private long allowedClaimsMask;
+    private int notBefore;
 
 
     @ElementCollection
@@ -92,4 +93,12 @@ public class ClientEntity {
     public void setSecret(String secret) {
         this.secret = secret;
     }
+
+    public int getNotBefore() {
+        return notBefore;
+    }
+
+    public void setNotBefore(int notBefore) {
+        this.notBefore = notBefore;
+    }
 }
diff --git a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/ApplicationAdapter.java b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/ApplicationAdapter.java
index 07c535f124..d023b2a279 100755
--- a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/ApplicationAdapter.java
+++ b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/ApplicationAdapter.java
@@ -113,6 +113,15 @@ public class ApplicationAdapter extends AbstractAdapter implements ApplicationMo
         application.setAllowedClaimsMask(mask);
     }
 
+    @Override
+    public int getNotBefore() {
+        return application.getNotBefore();
+    }
+
+    @Override
+    public void setNotBefore(int notBefore) {
+        application.setNotBefore(notBefore);
+    }
 
     @Override
     public RoleAdapter getRole(String name) {
diff --git a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/OAuthClientAdapter.java b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/OAuthClientAdapter.java
index 32a877d141..b1bc63e002 100755
--- a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/OAuthClientAdapter.java
+++ b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/OAuthClientAdapter.java
@@ -37,6 +37,11 @@ public class OAuthClientAdapter extends AbstractAdapter implements OAuthClientMo
         return delegate.getName();
     }
 
+    @Override
+    public void setClientId(String id) {
+        delegate.setName(id);
+    }
+
     @Override
     public RealmModel getRealm() {
         return realm;
@@ -67,6 +72,16 @@ public class OAuthClientAdapter extends AbstractAdapter implements OAuthClientMo
         return delegate;
     }
 
+    @Override
+    public int getNotBefore() {
+        return delegate.getNotBefore();
+    }
+
+    @Override
+    public void setNotBefore(int notBefore) {
+        delegate.setNotBefore(notBefore);
+    }
+
     @Override
     public Set<String> getWebOrigins() {
         Set<String> result = new HashSet<String>();
diff --git a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/entities/ApplicationEntity.java b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/entities/ApplicationEntity.java
index 60f166745c..75c921a5b2 100755
--- a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/entities/ApplicationEntity.java
+++ b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/entities/ApplicationEntity.java
@@ -23,6 +23,7 @@ public class ApplicationEntity extends AbstractMongoIdentifiableEntity implement
     private String managementUrl;
     private String baseUrl;
     private String secret;
+    private int notBefore;
 
     private String realmId;
     private long allowedClaimsMask;
@@ -146,6 +147,15 @@ public class ApplicationEntity extends AbstractMongoIdentifiableEntity implement
         this.defaultRoles = defaultRoles;
     }
 
+    @MongoField
+    public int getNotBefore() {
+        return notBefore;
+    }
+
+    public void setNotBefore(int notBefore) {
+        this.notBefore = notBefore;
+    }
+
     @Override
     public void afterRemove(MongoStoreInvocationContext context) {
         // Remove all roles, which belongs to this application
diff --git a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/entities/OAuthClientEntity.java b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/entities/OAuthClientEntity.java
index 9ef85a324c..41295efe6d 100755
--- a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/entities/OAuthClientEntity.java
+++ b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/entities/OAuthClientEntity.java
@@ -19,6 +19,7 @@ public class OAuthClientEntity extends AbstractMongoIdentifiableEntity implement
     private String realmId;
     private String secret;
     private long allowedClaimsMask;
+    private int notBefore;
     private List<String> scopeIds;
     private List<String> webOrigins;
     private List<String> redirectUris;
@@ -96,8 +97,14 @@ public class OAuthClientEntity extends AbstractMongoIdentifiableEntity implement
         this.scopeIds = scopeIds;
     }
 
+    @MongoField
+    public int getNotBefore() {
+        return notBefore;
+    }
 
-
+    public void setNotBefore(int notBefore) {
+        this.notBefore = notBefore;
+    }
 
     @Override
     public void afterRemove(MongoStoreInvocationContext context) {
diff --git a/services/src/main/java/org/keycloak/services/managers/ApplicationManager.java b/services/src/main/java/org/keycloak/services/managers/ApplicationManager.java
index c4a7f4ff09..e957492bd6 100755
--- a/services/src/main/java/org/keycloak/services/managers/ApplicationManager.java
+++ b/services/src/main/java/org/keycloak/services/managers/ApplicationManager.java
@@ -52,12 +52,16 @@ public class ApplicationManager {
     public ApplicationModel createApplication(RealmModel realm, ApplicationRepresentation resourceRep) {
         logger.debug("************ CREATE APPLICATION: {0}" + resourceRep.getName());
         ApplicationModel applicationModel = realm.addApplication(resourceRep.getName());
-        applicationModel.setEnabled(resourceRep.isEnabled());
+        if (resourceRep.isEnabled() != null) applicationModel.setEnabled(resourceRep.isEnabled());
         applicationModel.setManagementUrl(resourceRep.getAdminUrl());
-        applicationModel.setSurrogateAuthRequired(resourceRep.isSurrogateAuthRequired());
+        if (resourceRep.isSurrogateAuthRequired() != null) applicationModel.setSurrogateAuthRequired(resourceRep.isSurrogateAuthRequired());
         applicationModel.setBaseUrl(resourceRep.getBaseUrl());
         applicationModel.updateApplication();
 
+        if (resourceRep.getNotBefore() != null) {
+            applicationModel.setNotBefore(resourceRep.getNotBefore());
+        }
+
         applicationModel.setSecret(resourceRep.getSecret());
         if (applicationModel.getSecret() == null) {
             generateSecret(applicationModel);
@@ -132,13 +136,16 @@ public class ApplicationManager {
     }
 
     public void updateApplication(ApplicationRepresentation rep, ApplicationModel resource) {
-        resource.setName(rep.getName());
-        resource.setEnabled(rep.isEnabled());
-        resource.setManagementUrl(rep.getAdminUrl());
-        resource.setBaseUrl(rep.getBaseUrl());
-        resource.setSurrogateAuthRequired(rep.isSurrogateAuthRequired());
+        if (rep.getName() != null) resource.setName(rep.getName());
+        if (rep.isEnabled() != null) resource.setEnabled(rep.isEnabled());
+        if (rep.getAdminUrl() != null) resource.setManagementUrl(rep.getAdminUrl());
+        if (rep.getBaseUrl() != null) resource.setBaseUrl(rep.getBaseUrl());
+        if (rep.isSurrogateAuthRequired() != null) resource.setSurrogateAuthRequired(rep.isSurrogateAuthRequired());
         resource.updateApplication();
 
+        if (rep.getNotBefore() != null) {
+            resource.setNotBefore(rep.getNotBefore());
+        }
         if (rep.getDefaultRoles() != null) {
             resource.updateDefaultRoles(rep.getDefaultRoles());
         }
@@ -166,6 +173,7 @@ public class ApplicationManager {
         rep.setAdminUrl(applicationModel.getManagementUrl());
         rep.setSurrogateAuthRequired(applicationModel.isSurrogateAuthRequired());
         rep.setBaseUrl(applicationModel.getBaseUrl());
+        rep.setNotBefore(applicationModel.getNotBefore());
 
         Set<String> redirectUris = applicationModel.getRedirectUris();
         if (redirectUris != null) {
diff --git a/services/src/main/java/org/keycloak/services/managers/OAuthClientManager.java b/services/src/main/java/org/keycloak/services/managers/OAuthClientManager.java
index 7ed6f05f7c..92b03fc8a1 100755
--- a/services/src/main/java/org/keycloak/services/managers/OAuthClientManager.java
+++ b/services/src/main/java/org/keycloak/services/managers/OAuthClientManager.java
@@ -52,11 +52,16 @@ public class OAuthClientManager {
         if (rep.getClaims() != null) {
             ClaimManager.setClaims(model, rep.getClaims());
         }
+        if (rep.getNotBefore() != null) {
+            model.setNotBefore(rep.getNotBefore());
+        }
         return model;
     }
 
-    public void update(OAuthClientRepresentation rep, OAuthClientModel model) {
-        model.setEnabled(rep.isEnabled());
+    public void update(OAuthClientRepresentation rep, OAuthClientModel model)
+    {
+        if (rep.getName() != null) model.setClientId(rep.getName());
+        if (rep.isEnabled() != null) model.setEnabled(rep.isEnabled());
         List<String> redirectUris = rep.getRedirectUris();
         if (redirectUris != null) {
             model.setRedirectUris(new HashSet<String>(redirectUris));
@@ -70,6 +75,11 @@ public class OAuthClientManager {
         if (rep.getClaims() != null) {
             ClaimManager.setClaims(model, rep.getClaims());
         }
+
+        if (rep.getNotBefore() != null) {
+            model.setNotBefore(rep.getNotBefore());
+        }
+
     }
 
     public static OAuthClientRepresentation toRepresentation(OAuthClientModel model) {
@@ -86,6 +96,7 @@ public class OAuthClientManager {
         if (webOrigins != null) {
             rep.setWebOrigins(new LinkedList<String>(webOrigins));
         }
+        rep.setNotBefore(model.getNotBefore());
         return rep;
     }
 
diff --git a/services/src/main/java/org/keycloak/services/managers/RealmManager.java b/services/src/main/java/org/keycloak/services/managers/RealmManager.java
index cb36d25b22..53e3c0bebc 100755
--- a/services/src/main/java/org/keycloak/services/managers/RealmManager.java
+++ b/services/src/main/java/org/keycloak/services/managers/RealmManager.java
@@ -106,7 +106,6 @@ public class RealmManager {
 
     public void updateRealm(RealmRepresentation rep, RealmModel realm) {
         if (rep.getRealm() != null) {
-            logger.info("Updating realm name to " + rep.getRealm());
             realm.setName(rep.getRealm());
         }
         if (rep.isEnabled() != null) realm.setEnabled(rep.isEnabled());
@@ -128,10 +127,10 @@ public class RealmManager {
         if (rep.getRequiredCredentials() != null) {
             realm.updateRequiredCredentials(rep.getRequiredCredentials());
         }
-        realm.setLoginTheme(rep.getLoginTheme());
-        realm.setAccountTheme(rep.getAccountTheme());
+        if (rep.getLoginTheme() != null) realm.setLoginTheme(rep.getLoginTheme());
+        if (rep.getAccountTheme() != null) realm.setAccountTheme(rep.getAccountTheme());
 
-        realm.setPasswordPolicy(new PasswordPolicy(rep.getPasswordPolicy()));
+        if (rep.getPasswordPolicy() != null) realm.setPasswordPolicy(new PasswordPolicy(rep.getPasswordPolicy()));
 
         if (rep.getDefaultRoles() != null) {
             realm.updateDefaultRoles(rep.getDefaultRoles().toArray(new String[rep.getDefaultRoles().size()]));
@@ -232,8 +231,8 @@ public class RealmManager {
             newRealm.setPrivateKeyPem(rep.getPrivateKey());
             newRealm.setPublicKeyPem(rep.getPublicKey());
         }
-        newRealm.setLoginTheme(rep.getLoginTheme());
-        newRealm.setAccountTheme(rep.getAccountTheme());
+        if (rep.getLoginTheme() != null) newRealm.setLoginTheme(rep.getLoginTheme());
+        if (rep.getAccountTheme() != null) newRealm.setAccountTheme(rep.getAccountTheme());
 
         Map<String, UserModel> userMap = new HashMap<String, UserModel>();
 
@@ -245,7 +244,7 @@ public class RealmManager {
             addRequiredCredential(newRealm, CredentialRepresentation.PASSWORD);
         }
 
-        newRealm.setPasswordPolicy(new PasswordPolicy(rep.getPasswordPolicy()));
+        if (rep.getPasswordPolicy() != null) newRealm.setPasswordPolicy(new PasswordPolicy(rep.getPasswordPolicy()));
 
         if (rep.getUsers() != null) {
             for (UserRepresentation userRep : rep.getUsers()) {
diff --git a/services/src/main/java/org/keycloak/services/managers/ResourceAdminManager.java b/services/src/main/java/org/keycloak/services/managers/ResourceAdminManager.java
index 919cd7b861..f800381b0e 100755
--- a/services/src/main/java/org/keycloak/services/managers/ResourceAdminManager.java
+++ b/services/src/main/java/org/keycloak/services/managers/ResourceAdminManager.java
@@ -54,25 +54,38 @@ public class ResourceAdminManager {
         }
     }
 
-    public void pushRevocationPolicies(RealmModel realm) {
+    public void pushRealmRevocationPolicy(RealmModel realm) {
         ResteasyClient client = new ResteasyClientBuilder()
                 .disableTrustManager() // todo fix this, should have a trust manager or a good default
                 .build();
 
         try {
             for (ApplicationModel application : realm.getApplications()) {
-                pushRevocationPolicies(realm, application, client);
+                pushRevocationPolicy(realm, application, realm.getNotBefore(), client);
             }
         } finally {
             client.close();
         }
     }
 
-    public boolean pushRevocationPolicies(RealmModel realm, ApplicationModel resource, ResteasyClient client) {
+    public void pushApplicationRevocationPolicy(RealmModel realm, ApplicationModel application) {
+        ResteasyClient client = new ResteasyClientBuilder()
+                .disableTrustManager() // todo fix this, should have a trust manager or a good default
+                .build();
+
+        try {
+            pushRevocationPolicy(realm, application, application.getNotBefore(), client);
+        } finally {
+            client.close();
+        }
+    }
+
+
+    protected boolean pushRevocationPolicy(RealmModel realm, ApplicationModel resource, int notBefore, ResteasyClient client) {
         if (realm.getNotBefore() <= 0) return false;
         String managementUrl = resource.getManagementUrl();
         if (managementUrl != null) {
-            PushNotBeforeAction adminAction = new PushNotBeforeAction(TokenIdGenerator.generateId(), (int)(System.currentTimeMillis() / 1000) + 30, resource.getName(), realm.getNotBefore());
+            PushNotBeforeAction adminAction = new PushNotBeforeAction(TokenIdGenerator.generateId(), (int)(System.currentTimeMillis() / 1000) + 30, resource.getName(), notBefore);
             String token = new TokenManager().encodeToken(realm, adminAction);
             logger.info("pushRevocation resource: {0} url: {1}", resource.getName(), managementUrl);
             Response response = client.target(managementUrl).path(AdapterConstants.K_PUSH_NOT_BEFORE).request().post(Entity.text(token));
diff --git a/services/src/main/java/org/keycloak/services/managers/TokenManager.java b/services/src/main/java/org/keycloak/services/managers/TokenManager.java
index ec0c267521..44689c2c3a 100755
--- a/services/src/main/java/org/keycloak/services/managers/TokenManager.java
+++ b/services/src/main/java/org/keycloak/services/managers/TokenManager.java
@@ -146,6 +146,15 @@ public class TokenManager {
 
         }
 
+        if (!client.getClientId().equals(refreshToken.getIssuedFor())) {
+            throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Unmatching clients", "Unmatching clients");
+
+        }
+
+        if (refreshToken.getIssuedAt() < client.getNotBefore()) {
+            throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Stale refresh token");
+        }
+
         ApplicationModel clientApp = (client instanceof ApplicationModel) ? (ApplicationModel)client : null;
 
 
@@ -195,13 +204,6 @@ public class TokenManager {
         return createClientAccessToken(scopeParam, realm, client, user, new LinkedList<RoleModel>(), new MultivaluedHashMap<String, RoleModel>());
     }
 
-    protected ClientModel getClaimRequester(RealmModel realm, UserModel client) {
-        ClientModel model = realm.getApplicationByName(client.getLoginName());
-        if (model != null) return model;
-        return realm.getOAuthClient(client.getLoginName());
-    }
-
-
     public AccessToken createClientAccessToken(String scopeParam, RealmModel realm, ClientModel client, UserModel user, List<RoleModel> realmRolesRequested, MultivaluedMap<String, RoleModel> resourceRolesRequested) {
         AccessScope scopeMap = null;
         if (scopeParam != null) scopeMap = decodeScope(scopeParam);
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/ApplicationResource.java b/services/src/main/java/org/keycloak/services/resources/admin/ApplicationResource.java
index 2477c40c23..db4dd126a9 100755
--- a/services/src/main/java/org/keycloak/services/resources/admin/ApplicationResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/ApplicationResource.java
@@ -11,6 +11,7 @@ import org.keycloak.representations.idm.CredentialRepresentation;
 import org.keycloak.services.managers.ApplicationManager;
 import org.keycloak.services.managers.ModelToRepresentation;
 import org.keycloak.services.managers.RealmManager;
+import org.keycloak.services.managers.ResourceAdminManager;
 import org.keycloak.services.resources.KeycloakApplication;
 import org.keycloak.util.JsonSerialization;
 
@@ -185,6 +186,14 @@ public class ApplicationResource {
         }
     }
 
+    @Path("push-revocation")
+    @POST
+    public void pushRevocation() {
+        auth.requireManage();
+        new ResourceAdminManager().pushApplicationRevocationPolicy(realm, application);
+    }
+
+
 
 
 }
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java b/services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java
index da4054a803..0a8996903b 100755
--- a/services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java
@@ -2,12 +2,9 @@ package org.keycloak.services.resources.admin;
 
 import org.jboss.resteasy.annotations.cache.NoCache;
 import org.jboss.resteasy.logging.Logger;
-import org.keycloak.models.AdminRoles;
-import org.keycloak.models.ApplicationModel;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
 import org.keycloak.representations.idm.RealmRepresentation;
-import org.keycloak.services.managers.Auth;
 import org.keycloak.services.managers.ModelToRepresentation;
 import org.keycloak.services.managers.RealmManager;
 import org.keycloak.services.managers.ResourceAdminManager;
@@ -112,7 +109,7 @@ public class RealmAdminResource {
     @POST
     public void pushRevocation() {
         auth.requireManage();
-        new ResourceAdminManager().pushRevocationPolicies(realm);
+        new ResourceAdminManager().pushRealmRevocationPolicy(realm);
     }
 
 }