[keycloak-user] logout workflow

Bill Burke bburke at redhat.com
Fri Aug 15 09:07:32 EDT 2014


I really don't know anything about Errai.  I don't know what 
"KeycloakAuthenticationService" class is.  There is not one in our codebase.

Logout requires a *browser* redirect back to the auth server's logout URL:

GET /realms/{name}/tokens/logout?redirect_uri={encodedURI}

Sounds like you are not doing this.  What is probably happening is that 
you are invalidating the session of your Web application, you are being 
redirected to Keycloak because the web app has been logged out, Keycloak 
sees that you are already logged in (via the cookie the auth server 
sends), creates a new token, then redirects you back.

You can also make a background REST invocation to:

GET /realms/{name}/tokens/logout?session_state={session_state}

And this will log out the SSO session.  This background REST API has been 
removed in master though.  In RC1, this background REST invocation 
requires you to authenticate by sending a refresh token to log out the 
SSO session.

POST /realms/{name}/tokens/logout
Content-Type: application/x-www-form-urlencoded

refresh_token=2341234h2134l1kj241234

Hope that helps.  Other than that, don't know much about Errai and 
really can't help you.



On 8/15/2014 2:45 AM, Graeme Collis wrote:
> I am writing an application that uses Errai and Keycloak.
>
> I am able to login successfully and get all my user details and roles.
>
> When I logout, I call the authenticationService to logout and then
> redirect to login url.
>
> The issue with this is then the login page is not shown, the filters
> somehow pick up that the user is cached and re-authenticates with the
> same user and comes straight back into the app.
>
> When I logout the following is called:-
>
> public void logout() {
>     securityContext.invalidateCache();
>     authService.call( new RemoteCallback<Void>() {
>         @Override
>         public void callback( Void response ) {
>             redirect( GWT.getHostPageBaseURL() + "app-login" );
>         }
>     }, new BusErrorCallback() {
>         @Override
>         public boolean error( Message message, Throwable throwable ) {
>             Window.alert( "Logout failed: " + throwable );
>             return true;
>         }
>     } ).logout();
> }
>
> Under the covers the logout calls the
> KeycloakAuthenticationService.logout(). Following through in debug all
> this does is set the securityContext to null.
>
> I added the invalidateCache as an attempt to clear the cache but that
> did not work. I think I’m just not understanding the flow.
>
> I have a GWT module page(/provider-ui.html) which is the only page of
> the app.
>
> I have a /app-login URL which is used by the filters to redirect to
> Keycloak and redirect back to the GWT page after authentication.
>
> My web.xml looks like this:-
>
> <filter>
>     <filter-name>ErraiLoginRedirectFilter</filter-name>
>     <init-param>
>         <param-name>redirectLocation</param-name>
>         <param-value>/provider-ui.html</param-value>
>     </init-param>
> </filter>
>
> <filter-mapping>
>     <filter-name>ErraiLoginRedirectFilter</filter-name>
>     <url-pattern>/app-login</url-pattern>
> </filter-mapping>
>
> <filter-mapping>
>     <filter-name>ErraiUserCookieFilter</filter-name>
>     <url-pattern>/provider-ui.html</url-pattern>
> </filter-mapping>
>
> <security-constraint>
>     <web-resource-collection>
>         <web-resource-name>Login</web-resource-name>
>         <url-pattern>/app-login</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>         <role-name>*</role-name>
>     </auth-constraint>
> </security-constraint>
>
> <login-config>
>     <auth-method>KEYCLOAK</auth-method>
>     <realm-name>demo</realm-name>
> </login-config>
>
> <security-role>
>     <role-name>user</role-name>
> </security-role>
>
> <security-role>
>     <role-name>admin</role-name>
> </security-role>
>
>
> Any pointers of the direction I should take to solve this?
>
> Thanks, Graeme
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
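
The flow described in the reply above, as an added example that is not part of the original thread and is not Keycloak or Errai code: a toy model of the browser's two separate pieces of state, plus a builder for the logout redirect in the URL form quoted in the reply. Host names, the /auth base path and all function names are constructed for illustration.

```javascript
// Added example: a toy model, not Keycloak or Errai code.
// Host names and the /auth base path used with it are constructed sample values.

// Logout redirect in the form quoted in the reply:
//   GET /realms/{name}/tokens/logout?redirect_uri={encodedURI}
function buildLogoutUrl(authServerBase, realm, redirectUri) {
  const base = authServerBase.replace(/\/+$/, ""); // avoid a double slash
  return base + "/realms/" + encodeURIComponent(realm) +
    "/tokens/logout?redirect_uri=" + encodeURIComponent(redirectUri);
}

// The browser holds two independent pieces of state: the web app's own
// session and the SSO cookie set by the auth server.
function newBrowser() {
  return { appSession: null, ssoCookie: null };
}

// Request a protected page. Without an app session the app redirects to the
// auth server, which shows its login page only if no SSO cookie is present.
function visitProtected(browser, typedUser) {
  if (browser.appSession) {
    return { user: browser.appSession, loginPageShown: false };
  }
  const loginPageShown = browser.ssoCookie === null;
  if (loginPageShown) browser.ssoCookie = typedUser; // user logs in
  browser.appSession = browser.ssoCookie; // new token, redirect back to the app
  return { user: browser.appSession, loginPageShown };
}

// What the code in the question does: only the app-side session is dropped.
function localLogoutOnly(browser) {
  browser.appSession = null;
}

// App-side logout followed by a browser redirect to the logout URL: the auth
// server ends the SSO session, then sends the browser to redirect_uri.
function logoutViaAuthServer(browser, logoutUrl) {
  browser.appSession = null;
  browser.ssoCookie = null;
  return new URL(logoutUrl).searchParams.get("redirect_uri");
}
```

After `localLogoutOnly`, the next `visitProtected` call returns the same user with `loginPageShown` false, which is the behaviour reported in the question; after `logoutViaAuthServer`, the login page is shown again.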

