[keycloak-user] logout workflow

Graeme Collis gcollis at iinet.net.au
Wed Aug 20 00:08:49 EDT 2014


Bill,

I have found a workaround for my issue and will bring it up on the Errai site but just to help if others hit this.

I found out that the redirect to Keycloak login did not go through after logout (i.e. it essentially let you straight back into the app) because the JSESSIONID cookie has been set somewhere and not cleared in the methods that call logout. I haven't yet traced it all the way through to find out where it is set, and so where it should be unset.

My workaround is to remove the Cookie after I logout from Keycloak and before I redirect to a logged out page.

Because Errai is using GWT I can use :-
		import com.google.gwt.user.client.Cookies;
		import java.util.Date;

		// Read the container session cookie the browser currently holds.
		String sessionId = Cookies.getCookie("JSESSIONID");
		if ( sessionId != null ) {
			// Re-set it with an expiry of "now" so the browser drops it before the
			// redirect (GWT's Cookies.removeCookie("JSESSIONID") does the same).
			// This only clears the browser's copy; the server-side session itself
			// lives on until it is invalidated or times out.
			Cookies.setCookie("JSESSIONID", sessionId, new Date());
		}

Regards, Graeme


-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke
Sent: Friday, 15 August 2014 11:08 PM
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] logout workflow

I really don't know anything about Errai.  I don't know what "KeycloakAuthenticationService" class is.  There is not one in our codebase.

Logout requires a *browser* redirect back to the auth server's logout URL:

GET /realms/{name}/tokens/logout?redirect_uri={encodedURI}

Sounds like you are not doing this.  What is probably happening is that you are invalidating the session of your Web application, you are being redirected to Keycloak because the web app has been logged out, keycloak sees that you are already logged in (via the cookie the auth server sends), creates a new token, then redirects you back.

You can also make a background REST invocation to:

GET /realms/{name}/tokens/logout?session_state={session_state}

And this will logout the SSO session.  This background REST API has been removed in master though.  In RC1, this background REST invocation requires you to authenticate by sending a refresh token to logout the SSO session.

POST /realms/{name}/tokens/logout
Content-Type: application/x-www-formencoded-whatever

refresh_token=2341234h2134l1kj241234

Hope that helps.  Other than that, don't know much about Errai and really can't help you.



On 8/15/2014 2:45 AM, Graeme Collis wrote:
> I am writing an application that uses Errai and Keycloak.
>
> I am able to login successfully and get all my user details and roles.
>
> When I logout, I call the authenticationService to logout and then
> redirect to login url.
>
> The issue with this is then the login page is not shown, the filters
> somehow pick up that the user is cached and re-authenticates with the
> same user and comes straight back into the app.
>
> When I logout the following is called:-
>
> public void logout() {
>     securityContext.invalidateCache();
>     authService.call( new RemoteCallback<Void>() {
>         @Override
>         public void callback( Void response ) {
>             redirect( GWT.getHostPageBaseURL() + "app-login" );
>         }
>     }, new BusErrorCallback() {
>         @Override
>         public boolean error( Message message, Throwable throwable ) {
>             Window.alert( "Logout failed: " + throwable );
>             return true;
>         }
>     } ).logout();
> }
>
> Under the covers the logout calls the
> KeycloakAthenticationService.logout(). Following through in debug all
> this does is set the securityContext to null.
>
> I added the invalidateCache as an attempt to clear the cache but that
> did not work. I think I'm just not understanding the flow.
>
> I have a GWT module page(/provider-ui.html) which is the only page of
> the app.
>
> I have a /app-login URL which is used by the filters to redirect to
> Keycloak and redirect back to the GWT page after authentication.
>
> My web.xml looks like this:-
>
> <filter>
>     <filter-name>ErraiLoginRedirectFilter</filter-name>
>     <init-param>
>         <param-name>redirectLocation</param-name>
>         <param-value>/provider-ui.html</param-value>
>     </init-param>
> </filter>
>
> <filter-mapping>
>     <filter-name>ErraiLoginRedirectFilter</filter-name>
>     <url-pattern>/app-login</url-pattern>
> </filter-mapping>
>
> <filter-mapping>
>     <filter-name>ErraiUserCookieFilter</filter-name>
>     <url-pattern>/provider-ui.html</url-pattern>
> </filter-mapping>
>
> <security-constraint>
>     <web-resource-collection>
>         <web-resource-name>Login</web-resource-name>
>         <url-pattern>/app-login</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>         <role-name>*</role-name>
>     </auth-constraint>
> </security-constraint>
>
> <login-config>
>     <auth-method>KEYCLOAK</auth-method>
>     <realm-name>demo</realm-name>
> </login-config>
>
> <security-role>
>     <role-name>user</role-name>
> </security-role>
>
> <security-role>
>     <role-name>admin</role-name>
> </security-role>
>
> Any pointers of the direction I should take to solve this?
>
> Thanks, Graeme
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
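A server-side version of the logout step Bill describes (browser redirect to the realm logout URL with an encoded redirect_uri), combined with the JSESSIONID cleanup from Graeme's workaround, as an added example that is not code from either poster nor from Keycloak or Errai. AUTH_SERVER, the /logout servlet and the /logged-out.html landing page are assumed placeholders; the /realms/{name}/tokens/logout path is the 2014-era endpoint quoted in this thread (later Keycloak releases moved it to /realms/{name}/protocol/openid-connect/logout).

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical /logout endpoint: ends the web-app session, then sends the BROWSER to the auth server. */
public class LogoutServlet extends HttpServlet {

    static final String AUTH_SERVER = "https://auth.example.invalid/auth"; // placeholder, not a real server
    static final String REALM = "demo";                                    // realm name from the web.xml above

    /** Builds {auth}/realms/{realm}/tokens/logout?redirect_uri={encoded}; kept separate so it can be unit-tested. */
    static String buildLogoutUrl(String authServer, String realm, String redirectUri) throws IOException {
        return authServer + "/realms/" + realm + "/tokens/logout?redirect_uri="
                + URLEncoder.encode(redirectUri, "UTF-8");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // 1. Invalidate the container session server-side. Clearing a client-side
        //    cache (securityContext.invalidateCache()) does not do this.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Expire the JSESSIONID cookie in the browser so a stale id is not sent
        //    again on the next request (server-side equivalent of the GWT workaround).
        Cookie stale = new Cookie("JSESSIONID", "");
        stale.setMaxAge(0);
        stale.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
        stale.setHttpOnly(true);
        resp.addCookie(stale);

        // 3. Redirect the browser to Keycloak's logout endpoint. Only a browser round-trip
        //    can clear the auth server's own SSO cookie; without it Keycloak still sees the
        //    user as logged in and silently issues a fresh token on the next protected request.
        String backTo = req.getScheme() + "://" + req.getServerName() + ":" + req.getServerPort()
                + req.getContextPath() + "/logged-out.html";
        resp.sendRedirect(buildLogoutUrl(AUTH_SERVER, REALM, backTo));
    }
}
```

Map the servlet to /logout in web.xml and point the application's logout action at it instead of at /app-login, so the browser reaches Keycloak before being sent back to a page that is outside the security constraint.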
