[keycloak-user] Admin url for bearer-only applications

Alarik Myrin alarik at zwift.com
Fri Sep 12 07:04:39 EDT 2014


Thanks Stain.

Then what is the purpose of the Admin URL when setting up the bearer-only
application in the console?  Perhaps it should be removed?

Or is there some way that the bearer-only application could still maintain
a "has-logged-out" list (which it would find out about via the admin-url)
against which to validate a token?  Perhaps using timestamps, which
presumably is how the token lifespan stuff is checked too?



On Fri, Sep 12, 2014 at 5:23 AM, Stian Thorgersen <stian at redhat.com> wrote:

> Bearer-only applications don't manage user sessions, they simply
> authenticate based on the token in the request.
>
> When a user logs out, the applications where a user has directly logged in
> to (confidential or public) should drop the user session. Confidential apps
> do this with the request from the server which will in turn invalidate the
> session in the app. Public apps (using keycloak.js) do this by detecting
> the logout from the session iframe.
>
> You should obviously also have a short "Access Token Lifespan" configured
> for your realm, this makes sure that any tokens are quickly expired after a
> logout. As the user session is invalidated on the server, any associated
> refresh tokens will be expired as well, so it won't be possible for an app
> to retrieve a new token after the user has logged out.
>
> ----- Original Message -----
> > From: "Alarik Myrin" <alarik at zwift.com>
> > To: keycloak-user at lists.jboss.org
> > Sent: Thursday, 11 September, 2014 8:52:50 PM
> > Subject: [keycloak-user] Admin url for bearer-only applications
> >
> > I am not sure the Admin url is working for bearer-only applications, at
> > least not on Wildfly.
> >
> > I have set the admin url for my bearer-only applications just like I do
> > for my confidential applications. In both cases (they are both war file
> > deployments running in Wildfly 8.0.0 Final) it is the context-root of the
> > war file. When I log out the sessions from the keycloak admin console,
> > the confidential applications hear about the logout, and will respond with a
> > redirect, but the bearer-only reply with the protected resource instead
> > of responding with a 401 like I would expect.
> >
> > Is anyone else having trouble with this? There are no bearer-only
> > resources in the preconfigured-demo realm file to check against...
> >
> > BTW, I just verified that this was happening with Keycloak 1.0-final.
> >
> > Thanks,
> >
> > Alarik
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
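To make the two mechanisms discussed in this thread concrete, here is an added example (not Keycloak code and not how the Wildfly adapter actually behaves): a bearer-only style validator that checks the token signature and expiry, and additionally rejects tokens issued before a recorded per-session logout timestamp, the "has-logged-out" list Alarik asks about. It assumes an HS256 shared secret (Keycloak signs with the realm RSA key; this is a simplification to stay self-contained), the claim names `session_state`, `iat` and `exp`, and a hypothetical `record_logout` hook that an admin-URL push would call.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret. Real Keycloak tokens are RS256-signed with the realm key;
# HS256 is used here only so the example runs without external libraries.
SECRET = b"demo-shared-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict) -> str:
    """Constructed HS256 token standing in for a Keycloak-issued access token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

# Per-session logout timestamps the bearer-only app could keep if the server
# pushed logout events to its admin URL (hypothetical, as proposed in the thread).
logged_out_sessions = {}

def record_logout(session_state: str, when: int) -> None:
    """Hypothetical admin-URL hook: remember when this session was logged out."""
    logged_out_sessions[session_state] = when

def validate(token: str, now: int) -> tuple:
    """Bearer-only style check: signature, then expiry, then the logout list."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        return False, "bad signature"
    claims = json.loads(_unb64url(body))
    # A short "Access Token Lifespan" keeps this window small after a logout.
    if now >= claims["exp"]:
        return False, "expired"
    # Tokens minted before the recorded logout of their session are refused.
    logout_at = logged_out_sessions.get(claims.get("session_state", ""))
    if logout_at is not None and claims["iat"] < logout_at:
        return False, "session logged out"
    return True, "ok"
```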