[keycloak-user] Admin url for bearer-only applications

Stian Thorgersen stian at redhat.com
Fri Sep 12 07:12:21 EDT 2014


The admin URL is also used for other things as well, one which can be useful for bearer-only applications is pushing a not-before time (effectively invalidating any tokens generated prior to a specified time).

----- Original Message -----
> From: "Alarik Myrin" <alarik at zwift.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Friday, 12 September, 2014 1:04:39 PM
> Subject: Re: [keycloak-user] Admin url for bearer-only applications
> 
> Thanks Stian.
> 
> Then what is the purpose of the Admin URL when setting up the bearer-only
> application in the console?  Perhaps it should be removed?
> 
> Or is there some way that the bearer-only application could still maintain
> a "has-logged-out" list (which it would find out about via the admin-url)
> against which to validate a token?  Perhaps using timestamps, which
> presumably is how the token lifespan stuff is checked too?
> 
> 
> 
> On Fri, Sep 12, 2014 at 5:23 AM, Stian Thorgersen <stian at redhat.com> wrote:
> 
> > Bearer-only applications don't manage user sessions, they simply
> > authenticate based on the token in the request.
> >
> > When a user logs out, the applications where a user has directly logged in
> > to (confidential or public) should drop the user session. Confidential apps
> > do this with the request from the server which will in turn invalidate the
> > session in the app. Public apps (using keycloak.js) do this by detecting
> > the logout from the session iframe.
> >
> > You should obviously also have a short "Access Token Lifespan" configured
> > for your realm, this makes sure that any tokens are quickly expired after a
> > logout. As the user session is invalidated on the server, any associated
> > refresh tokens will be expired as well, so it won't be possible for an app
> > to retrieve a new token after the user has logged out.
> >
> > ----- Original Message -----
> > > From: "Alarik Myrin" <alarik at zwift.com>
> > > To: keycloak-user at lists.jboss.org
> > > Sent: Thursday, 11 September, 2014 8:52:50 PM
> > > Subject: [keycloak-user] Admin url for bearer-only applications
> > >
> > > I am not sure the Admin url is working for bearer-only applications, at
> > > least not on Wildfly.
> > >
> > > I have set the admin url for my bearer-only applications just like I do
> > > for my confidential applications. In both cases (they are both war file
> > > deployments running in Wildfly 8.0.0 Final) it is the context-root of the
> > > war file. When I log out the sessions from the keycloak admin console,
> > > the confidential applications hear about the logout, and will respond
> > > with a redirect, but the bearer-only reply with the protected resource
> > > instead of responding with a 401 like I would expect.
> > >
> > > Is anyone else having trouble with this? There are no bearer-only
> > > resources in the preconfigured-demo realm file to check against...
> > >
> > > BTW, I just verified that this was happening with Keycloak 1.0-final.
> > >
> > > Thanks,
> > >
> > > Alarik
> > >
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> 
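The not-before mechanism Stian mentions above, as an added example that is not part of the thread and not Keycloak's own code: a bearer-only resource server keeps a per-client not-before timestamp, an admin push (the kind that would arrive at the admin URL) moves it forward, and any token whose `iat` precedes it is rejected even though its `exp` is still in the future. The class name `BearerTokenValidator`, the method names, the client id `api` and the timestamps are all constructed for the illustration; signature verification is assumed to have already been done by the caller.

```python
"""Hypothetical illustration of admin-pushed not-before checking for a
bearer-only application.  Not Keycloak's code; names and values are
constructed for the example."""
import time


class BearerTokenValidator:
    """Validates already-signature-checked token claims against lifespan and
    an admin-pushed not-before time, stored per client id."""

    def __init__(self, clock=time.time):
        self._clock = clock
        # client_id -> epoch seconds; tokens issued before this are invalid
        self._not_before = {}

    def push_not_before(self, client_id: str, not_before: int) -> None:
        """Handle a not-before push (e.g. after a logout).  The value only ever
        moves forward: an older or replayed push must not re-enable tokens."""
        current = self._not_before.get(client_id, 0)
        self._not_before[client_id] = max(current, int(not_before))

    def validate(self, claims: dict, client_id: str) -> tuple:
        """Return (accepted, reason).  Assumes the JWT signature was verified
        by the caller before the claims reached this point."""
        now = int(self._clock())
        exp = claims.get("exp")
        iat = claims.get("iat")
        if exp is None or iat is None:
            return False, "missing exp or iat"
        # Short "Access Token Lifespan" bounds how long a token outlives a logout.
        if now >= exp:
            return False, "expired"
        # Tokens minted before the pushed not-before time are dropped even
        # though their lifespan has not run out yet.
        if iat < self._not_before.get(client_id, 0):
            return False, "issued before not-before"
        return True, "ok"


def stale_window_seconds(lifespan: int, not_before_pushed: bool) -> int:
    """Worst-case seconds a token issued just before logout stays usable:
    the full lifespan without a push, zero once the push has been applied."""
    return 0 if not_before_pushed else lifespan


if __name__ == "__main__":
    # Constructed scenario: fixed clock at t=1000, 5-minute lifespan.
    v = BearerTokenValidator(clock=lambda: 1000)
    old_token = {"iat": 900, "exp": 1200}
    print(v.validate(old_token, "api"))       # accepted
    v.push_not_before("api", 950)             # logout happened at t=950
    print(v.validate(old_token, "api"))       # rejected: issued before not-before
    print(v.validate({"iat": 960, "exp": 1260}, "api"))  # accepted
```

Without the push, a token issued just before logout remains valid until `exp`, which is why a short access token lifespan is the baseline control; the push closes that remaining window for the bearer-only application.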

