[keycloak-user] Admin url for bearer-only applications

Alarik Myrin alarik at zwift.com
Fri Sep 12 07:18:40 EDT 2014


OK, thanks for the clarification.

On Fri, Sep 12, 2014 at 7:12 AM, Stian Thorgersen <stian at redhat.com> wrote:

> The admin URL is also used for other things as well, one which can be
> useful for bearer-only applications is pushing a not-before time
> (effectively invalidating any tokens generated prior to a specified time).
>
> ----- Original Message -----
> > From: "Alarik Myrin" <alarik at zwift.com>
> > To: "Stian Thorgersen" <stian at redhat.com>
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Friday, 12 September, 2014 1:04:39 PM
> > Subject: Re: [keycloak-user] Admin url for bearer-only applications
> >
> > Thanks Stian.
> >
> > Then what is the purpose of the Admin URL when setting up the bearer-only
> > application in the console?  Perhaps it should be removed?
> >
> > Or is there some way that the bearer-only application could still maintain
> > a "has-logged-out" list (which it would find out about via the admin-url)
> > against which to validate a token?  Perhaps using timestamps, which
> > presumably is how the token lifespan stuff is checked too?
> >
> >
> >
> > On Fri, Sep 12, 2014 at 5:23 AM, Stian Thorgersen <stian at redhat.com> wrote:
> >
> > > Bearer-only applications don't manage user sessions, they simply
> > > authenticate based on the token in the request.
> > >
> > > When a user logs out, the applications where a user has directly logged in
> > > to (confidential or public) should drop the user session. Confidential apps
> > > do this with the request from the server which will in turn invalidate the
> > > session in the app. Public apps (using keycloak.js) do this by detecting
> > > the logout from the session iframe.
> > >
> > > You should obviously also have a short "Access Token Lifespan" configured
> > > for your realm, this makes sure that any tokens are quickly expired after a
> > > logout. As the user session is invalidated on the server, any associated
> > > refresh tokens will be expired as well, so it won't be possible for an app
> > > to retrieve a new token after the user has logged out.
> > >
> > > ----- Original Message -----
> > > > From: "Alarik Myrin" <alarik at zwift.com>
> > > > To: keycloak-user at lists.jboss.org
> > > > Sent: Thursday, 11 September, 2014 8:52:50 PM
> > > > Subject: [keycloak-user] Admin url for bearer-only applications
> > > >
> > > > I am not sure the Admin url is working for bearer-only applications, at least
> > > > not on Wildfly.
> > > >
> > > > I have set the admin url for my bearer-only applications just like I do for
> > > > my confidential applications. In both cases (they are both war file
> > > > deployments running in Wildfly 8.0.0 Final) it is the context-root of the
> > > > war file. When I log out the sessions from the keycloak admin console, the
> > > > confidential applications hear about the logout, and will respond with a
> > > > redirect, but the bearer-only reply with the protected resource instead of
> > > > responding with a 401 like I would expect.
> > > >
> > > > Is anyone else having trouble with this? There are no bearer-only resources
> > > > in the preconfigured-demo realm file to check against...
> > > >
> > > > BTW, I just verified that this was happening with Keycloak 1.0-final.
> > > >
> > > > Thanks,
> > > >
> > > > Alarik
> > > >
> > > >
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> >
>
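The behaviour Stian describes above, as an added example that is not part of the thread and not Keycloak's own adapter code: a bearer-only resource server keeps no user session and accepts a request purely on the token it carries, so a server-side logout never reaches it. The two levers named in the thread are a short access-token lifespan (the token's `exp` claim) and a not-before time pushed to the application's admin URL, which rejects any token issued (`iat`) before that instant. The token format below is a simplified HS256 JWT built with the standard library so it runs offline; real Keycloak tokens are RS256 with richer claims, and the key, subject and timestamps here are constructed values.

```python
"""
Added example (not from the mailing-list thread or from Keycloak itself):
a minimal bearer-only check that mirrors the behaviour discussed above.

  1. a short access-token lifespan (the ``exp`` claim), and
  2. a pushed "not-before" time that rejects every token whose ``iat``
     precedes it (what the admin-URL push would set on the application).

Simplified HS256 tokens via the standard library; the shared key, subject
and timestamps are constructed values, not Keycloak defaults.
"""
import base64
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-demo-key"   # assumption: symmetric demo key


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, issued_at: int, lifespan: int, key: bytes = SHARED_KEY) -> str:
    """Mint a token the way the realm would after login (constructed claims)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "iat": issued_at, "exp": issued_at + lifespan}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


class BearerOnlyResource:
    """Stateless resource server: no session table, only token checks."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        # Set when the realm pushes a not-before to the admin URL; 0 = none.
        self.not_before = 0

    def push_not_before(self, timestamp: int) -> None:
        """What the admin-URL push from the server would set on this app."""
        self.not_before = max(self.not_before, timestamp)

    def validate(self, token: str, now: int) -> tuple:
        """Return (accepted, reason). A logout on the server is invisible here;
        only signature, expiry and the pushed not-before decide."""
        try:
            head_b64, claims_b64, sig_b64 = token.split(".")
        except ValueError:
            return False, "malformed"
        expected = hmac.new(self.key, f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return False, "bad signature"
        claims = json.loads(_b64url_decode(claims_b64))
        if now >= claims["exp"]:
            return False, "expired"
        if claims["iat"] < self.not_before:
            return False, "issued before not-before"
        return True, "ok"


def logout_scenario() -> dict:
    """Walk through the situation from the thread (constructed timestamps)."""
    app = BearerOnlyResource()
    token = issue_token("alice", issued_at=100, lifespan=300)   # valid until 400
    results = {}
    results["before_logout"] = app.validate(token, now=150)
    # User logs out at t=200: the server drops the session and refresh token,
    # but the bearer-only app has no session to drop, so the token still passes.
    results["after_logout_no_push"] = app.validate(token, now=250)
    # Push a not-before of 200 to the admin URL: tokens issued earlier are out.
    app.push_not_before(200)
    results["after_not_before_push"] = app.validate(token, now=250)
    # A token minted after the push is still accepted.
    fresh = issue_token("alice", issued_at=260, lifespan=300)
    results["fresh_token"] = app.validate(fresh, now=270)
    # Even without a push, the short lifespan ends the exposure at exp.
    results["after_expiry"] = app.validate(token, now=400)
    return results


if __name__ == "__main__":
    for step, (ok, why) in logout_scenario().items():
        print(f"{step:24s} accepted={ok} ({why})")
```

The `after_logout_no_push` step is the window Alarik observed: between logout and expiry the bearer-only application keeps serving the protected resource, and only a not-before push or the token's own expiry closes it.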