[keycloak-user] Issue with logout.
Marek Posolda
mposolda at redhat.com
Wed Feb 24 07:31:15 EST 2016
On 24/02/16 12:45, Satyajit Das wrote:
> Hi Marek,
>
> We can't have access token so short lived because users can login and
> do operations and can stay logged in for some time.
In that case, you can refresh tokens after some period. Basically
before you send a request to the REST service, you will check if your
accessToken is still valid (you can parse it and see the expiration period).
If it is outdated, you will send a request to Keycloak to refresh the
access token. That's how our adapters work. If you use an adapter, you can
be logged in to the application for a long time even if the accessToken lifespan is
just 1 minute.
If you really can't rely on a short access token, there is the possibility
that your REST service will always send a request to Keycloak to
double-check if the access token is still valid. We have support for Token
Introspection ( https://tools.ietf.org/html/rfc7662 ). The endpoint
should be under
http://localhost:8080/auth/realms/YourREALMName/protocol/openid-connect/token/introspect
Note that this has a performance impact as the REST service will always need
to contact Keycloak to double-check the token.
Marek
>
> What we are relying on is that once the logout URL is called using the
> refresh token ID, the user, when trying to access a webservice using the
> token, should not be allowed to as the logout service has been called.
>
> But the user can get the data using the old token. Any suggestion
> how to stop this behaviour?
>
> Regards,
> Satya.
>
>
>
> On Wed, Feb 24, 2016 at 4:39 PM, Marek Posolda <mposolda at redhat.com> wrote:
>
> On 24/02/16 10:58, Satyajit Das wrote:
>> Hi Team, we are facing the below issue with logout.
>>
>> I use a login/logout RESTful service:
>>
>> after login
>> I get a token ID, say "t1", and a refresh token ID, say "rt1"
>>
>> 1) We have registered a webservice as a keycloak client (example
>> demo123) with access type as bearer.
>> 2) When I call the logout rest service:
>>
>> if (isPublic()) { // if client is public access type
>>     formparams.add(new BasicNameValuePair(OAuth2Constants.CLIENT_ID, "demo123"));
>> }
>>
>> URI logoutUri = KeycloakUriBuilder.fromUri(getBaseUrl(request) + "/auth")
>>     .path(ServiceUrlConstants.TOKEN_SERVICE_LOGOUT_PATH)
>>     .build("RealmName");
>>
>> the logout gives 204 for client's access type as open.
>>
>> but when I again hit the service with the token ID "t1" after logout,
>> still I can get the response. *Note this response doesn't hit
>> keycloak*.
> Yes, it works this way and that's why we suggest using short
> lifetimes for accessToken (1 minute). This means that the access token
> needs to be refreshed every 1 minute and the request for
> refreshing the token actually needs to hit the Keycloak server (in your
> case, the refresh won't succeed because you already did logout).
>
> Marek
>>
>> Regards,
>> Satya
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
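The behaviour discussed in this thread (a bearer-only service keeps accepting "t1" after logout until it expires, while a refresh or an introspection call to Keycloak notices the logout), replayed in an added Python example. This is not code from the thread or from the Keycloak project: the signing key, the HS256 tokens, the `FakeKeycloak` class and the `scenario()` timings are constructed stand-ins so the example runs offline; only the introspection URL comes from Marek's reply, and the `token_type_hint` form field is the RFC 7662 one.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple
from urllib.parse import urlencode

# Constructed stand-in for the realm signing key. Assumption for brevity: HS256 with a
# shared secret; a real Keycloak realm signs access tokens with its RSA key pair.
SECRET = b"constructed-demo-secret"
BASE_URL = "http://localhost:8080/auth"
REALM = "YourREALMName"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(sub: str, session_id: str, issued_at: int, lifespan: int) -> str:
    """Mint a minimal signed JWT whose `exp` claim is issued_at + lifespan."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "session_state": session_id, "iat": issued_at, "exp": issued_at + lifespan}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now: int) -> Optional[dict]:
    """Local bearer-token validation: signature plus `exp`. A logout is invisible here."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(payload))
    return claims if int(claims["exp"]) > now else None


def needs_refresh(token: str, now: int, min_validity: int = 5) -> bool:
    """Client pre-flight check Marek describes: read `exp` (no signature check needed on
    the client) and refresh when fewer than `min_validity` seconds remain."""
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    return int(claims["exp"]) - now < min_validity


def introspection_request(token: str) -> Tuple[str, str]:
    """URL (from the thread) and form body a REST service would POST, with its own client
    credentials, to ask Keycloak whether the token is still active (RFC 7662)."""
    url = f"{BASE_URL}/realms/{REALM}/protocol/openid-connect/token/introspect"
    return url, urlencode({"token": token, "token_type_hint": "access_token"})


class FakeKeycloak:
    """Hypothetical in-process stand-in for the server, not the Keycloak API: it only
    tracks which user sessions are alive so the example runs offline."""

    def __init__(self) -> None:
        self.sessions = {}        # session_id -> subject
        self.refresh_tokens = {}  # refresh token -> session_id

    def login(self, sub: str, session_id: str, now: int, lifespan: int = 60) -> Tuple[str, str]:
        self.sessions[session_id] = sub
        refresh_token = f"constructed-refresh-{session_id}"
        self.refresh_tokens[refresh_token] = session_id
        return make_token(sub, session_id, now, lifespan), refresh_token

    def logout(self, refresh_token: str) -> bool:
        """The logout endpoint: ends the session the refresh token belongs to."""
        session_id = self.refresh_tokens.pop(refresh_token, None)
        return self.sessions.pop(session_id, None) is not None

    def refresh(self, refresh_token: str, now: int, lifespan: int = 60) -> Optional[str]:
        session_id = self.refresh_tokens.get(refresh_token)
        if session_id not in self.sessions:
            return None  # session is gone, so the refresh fails: this is how the client notices
        return make_token(self.sessions[session_id], session_id, now, lifespan)

    def introspect(self, token: str, now: int) -> dict:
        """RFC 7662 style answer: active only if the token verifies AND its session is alive."""
        claims = verify_token(token, now)
        if claims is None or claims["session_state"] not in self.sessions:
            return {"active": False}
        return {"active": True, "sub": claims["sub"], "exp": claims["exp"]}


def scenario() -> dict:
    """Replay the thread: log in, log out with rt1, then present the old access token t1."""
    kc = FakeKeycloak()
    t0 = 1456300000  # constructed issue time
    t1, rt1 = kc.login("satya", "sess-1", t0, lifespan=60)
    kc.logout(rt1)
    now = t0 + 10  # still inside the 60 s lifespan
    return {
        "local_check_after_logout": verify_token(t1, now) is not None,      # True
        "introspection_after_logout": kc.introspect(t1, now)["active"],     # False
        "refresh_after_logout": kc.refresh(rt1, now) is not None,           # False
        "local_check_after_expiry": verify_token(t1, t0 + 60) is not None,  # False
        "client_refreshes_early": needs_refresh(t1, t0 + 58),               # True
    }
```

Running `scenario()` shows the trade-off in one place: the locally validated token stays usable for the remaining lifespan after logout, so the window of exposure equals the access token lifespan (hence the 1 minute advice), whereas both the refresh and the introspection call fail immediately because Keycloak no longer has the session. A service that introspects every request closes that window at the cost of one round trip to Keycloak per call.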