[keycloak-user] Having difficulty logging out in a 2 client scenario

Chris Savory chris.savory at edlogics.com
Fri Nov 4 02:16:20 EDT 2016


Currently it is both services and a web app.  It’s a monolith in its current state.  We have plans to break apart the API services at some point, but that is in the future. 

Christopher Savory
Software Engineer | EdLogics

From: Stian Thorgersen <sthorger at redhat.com>
Reply-To: "stian at redhat.com" <stian at redhat.com>
Date: Friday, November 4, 2016 at 12:18 AM
To: Chris Savory <chris.savory at edlogics.com>
Cc: "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>, Danilo Bonilla <danilo.bonilla at edlogics.com>, David Hartfield <david.hartfield at edlogics.com>, Ali Elhajj <ali.elhajj at edlogics.com>
Subject: Re: [keycloak-user] Having difficulty logging out in a 2 client scenario

Sounds like the Spring Security Adapter is services and not a web app? If so it shouldn't deal with logins and logouts at all. It should be configured as a bearer-only client.

On 1 November 2016 at 00:11, Chris Savory <chris.savory at edlogics.com> wrote:
Our application has 2 clients:
1. A Confidential Client that uses the Spring Security Adapter
2. A Public Client that uses the JavaScript Adapter for an Angular SPA app.

Everything between the two is working fine until I try to logout under certain conditions.

Logout works fine if I first: deep link into a protected page in my app.  The SpringSecurity adapter for client# 1 redirects me to Keycloak. Keycloack then logs me in and sends me back to my app where my token was issued for client #1.  If I logout under this scenario via the SpringSecurity adapter it works fine.

In Scenario #2 I first hit an Angular page in my app.  Then I log in from the JS Adapter in client #2.  Then through a Rest call to my Spring App (which a Bearer token is passed) a java session is established on Tomcat.  When I put some break points in the Keycloak Adapter classes I can see that the KeycloakToken only contains the token in this scenario, but not the refresh token.  I can also see that the token was issued for client #2.  When I try to logout, the adapter sends a request to Keycloak with an empty refresh_token and keycloak returns a 400 error, thus nullifying the logout.

I also tried another scenario where use the JS Adapter get the logout URL and logout directly to Keycloak via “window.location = keycloak.createLogoutUrl({ redirectUri: “/site-url”) }).  This actually logs out the user from all clients (which is what I want), but the problem here is on the next request to the Spring app I think there is still an HttpSession alive and I’m running into the check in SpringSecurityTokenStore.saveAccountInfo where it throws an exception because there is already an (old) token inside the SecurityContextHolder.

Any advice on how to proceed from either of these two scenarios?

Christopher Savory
Software Engineer | EdLogics

keycloak-user mailing list
keycloak-user at lists.jboss.org

More information about the keycloak-user mailing list