[keycloak-user] Logout with openid-connect is not invalidating the session cookie.

Sean Schade sean.schade at drillinginfo.com
Wed Sep 21 20:01:01 EDT 2016


Do I need to use the Keycloak JS adapter in our Angular app in order to get
logout to work correctly? I thought we would be fine with just the
openid-connect logout url. It looks like the adapter clears the token in
the browser.

https://github.com/keycloak/keycloak/tree/master/adapters/oidc/js/src/main/resources


On Wed, Sep 21, 2016 at 2:08 PM, Sean Schade <sean.schade at drillinginfo.com>
wrote:

> Thanks Scott for replying. We don't use an adapter. We have an Angular app
> that makes HTTP calls to backend services. All of our services are behind a
> Keycloak Security Proxy.
>
> We are migrating away from Oracle OAM to Keycloak, and with Oracle
> navigating to the logout link was sufficient. I assumed the same would be
> true for Keycloak.
>
> I initially thought this might be the bug:
> https://issues.jboss.org/browse/KEYCLOAK-3311
>
> However, after looking at the logs in Keycloak when I click the Logout
> button in our app I see the following errors.
>
> 18:55:10,630 WARN  [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-11) RESTEASY002130: Failed to parse request.: javax.ws.rs.core.UriBuilderException: RESTEASY003330: Failed to create URI: null
>
> Caused by: javax.ws.rs.core.UriBuilderException: RESTEASY003280: empty host name
>         at org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildString(ResteasyUriBuilder.java:540)
>         at org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildFromValues(ResteasyUriBuilder.java:743)
>
> Perhaps it is a combination of the Keycloak Security Proxy and some
> misconfiguration? I'm not really sure at this moment.
>
> Is my assumption correct that we do not need an adapter for oidc logout?
>
> On Wed, Sep 21, 2016 at 1:29 PM, Scott Rossillo <srossillo at smartling.com>
> wrote:
>
>> Which adapter are you using?
>>
>> Scott Rossillo
>> Smartling | Senior Software Engineer
>> srossillo at smartling.com
>>
>> On Sep 21, 2016, at 2:03 PM, Sean Schade <sean.schade at drillinginfo.com>
>> wrote:
>>
>> We are having an issue where our browser application will initiate a
>> logout, but after redirecting back to the application the user is not taken
>> to the login screen. It appears the user is still logged in, and can fully
>> access the application. I can see the session removed in Keycloak Admin UI.
>> However, it appears the cookie never gets invalidated. Here is the redirect
>> URL we use. Are we missing some configuration step in the client? I have
>> standard flow, implicit flow, and direct access grants enabled. Valid
>> redirect URIs, Base URL, and web origins are all configured in the client.
>> Admin URL is not set as we are relying only on browser logout.
>>
>> https://auth.dev.drillinginfo.com/auth/realms/dev/protocol/openid-connect/logout?redirect_uri=https%3A%2F%2Fapp.dev.drillinginfo.com/gallery/
>>
>