[keycloak-user] SAML HttpServletRequest.logout() support

Jason Spittel jasonspittel at yahoo.com
Wed Jul 12 10:29:58 EDT 2017


Hi Mark,
You can see my other thread to Hynek Mlnarik about logout and cookies. It's sort of a JSF issue, I suppose, more than a KC issue. Actually, I'll just copy the email here.
The TL;DR version is: the JSF redirect on logout loses cookies, so the app has to re-auth with KC before logging out. Which means the first logout doesn't 'take'.


Hi Hynek,
My setup is exactly from that tutorial. And I found the problem with logging out, I'm not sure how to report the issue (not sure if it's really a KC issue at all), raise a Jira ticket?

Setup:
JEE app running JSF calling EJBs.
JEE app using the WildFly Keycloak SAML adapters to talk to Keycloak (KC).
Keycloak set up to use ADFS as its IdP.

Problem:
JEE app needs to logout twice to logout. (That is, after first logout, you can still hit the protected resource on the JEE app without logging in again)

Cause:
1) First logout: JSF's redirect (externalContext.redirect(externalContext.getRequestContextPath() + "/?GLO=true" );) removes the JSESSIONID cookie, which causes an initial auth from the JEE app to KC when logout is hit. The rest of the logout proceeds properly: the realm session ID is removed from KC, and ADFS logs the user out.

2) Second logout: JSF's redirect again removes the JSESSIONID cookie and tries to do an initial auth from the JEE app to KC, but KC doesn't have any session to auth the user with, so the user is kicked out, 'successfully' logging out.

Solution:
Preserve the JSESSIONID on the redirect, so the initial auth to KC doesn't occur on logout.
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Imports and the enclosing bean are filled in so the snippet compiles as posted;
// the original bean held _context, _httpRequest and _logger as fields.
public class LogoutBean
{
   private static final Logger _logger = Logger.getLogger(LogoutBean.class.getName());

   public void logout() throws IOException, ServletException
   {
      FacesContext _context = FacesContext.getCurrentInstance();
      ExternalContext externalContext = _context.getExternalContext();
      HttpServletRequest _httpRequest = (HttpServletRequest) externalContext.getRequest();

      try
      {
         // drop the container session, then the servlet-level logout
         externalContext.invalidateSession();

         _httpRequest.logout();
      }
      catch (Exception ex)
      {
         _logger.log(Level.SEVERE, "Logout failed", ex);
      }
      finally
      {
         // need to set the cookie for the jsessionid, or will re-auth with KC, and will require two logouts to logout completely
         preserveJsessionidCookie(externalContext);

         // GLO=true is the logout trigger the Keycloak SAML adapter looks for on the redirected request
         externalContext.redirect(externalContext.getRequestContextPath() + "/?GLO=true");
      }
   }

   private void preserveJsessionidCookie(ExternalContext externalContext)
   {
      Cookie[] cookies = ((HttpServletRequest) externalContext.getRequest()).getCookies();
      if (cookies == null)
      {
         return; // getCookies() returns null when the request carried no cookies at all
      }
      for (Cookie cookie : cookies)
      {
         if (cookie.getName().equalsIgnoreCase("jsessionid"))
         {
            // echo the incoming JSESSIONID back so the redirected request keeps the same session
            ((HttpServletResponse) externalContext.getResponse()).addCookie(cookie);
            break;
         }
      }
   }
}

Cheers,


Thanks, 
Jason
On Tuesday, July 11, 2017, 11:59:41 PM PDT, Marek Posolda <mposolda at redhat.com> wrote:

You can check our SAML examples in the keycloak-examples distribution. 
They're doing logout.

Marek

On 05/07/17 20:40, Jason Spittel wrote:
> I'm having trouble with SAML Logout.  I have a JEE app that uses Keycloak as an identity broker to ADFS.
> Following these instructions: Logout | Keycloak Documentation
>
> I should be able to just call HttpServletRequest.logout(). But that doesn't do anything.
> Searching Jira I see this is a reported issue.
> [KEYCLOAK-2191] SAML HttpServletRequest.logout() support - JBoss Issue Tracker
>
> While that's being worked on, are there workarounds to do a SAML logout through Keycloak?
>
> Thanks,
> Jason
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
