[keycloak-user] User sessions not ending upon automatic logout

Bill Burke bburke at redhat.com
Sat Jun 3 10:18:37 EDT 2017 

The admin console should not be logging you out if your logged in user 
doesn't have permission to access it.  Are you sure it is logging you 
out and not just displaying an error page?  The behavior you specify 
sounds correct as we do not initiate an SSO logout if a user fails 
authorization for one application

On 6/2/17 5:27 PM, Kyle Swensson wrote:
> Hello,
>
>
> I am having an issue with refresh tokens while using keycloak with the
> Tomcat adapter. I'm using Keycloak 2.3.0 and Tomcat 7
>
> The issue arises when I authenticate with keycloak as a basic user using
> tomcat. When this happens a session is started for my basic user, which I
> believe means that I am given a refresh token. Then, I navigate to the
> Keycloak Admin Console page on a different window. Since I am authenticated
> as a basic user, since Keycloak uses SSO it will try to automatically log
> my current user into the Admin Console, but it will fail since my basic
> user is not configured to be able to use the admin console. After it fails,
> Keycloak "logs out" my current user because I don't have permissions to
> access the admin console.
>
> The problem is that this "logout" that Keycloak just did doesn't end the
> basic user's session for some reason, and thus it doesn't invalidate their
> refresh token. This is a problem because it means that if I go back to my
> basic user's application, even though keycloak supposedly logged me out, I
> can still use the refresh token to get more access tokens for the
> application, and thus continue using the application as normal even though
> I'm not technically logged in. Worse still, the logout functionality ceases
> to work because since Keycloak thinks my user isn't logged in, telling
> Keycloak to log my user out doesn't work. This makes it so that the only
> way to actually invalidate my current refresh token is by going to "My
> Account" as the basic user, and ending all current sessions for them.
>
> It's worth noting that this *only *happens when the basic user is
> automatically logged out when Keycloak tries to sign it in to the admin
> console automatically. For example, if I have the admin console window open
> before I log my basic user in, and then while I am logged in with my basic
> user I log in normally to the admin console with a different user, Keycloak
> will successfully log out my basic user and end their session, invalidating
> their refresh token, like it should.
>
>
> I'm wondering if this is an actual bug with Keycloak, or if this is just
> being caused by some user error on my side, because I can't really figure
> out a workaround for this issue. One potential workaround that I have found
> is enabling "Revoke Refresh Token" in the "Tokens" tab of the "Realm
> Settings" section of the Keycloak admin console, however this is making my
> application run quite strangely, and I'm not certain why.
>
> If upgrading to Keycloak 3.0 would fix the problem I can do that, however
> it will likely be a fair bit of work so I don't really want to upgrade
> unless I'm certain it will fix the problem.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list