[keycloak-user] How explicitly enable session management in Keycloak?

Known Michael known.michael at gmail.com
Wed Mar 15 02:52:02 EDT 2017


Can anybody help?
Do we have a bug in 2.5.4?

On Sun, Mar 12, 2017 at 11:56 AM, Known Michael <known.michael at gmail.com>
wrote:

> Stian,
>
> I have upgraded to Keycloak 2.5.4 but unfortunately I still have the
> problem.
>
> I see in mod_auth_openidc logs the following:
>
>
>
> [Sun Mar 12 11:40:24 2017] [debug] src/mod_auth_openidc.c(1556): [client
> clientIP] oidc_save_in_session: session management disabled: session_state
> ((null)) and/or check_session_iframe (https://localhost/auth/
> realms/comp-realm/protocol/openid-connect/login-status-iframe.html) is
> not provided, referer: https://server_ip/auth/realms/
> comp-realm/protocol/openid-connect/auth?response_type=
> code&scope=openid&client_id=httpd_server_ip&state=
> 8DpklUhcfpymZa89Dj0s7KNG9Xo&redirect_uri=https%3A%2F%
> 2Fserver_ip%2Fprotected%2Fredirect_uri&nonce=
> YxVGddiIoSvZtfxftxgKUQzZICfDsU1x7T5hCLhPpPk
>
>
>
> On Mon, Feb 6, 2017 at 9:33 AM, Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
>> It was fixed as part of https://issues.jboss.org/browse/KEYCLOAK-4338.
>>
>> On 3 February 2017 at 17:37, Known Michael <known.michael at gmail.com>
>> wrote:
>>
>>> Stian,
>>> Do you have open issues?
>>>
>>>
>>> On Fri, Feb 3, 2017 at 10:47 AM, Stian Thorgersen <sthorger at redhat.com>
>>> wrote:
>>>
>>>> There are some fixes to the RP iframe coming in 2.5.4 which will be out
>>>> in a week or two. There was an issue with it expecting a "session_state"
>>>> value that wasn't equal to the value from the tokens.
>>>>
>>>> You can try building master if you'd like to try it out in advance.
>>>>
>>>> On 1 February 2017 at 16:59, Known Michael <known.michael at gmail.com>
>>>> wrote:
>>>>
>>>>> Hey,
>>>>>
>>>>> I use mod_auth_openidc version "2.1.2", Keycloak version “2.4.0”
>>>>>
>>>>> I was not able to implement the session management using OP and RP
>>>>> frames as described here:
>>>>>
>>>>> https://github.com/pingidentity/mod_auth_openidc/wiki/Session-Management
>>>>>
>>>>> I see in mod_auth_openidc logs the following:
>>>>>
>>>>> [Wed Feb 01 14:12:54 2017] [debug] src/mod_auth_openidc.c(1556):
>>>>> [client
>>>>> 192.168.111.33] oidc_save_in_session: session management disabled:
>>>>> session_state ((null)) and/or check_session_iframe (
>>>>> https://localhost/auth/realms/realm/protocol/openid-connect/
>>>>> login-status-iframe.html)
>>>>> is not provided, referer:
>>>>> https://192.168.110.2/auth/realms/realm/protocol/openid-conn
>>>>> ect/auth?response_type=code&scope=openid&client_id=httpd_192
>>>>> .168.110.2&state=i1YQ39FbBLSCTRyIgEN-F9CdDH4&redirect_uri=ht
>>>>> tps%3A%2F%2F192.168.110.2%2Fprotected%2Fredirect_uri&nonce=0
>>>>> VJ7AO-QBaxVaUBL9goen7muN4Oka1dP_1iPEQ43o-M
>>>>>
>>>>> It looks like the session management is disabled because the Provider
>>>>> did not return a session_state parameter in the authentication response
>>>>> (which in its turn can be verified via the referer URL in the same log
>>>>> entry) as the spec dictates:
>>>>> https://openid.net/specs/openid-connect-session-1_0.html#CreatingUpdatingSessions
>>>>>
>>>>> How should I explicitly enable session management in Keycloak?
>>>>> It should start returning session_state in the authentication
>>>>> responses.
>>>>>
>>>>> I see that it is implemented already
>>>>> https://issues.jboss.org/browse/KEYCLOAK-451 but I am probably missing
>>>>> something.
>
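
Added example, not part of the original thread and not mod_auth_openidc or Keycloak code: a small offline check for the two inputs named in the debug message quoted above (session_state from the authentication response, check_session_iframe from the provider metadata). The regular expression follows the message format as quoted in this thread; the function names and the op.example / rp.example hosts are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Message format as it appears in the debug log lines quoted in this thread.
DISABLED_RE = re.compile(
    r"oidc_save_in_session: session management disabled: "
    r"session_state \((?P<state>.*?)\) and/or "
    r"check_session_iframe \((?P<iframe>.*?)\) is not provided"
)

# Constructed sample line (hosts and client address are placeholders).
SAMPLE_LINE = (
    "[Wed Feb 01 14:12:54 2017] [debug] src/mod_auth_openidc.c(1556): "
    "[client 192.0.2.10] oidc_save_in_session: session management disabled: "
    "session_state ((null)) and/or check_session_iframe "
    "(https://op.example/auth/realms/demo/protocol/openid-connect/"
    "login-status-iframe.html) is not provided"
)


def _present(value):
    """Map an unset value, logged as "(null)", or an empty one to None."""
    v = (value or "").strip()
    return v if v and v != "(null)" else None


def parse_disabled_line(line):
    """Return the two logged values for a 'disabled' line, or None if no match."""
    m = DISABLED_RE.search(line)
    if not m:
        return None
    return {"session_state": _present(m["state"]),
            "check_session_iframe": _present(m["iframe"])}


def check_auth_response(response_url, provider_metadata):
    """List which of the two inputs is missing for a captured response URL."""
    parts = urlsplit(response_url)
    params = parse_qs(parts.query)
    params.update(parse_qs(parts.fragment))  # fragment-encoded responses
    missing = []
    if not params.get("session_state"):      # blank values are dropped by parse_qs
        missing.append("session_state")
    if not provider_metadata.get("check_session_iframe"):
        missing.append("check_session_iframe")
    return missing
```

Feed `check_auth_response` the URL the browser is redirected back to at the redirect_uri (the authentication response), together with the provider's discovery document parsed as a dict.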