[keycloak-user] Session Logout with Offline Access Token

Benjamin Zaitlen quasiben at gmail.com
Wed Mar 29 15:13:24 EDT 2017 

Hi Marek,

Thanks for the response.  I am saving the token for APP2.  The behavior I'm
observing is that after the SSO Logout, the offline token access is
revoked, and the previously saved token is no longer value.  Perhaps I'm
doing something incorrectly.  This is also on 2.5.X

--Ben

On Wed, Mar 29, 2017 at 1:28 PM, Marek Posolda <mposolda at redhat.com> wrote:

> On 29/03/17 13:43, Benjamin Zaitlen wrote:
>
>> Any thoughts on this?
>>
>> --Ben
>>
>> On Fri, Mar 24, 2017 at 5:20 PM, Benjamin Zaitlen <quasiben at gmail.com>
>> wrote:
>>
>> Hi All,
>>>
>>> I'm having some trouble with sessions, clients, and offline access
>>> tokens.  Let's say I have a client (APP 1) and I've logged in with
>>> OIDC.  I
>>> now have a refresh_token and session for APP 1. Using the auth code flow
>>> I
>>> can generate an offline_access token (refresh_token) for a second client:
>>> APP 2.   When I look in *realms/myrealm/account/sessions, *I see one
>>> session but two clients.  At first I thought, great!  I was able to get
>>> the
>>> auth code flow working and I generated a refresh token for a second
>>> client.
>>>
>>> But then disaster set in, when I logged out of the APP 1 client with the
>>> URL: *protocol/openid-connect/logout.* I was logged out the session
>>> which
>>> included the* second client* and thus the offline access token for APP 2
>>> was effectively revoked.
>>>
>>> I've seen a handful of JIRAs related to offline access tokens and logouts
>>> but I think they don't quite cover this usecase. I have two questions:
>>>
>>> 1. Is it possible, using the auth code flow, to generate a refresh token
>>> in separate session. That is can APP 1 generate an offline_access token
>>> for
>>> APP 2 in a separate session without re-authenticating?
>>>
>> Once you logged to your APP 2, you have both online session, which is
> part of SSO login (hence you are able to browse APP 2 with your browser)
> and offline session. After login to APP 2, you need to somehow save your
> offline token for later use, which is responsibility of your APP 2.
>
> SSO logout will clear your browser session, but offline token will be
> still valid and can be used for further refreshes. Offline token will also
> survive server restart.
>
> You can take a look at the example in the keycloak-examples distribution
> under "preconfigured-demo/offline-access-app" , which also does logout of
> browser session (or server restart), but offline token is still valid.
>
>>
>>> 2. Can I logout a specific client for a session by passing additional
>>> parameters in the logout URL ?
>>>
>> Nope, Logout is always global SSO logout as it clears the userSession on
> the Keycloak side. Assume that when the "global" userSession is not
> cleared, then the single logged-out client will be still always able to
> login anytime due to SSO session, hence logout would be a bit pointless
> though?
>
> Marek
>
>>
>>> Thanks,
>>> --Ben
>>>
>>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
>

More information about the keycloak-user mailing list