[keycloak-user] Session Logout with Offline Access Token
Marek Posolda
mposolda at redhat.com
Wed Mar 29 15:50:05 EDT 2017
Do you have a chance to try the example I pointed and see if it works as
expected?
Marek
On 29/03/17 21:13, Benjamin Zaitlen wrote:
> Hi Marek,
>
> Thanks for the response. I am saving the token for APP2. The behavior
> I'm observing is that after the SSO Logout, the offline token access
> is revoked, and the previously saved token is no longer valid.
> Perhaps I'm doing something incorrectly. This is also on 2.5.X
>
> --Ben
>
> On Wed, Mar 29, 2017 at 1:28 PM, Marek Posolda <mposolda at redhat.com
> <mailto:mposolda at redhat.com>> wrote:
>
> On 29/03/17 13:43, Benjamin Zaitlen wrote:
>
> Any thoughts on this?
>
> --Ben
>
> On Fri, Mar 24, 2017 at 5:20 PM, Benjamin Zaitlen
> <quasiben at gmail.com <mailto:quasiben at gmail.com>>
> wrote:
>
> Hi All,
>
> I'm having some trouble with sessions, clients, and offline access tokens. Let's say I have a client (APP 1) and I've logged in with OIDC. I now have a refresh_token and session for APP 1. Using the auth code flow I can generate an offline_access token (refresh_token) for a second client: APP 2. When I look in *realms/myrealm/account/sessions*, I see one session but two clients. At first I thought, great! I was able to get the auth code flow working and I generated a refresh token for a second client.
>
> But then disaster set in, when I logged out of the APP 1 client with the URL *protocol/openid-connect/logout*. I was logged out of the session which included the *second client* and thus the offline access token for APP 2 was effectively revoked.
>
> I've seen a handful of JIRAs related to offline access tokens and logouts but I think they don't quite cover this use case. I have two questions:
>
> 1. Is it possible, using the auth code flow, to generate a refresh token in a separate session? That is, can APP 1 generate an offline_access token for APP 2 in a separate session without re-authenticating?
>
> Once you have logged in to your APP 2, you have both an online session, which is part of the SSO login (hence you are able to browse APP 2 with your browser), and an offline session. After login to APP 2, you need to somehow save your offline token for later use, which is the responsibility of your APP 2.
>
> SSO logout will clear your browser session, but the offline token will still be valid and can be used for further refreshes. The offline token will also survive a server restart.
>
> You can take a look at the example in the keycloak-examples distribution under "preconfigured-demo/offline-access-app", which also does a logout of the browser session (or a server restart), but the offline token is still valid.
>
>
> 2. Can I logout a specific client for a session by passing additional parameters in the logout URL?
>
> Nope, logout is always a global SSO logout as it clears the userSession on the Keycloak side. Assume that when the "global" userSession is not cleared, then the single logged-out client would still always be able to log in anytime due to the SSO session, hence logout would be a bit pointless though?
>
> Marek
>
>
> Thanks,
> --Ben
>
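The behaviour Marek describes above, the offline token outliving the browser SSO session, as an added Python example (not code from this thread or from the Keycloak project): APP 2 checks that the refresh token it received really is an offline token (Keycloak marks these with typ "Offline" and the offline_access scope) before persisting it, and later replays it against the realm's token endpoint. The sample tokens are constructed and unsigned, and the base URL, client id and secret used in the checks are placeholders.

```python
import base64
import json
import urllib.parse
import urllib.request


def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature: fine for an app
    inspecting a token Keycloak just issued to it over TLS, not for trusting
    tokens presented by others."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def is_offline_token(token: str) -> bool:
    """True if this is an offline token (Keycloak sets typ 'Offline' and the
    offline_access scope); it outlives the SSO session, so APP 2 must persist it."""
    claims = decode_claims(token)
    scopes = claims.get("scope", "").split()
    return claims.get("typ") == "Offline" and "offline_access" in scopes


def refresh_request(base_url, realm, client_id, client_secret, offline_token):
    """Build the token-endpoint POST that APP 2 replays after the SSO logout
    (or a server restart) to obtain a fresh access token."""
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    form = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": offline_token,
    }
    return url, urllib.parse.urlencode(form).encode()


def refresh_access_token(base_url, realm, client_id, client_secret, offline_token):
    """Perform the refresh against a live Keycloak (network call)."""
    url, body = refresh_request(base_url, realm, client_id, client_secret, offline_token)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def constructed_token(claims: dict) -> str:
    """Constructed, unsigned sample token for offline demonstration only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```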