[keycloak-user] How to logout

Ryan Slominski ryans at jlab.org
Tue Aug 14 11:07:23 EDT 2018


Hi Stan,
  I'm not sure if it is an issue or just the way it is supposed to work.  Again, HttpServletRequest.logout() does work when the servlet container itself believes a user is logged in.  The case in which it appears to be a no-op is when the servlet container is not aware of any login.  This might be okay?  Not sure?   The problem is that a user can be logged into Keycloak, but not logged into the servlet container.  In this case how do I log the user out?  Perhaps I should use the alternative method, the URL: https://authserver/auth/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri?  However, having a logout anchor (link) that navigates to that URL does not destroy the Keycloak login.  Perhaps I need to add some authentication header, bearer token, or something else along with the GET HTTP request?  Watching the network requests using the developer console of a web browser I see that even after the logout request to Keycloak if I attempt a login immediately after I see the KC_RESTART cookie is used (so a token must still exist?) and I am logged in automatically without being prompted for username or password - so... the logout URL didn't seem to work.

Thanks,

Ryan

----- Original Message -----
From: "Stan Silvert" <ssilvert at redhat.com>
To: "keycloak-user" <keycloak-user at lists.jboss.org>
Sent: Monday, August 13, 2018 7:15:15 PM
Subject: Re: [keycloak-user] How to logout

HttpServletRequest.logout() should not be a no-op.  It was implemented a 
long time ago:
https://issues.jboss.org/browse/KEYCLOAK-478

If there is an issue with it you should report it in JIRA.

Stan

On 8/13/2018 4:19 PM, Ryan Slominski wrote:
> Hi Keycloak Users,
>
> I'm using the Wildfly client adapter and trying to logout of Keycloak, even if a client application container doesn't think it is logged in.  This is a problem because login state with Keycloak and login state with JSESSION_ID in servlet container are two separate things that can get out-of-sync.  The documentation says you can logout in one of two ways:
>
> 1. Call HttpServletRequest.logout()
> 2. Navigate to URL http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri
>
> See: https://www.keycloak.org/docs/latest/securing_apps/index.html#logout
>
> The first appears to be a no-op because the Java container itself isn't logged in, in this case.  This does work if the client container is aware that it is logged in, but doesn't otherwise.  The second also doesn't seem to do anything and just redirects back to redirect_uri.  Any tips?
>
> A forceful logout is useful in the scenario when one client (client A) logs into Keycloak, and a different client (client B) wants to forcefully logout so as to switch users.  In this scenario client B doesn't think it is logged in because the client adapter is using container managed security with JSESSIONID, and locally the client isn't logged in.  However if a login was attempted it would succeed automatically without prompting for a username and password and therefore the user wouldn't get a chance to provide an alternate username.  A switch user ability is useful when users need to login with separate admin credentials or also in scenarios where a user says "move over and I'll drive" to a colleague.
>
> Thanks,
>
> Ryan


_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
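As an added illustration (not code from this thread, from Keycloak or from the Wildfly adapter), a servlet that chains the two logout methods the documentation lists: it clears the container-side session first, then redirects the browser to the realm's logout endpoint with redirect_uri URL-encoded, so the Keycloak SSO session is addressed even when the container never saw a login. The Keycloak base URL, realm name and servlet path are assumed placeholders.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Forces a logout of both the servlet container and the Keycloak SSO session. */
@WebServlet("/logout")                       // assumed path
public class ForceLogoutServlet extends HttpServlet {
    private static final String KEYCLOAK_BASE = "https://authserver/auth"; // assumption
    private static final String REALM = "my-realm";                        // assumption

    /** Builds the logout URL from the thread: .../realms/{realm}/protocol/openid-connect/logout */
    static String keycloakLogoutUrl(String base, String realm, String redirectUri)
            throws IOException {
        return base + "/realms/" + realm + "/protocol/openid-connect/logout?redirect_uri="
                + URLEncoder.encode(redirectUri, "UTF-8");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Step 1: drop container state. logout() is only meaningful when the container
        // itself knows about a login; invalidating the HttpSession covers the other case.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();            // discards the JSESSIONID-bound state
        }
        if (req.getUserPrincipal() != null) {
            req.logout();                    // adapter-aware logout when a principal exists
        }

        // Step 2: send the browser to Keycloak so the SSO session is ended there too;
        // Keycloak returns the browser to redirect_uri afterwards.
        String back = req.getScheme() + "://" + req.getServerName() + ":" + req.getServerPort()
                + req.getContextPath() + "/";
        resp.setHeader("Cache-Control", "no-store");
        resp.sendRedirect(keycloakLogoutUrl(KEYCLOAK_BASE, REALM, back));
    }
}
```

To verify the Keycloak side actually ended, request a protected page after the redirect returns: the login form should appear, whereas being admitted without a prompt (as observed above with the KC_RESTART cookie) means the SSO session survived and the endpoint call must be inspected in the browser's network tab.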


