[keycloak-user] User session logout in Keycloak Console seems not to work if using User Federation Provider

Juan Pablo Perata jpperata at gmail.com
Fri Feb 23 08:08:28 EST 2018


I found that I needed to configure the Admin URL for the client for logout
through the admin console to work properly.
An answer Stian Thorgersen gave on another thread about logout on bearer
and non-bearer clients was really useful.

Regards,
Juan

On Thu, Feb 1, 2018 at 10:29 AM Juan Pablo Perata <jpperata at gmail.com>
wrote:

> To add something else:
>
> I discovered I was changing JSESSIONID after successful login in a
> callback servlet. I removed that because Keycloak itself is invalidating
> the old session and assigning a new id.
>
> Otherwise, to my surprise, after logging out the session from the Keycloak
> admin console, the session remains active and I am still logged in to the
> application.
>
> Any tip is appreciated.
> Regards,
> Juan
>
>
> On Wed, Jan 31, 2018 at 12:20 PM Juan Pablo Perata <jpperata at gmail.com>
> wrote:
>
>> Hello,
>>
>> This issue seems application specific, but I could not get to the root
>> of it yet.
>>
>> I would like to know if someone faced this in Keycloak Admin Console or
>> some tips you could give me to see what is going on.
>>
>> *Environment*
>> Web application running on Wildfly 10.1.0.Final and secured with Keycloak.
>> Keycloak 3.4.3.Final server running in <IP>:<PORT1>
>> Wildfly 10.1.0.Final server running in <IP>:<PORT2>
>> *Description*
>> Found that session logout from Keycloak admin does not have any effect
>> for federated users in my web application.
>> Steps:
>> - develop your own user federation provider to connect to internal
>> database (implements interfaces _UserStorageProvider,
>> CredentialInputValidator, UserLookupProvider, OnUserCache_)
>> - properly configured user federation provider in keycloak realm
>> - configure and deploy a JSF based web OIDC client application in Wildfly
>> secured by Keycloak
>> - Go to: _<IP>:<PORT2>/<web-application_uri>_ and authenticate using
>> federation provider
>> Authentication succeeded
>> - Go to Keycloak Console -> Realm -> Sessions -> (select web application
>> client) -> Show sessions. Then select <user-authenticated> from displayed
>> table -> "Sessions" tab
>> - Click "Logout all sessions" or "Logout" the specific session. A success
>> message is displayed and session disappears from table.
>> - Go to _<IP>:<PORT2>/<web-application_uri>_ and check that session is
>> still alive and user is authenticated.
>> - Checked in a Filter in web application that
>> "org.keycloak.KeycloakSecurityContext" security context is present with
>> information from logged in user.
>>
>> *To note:*
>> - (correct behaviour) If logout is performed from web application, single
>> sign on session is logged out properly (HttpRequest.logout()).
>> - (correct behaviour) Tested behaviour with [product-portal sample |
>> https://github.com/keycloak/keycloak/tree/master/examples/demo-template/product-app]
>> application and *it works ok as expected*.
>> Tested with users loaded in "demo" json and also using my own user
>> federation provider and works well.
>>
>> Thanks in advance,
>> Juan
>>
>
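
An added example, not part of the original thread or of Keycloak itself: a check over a realm export that lists clients with no Admin URL, the setting the reply above identifies as the fix for admin-console logout. The sample export is constructed; `adminUrl`, `bearerOnly`, `publicClient`, `enabled` and `protocol` are fields of Keycloak's client representation, and skipping bearer-only and public clients is an assumption of this sketch.

```python
import json

# Constructed sample: a trimmed realm export (values are illustrative only).
SAMPLE_REALM_EXPORT = json.loads("""
{
  "realm": "example-realm",
  "clients": [
    {"clientId": "jsf-webapp", "enabled": true, "protocol": "openid-connect",
     "bearerOnly": false, "publicClient": false, "adminUrl": ""},
    {"clientId": "portal-with-admin-url", "enabled": true,
     "protocol": "openid-connect", "bearerOnly": false, "publicClient": false,
     "adminUrl": "http://app.example.test:8080/portal"},
    {"clientId": "rest-api", "enabled": true, "protocol": "openid-connect",
     "bearerOnly": true, "publicClient": false},
    {"clientId": "spa", "enabled": true, "protocol": "openid-connect",
     "bearerOnly": false, "publicClient": true},
    {"clientId": "retired-app", "enabled": false, "protocol": "openid-connect",
     "bearerOnly": false, "publicClient": false}
  ]
}
""")


def clients_missing_admin_url(realm_export):
    """Return sorted clientIds of enabled, confidential, non-bearer-only
    OIDC clients whose adminUrl is absent or blank."""
    missing = []
    for client in realm_export.get("clients", []):
        if not client.get("enabled", True):
            continue  # disabled clients cannot hold live sessions
        if client.get("protocol", "openid-connect") != "openid-connect":
            continue  # only OIDC clients are considered here
        # Assumption: bearer-only and public clients keep no server-side
        # HTTP session for Keycloak to call back and invalidate.
        if client.get("bearerOnly", False) or client.get("publicClient", False):
            continue
        if not (client.get("adminUrl") or "").strip():
            missing.append(client["clientId"])
    return sorted(missing)


if __name__ == "__main__":
    for client_id in clients_missing_admin_url(SAMPLE_REALM_EXPORT):
        print(f"{client_id}: no Admin URL; a logout issued from the admin "
              "console may not reach this application")
```
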

