[keycloak-user] Keycloak logout not working for “bearer-only” application exposing REST services

Dan Nemes dan.nemes at ymail.com
Sun Jan 21 04:17:38 EST 2018 

Hello,
I am unable to logout an user. The logout works for a "confidential" applications but it doesn't for a "bearer-only" application (the REST services are still accessible after logout).
I have the following configuration:
   
   - I have one "database" client application defined in Keycloak having access type "bearer-only" (created with the intent of exposing REST web services protected by Keycloak based on user roles)
   - I have one "rest_service" client application defined in keycloak having access type "confidential" (created with the intent of logging in users and allowing access to the "bearer-only" REST services after a successful login). The below described workflow is implemented in this application using REST web services
I am performing the following steps:   
   - An http GET request is performed on URL http://localhost:8180/auth/realms/demo/protocol/openid-connect/auth which redirects the user to the login page handled by Keycloak
   - The user performs the login using his credentials (using the credentials of a user defined in Keycloak)
   - Keycloak redirects the user to the "redirect_uri" which was passed in step 1. In this step Keycloak also provides as request parameters the "state" and "code" values.
   - After the user has been redirected back to the application I exchange the "code" received in step 3 for a token doing a POST request on http://localhost:8180/auth/realms/demo/protocol/openid-connect/token which is done successfully
   - After the access token is available I proceed to access the "bearer-only" REST web services.
note: the REST web services exposed by the "bearer-only" service are not accessible unless the user has been logged in and it has the correct "role" assigned to it.Problem: As stated at the start of the post the user is still able to access the "bearer-only" REST web services after the logout has been done. The only thing that seems to work is the logout from the "confidential" application (the user is not able to access the application unless he logs in again).If I perform the logout of the user then the REST web services exposed by the bearer-only application are still accessible. In the Keycloak server I get the following WARN message: " Some clients have been not been logged out for user adminuser in demo realm: rest_service"I tried implementing the logout in three ways:   
   - A redirect to URL http://localhost:8180/auth/realms/demo/protocol/openid-connect/logoutpassing in the redirect_uri and client_id parameters
   - A POST request to http://localhost:8180/auth/realms/demo/protocol/openid-connect/logoutpassing in the Authorization Bearer in the header and the client_id, refresh_token, client_secret and redirect_uri
   - A REST service exposed by the "bearer-only" service which does the following method call: HttpServletRequest request.logout()
Neither of the above methods is working.PS: I did not want to go in to many details because even so the post is long enough. If I missed something please tell me and I will provide the additional information (if possible I can also attach the actual projects)
Thank you,Dan Nemes

|  | Virus-free. www.avg.com  |

More information about the keycloak-user mailing list