[keycloak-user] keycloak does not send backchannel logout requests to Admin URL
mn at fstrk.io
Mon Nov 11 23:03:54 EST 2019
Oh, so Spring Security adapter is not part of Keycloak, it is just used
to interact with it from the calling application! This I understand.
In this case however, I don't understand why the adapter matters. Isn't
the adapter's job over after the session is authenticated? What is
special about redirecting to /authorize and then POSTing to /token with
Spring Security adapter compared to other languages/frameworks?
11.11.19 23:06, Leonid Rozenblyum wrote:
> Well since Spring Security adapter is used inside Java client software
> to secure communication with Keycloak, and you're developing your
> software in Python - it seems to be another problem...
>
> According to the docs:
>
>
> *Admin URL*
> For _Keycloak specific_ client adapters, this is the callback endpoint
> for the client. The Keycloak server will use this URI to make
> callbacks like pushing revocation policies, performing backchannel
> logout, and other administrative operations. For Keycloak servlet
> adapters, this can be the root URL of the servlet application. For
> more information see Securing Applications and Services Guide.
>
> It looks like Python OIDC library is not keycloak-specific, so Admin
> URL is NOT an option to set up backchannel logout.
>
> On Mon, Nov 11, 2019 at 9:41 PM mn at fstrk.io wrote:
>
> I would love to try it, but I am a Python guy and I am not sure
> how to figure out Keycloak internals :) Is there any way you can
> point me to look for the instructions on how to do it?
>
>
>
> 11.11.19 22:27, Leonid Rozenblyum wrote:
>> Ok, I see.
>> But do you use Spring Security adapter in your application?
>> If yes, a workaround for KEYCLOAK-10266
>> <https://issues.jboss.org/browse/KEYCLOAK-10266> is possible even
>> before 8.0.0 release.
>>
>> On Mon, Nov 11, 2019 at 6:48 PM mn at fstrk.io wrote:
>>
>> I am using the Docker version, and 8.0.0 has not been
>> released in Docker yet:
>> https://hub.docker.com/r/jboss/keycloak/tags
>>
>> so I guess the only option for me is to wait for the 8.0.0
>> Docker release then.
>>
>>
>> 11.11.19 17:56, Leonid Rozenblyum wrote:
>>> Hi. What adapter are you using?
>>> Spring Security adapter had a bug which was recently fixed
>>> and the fix should be part of 8.0.0
>>> https://issues.jboss.org/browse/KEYCLOAK-10266
>>>
>>> On Mon, Nov 11, 2019 at 6:14 AM mn at fstrk.io wrote:
>>>
>>> I created a client in Keycloak and set up a test admin URL
>>> https://webhook.site/12c50381-0814-441a-82bb-1a68c8366a60
>>> (this is a webhook testing site).
>>>
>>> After that, I performed an OpenID login via this client, and then
>>> sent a logout request to Keycloak.
>>>
>>> I did this a couple of times, and tried two ways of logging a
>>> user out:
>>>
>>> - redirecting to
>>> http://.../auth/realms/myrealm/protocol/openid-connect/logout
>>> <http://127.0.0.1:8080/auth/realms/myrealm/protocol/openid-connect/logout>
>>>
>>> - force logging out of the user via Keycloak admin interface:
>>> http://prntscr.com/pv1v76
>>>
>>> The user indeed gets logged out. However, in both of these cases
>>> I don't see any requests coming out from Keycloak. The testing
>>> website shows zero registered requests.
>>>
>>>
>>> How do I make this work?
>>>
>>>
>>>
>>>
>>> --
>>> Mikhail Novikov
>>>
>>
>> --
>> Михаил Новиков
>> Lead developer
>> fstrk.io <http://fstrk.io>
>>
>
> --
> Михаил Новиков
> Lead developer
> fstrk.io <http://fstrk.io>
>
--
Михаил Новиков
Lead developer
fstrk.io