<div dir="ltr"><div>Thanks Stain.</div><div><br></div>Then what is the purpose of the Admin URL when setting up the bearer-only application in the console? Perhaps it should be removed?<div><br></div><div>Or is there some way that the bearer-only application could still maintain a "has-logged-out" list (which is would find out about via the admin-url against which to validate a token? Perhaps using timestamps, which presumably is how the token lifespan stuff is checked too?</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Sep 12, 2014 at 5:23 AM, Stian Thorgersen <span dir="ltr"><<a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Bearer-only applications doesn't manage user sessions, they simply authenticate based on the token in the request.<br>
<br>
When a user logs out, the applications where a user has directly logged in to (confidential or public) should drop the user session. Confidential apps do this with the request from the server which will in turn invalidate the session in the app. Public apps (using keycloak.js) does this by detecting the logout from the session iframe.<br>
<br>
You should obviously also have a short "Access Token Lifespan" configured for your realm, this makes sure that any tokens are quickly expired after a logout. As the user session is invalidated on the server, any associated refresh tokens will be expired as well, so it won't be possible for an app to retrieve a new token after the user has logged out.<br>
<div><div class="h5"><br>
----- Original Message -----<br>
> From: "Alarik Myrin" <<a href="mailto:alarik@zwift.com">alarik@zwift.com</a>><br>
> To: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> Sent: Thursday, 11 September, 2014 8:52:50 PM<br>
> Subject: [keycloak-user] Admin url for bearer-only applications<br>
><br>
> I am not sure the Admin url is working for bearer-only applications, at least<br>
> not on Wildfly.<br>
><br>
> I have set the admin url for my bearer-only applications just like I do for<br>
> my confidential applications. In both cases (they are both war file<br>
> deployments running in Wildfly 8.0.0 Final) it is the context-root of the<br>
> war file. When I log out the sessions from the keycloak admin console, the<br>
> confidential applications hear about the logout, and will respond with a<br>
> redirect, but the bearer-only reply with the protected resource instead of<br>
> responding with a 401 like I would expect.<br>
><br>
> Is anyone else having trouble with this? There are no bearer-only resources<br>
> in the preconfigured-demo realm file to check against...<br>
><br>
> BTW, I just verified that this was happening with Keycloak 1.0-final.<br>
><br>
> Thanks,<br>
><br>
> Alarik<br>
><br>
><br>
</div></div>> _______________________________________________<br>
> keycloak-user mailing list<br>
> <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</blockquote></div><br></div>