<div dir="ltr">OK, thanks for the clarification.</div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Sep 12, 2014 at 7:12 AM, Stian Thorgersen <span dir="ltr"><<a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">The admin URL is also used for other things as well, one which can be useful for bearer-only applications is pushing a not-before time (effectively invalidating any tokens generated prior to a specified time).<br>
<br>
----- Original Message -----<br>
> From: "Alarik Myrin" <<a href="mailto:alarik@zwift.com">alarik@zwift.com</a>><br>
<div class="HOEnZb"><div class="h5">> To: "Stian Thorgersen" <<a href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
> Cc: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> Sent: Friday, 12 September, 2014 1:04:39 PM<br>
> Subject: Re: [keycloak-user] Admin url for bearer-only applications<br>
><br>
> Thanks Stian.<br>
><br>
> Then what is the purpose of the Admin URL when setting up the bearer-only<br>
> application in the console? Perhaps it should be removed?<br>
><br>
> Or is there some way that the bearer-only application could still maintain<br>
> a "has-logged-out" list (which it would find out about via the admin-url)<br>
> against which to validate a token? Perhaps using timestamps, which<br>
> presumably is how the token lifespan stuff is checked too?<br>
><br>
><br>
><br>
> On Fri, Sep 12, 2014 at 5:23 AM, Stian Thorgersen <<a href="mailto:stian@redhat.com">stian@redhat.com</a>> wrote:<br>
><br>
> > Bearer-only applications don't manage user sessions, they simply<br>
> > authenticate based on the token in the request.<br>
> ><br>
> > When a user logs out, the applications a user has directly logged in<br>
> > to (confidential or public) should drop the user session. Confidential apps<br>
> > do this with the request from the server which will in turn invalidate the<br>
> > session in the app. Public apps (using keycloak.js) do this by detecting<br>
> > the logout from the session iframe.<br>
> ><br>
> > You should obviously also have a short "Access Token Lifespan" configured<br>
> > for your realm, this makes sure that any tokens are quickly expired after a<br>
> > logout. As the user session is invalidated on the server, any associated<br>
> > refresh tokens will be expired as well, so it won't be possible for an app<br>
> > to retrieve a new token after the user has logged out.<br>
> ><br>
> > ----- Original Message -----<br>
> > > From: "Alarik Myrin" <<a href="mailto:alarik@zwift.com">alarik@zwift.com</a>><br>
> > > To: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> > > Sent: Thursday, 11 September, 2014 8:52:50 PM<br>
> > > Subject: [keycloak-user] Admin url for bearer-only applications<br>
> > ><br>
> > > I am not sure the Admin url is working for bearer-only applications, at<br>
> > least<br>
> > > not on Wildfly.<br>
> > ><br>
> > > I have set the admin url for my bearer-only applications just like I do<br>
> > for<br>
> > > my confidential applications. In both cases (they are both war file<br>
> > > deployments running in Wildfly 8.0.0 Final) it is the context-root of the<br>
> > > war file. When I log out the sessions from the keycloak admin console,<br>
> > the<br>
> > > confidential applications hear about the logout, and will respond with a<br>
> > > redirect, but the bearer-only reply with the protected resource instead<br>
> > of<br>
> > > responding with a 401 like I would expect.<br>
> > ><br>
> > > Is anyone else having trouble with this? There are no bearer-only<br>
> > resources<br>
> > > in the preconfigured-demo realm file to check against...<br>
> > ><br>
> > > BTW, I just verified that this was happening with Keycloak 1.0-final.<br>
> > ><br>
> > > Thanks,<br>
> > ><br>
> > > Alarik<br>
> > ><br>
> > ><br>
> > > _______________________________________________<br>
> > > keycloak-user mailing list<br>
> > > <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> > > <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
> ><br>
><br>
</div></div></blockquote></div><br></div>
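<p>An added example, not part of this thread or of Keycloak's own adapter code, that models the two mechanisms discussed above: a bearer-only application keeps no user session, so after a logout the token it holds keeps working until it expires (hence the short "Access Token Lifespan"), unless the realm pushes a not-before time to the application's admin URL, after which any token issued before that instant is rejected. Assumptions: tokens are HS256-signed with a constructed shared secret so the example runs on the standard library alone (a real Keycloak realm signs with its RSA key), the admin-URL push is modelled as a method call rather than the adapter's actual HTTP endpoint, and all timestamps and subjects are made up.</p>

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Constructed secret for this example only; a real realm uses an RSA key pair.
REALM_SECRET = b"example-realm-secret-not-a-real-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, issued_at: int, lifespan: int,
                secret: bytes = REALM_SECRET) -> str:
    """Mint a constructed HS256 access token (stand-in for the realm's issuer)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "iat": issued_at, "exp": issued_at + lifespan}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class BearerOnlyResource:
    """Model of a bearer-only application: no user sessions are tracked.

    Every request is judged on the token alone, plus the single not-before
    timestamp that the realm can push to the application's admin URL.
    """

    def __init__(self, secret: bytes = REALM_SECRET) -> None:
        self._secret = secret
        self.not_before = 0  # epoch seconds; 0 means nothing pushed yet

    def push_not_before(self, timestamp: int) -> None:
        """Handler for the not-before push (modelled as a call, not HTTP)."""
        self.not_before = max(self.not_before, timestamp)

    def validate(self, token: str, now: int) -> Tuple[bool, str]:
        """Return (accepted, subject-or-reason) for a bearer token at time `now`."""
        try:
            h, p, s = token.split(".")
        except ValueError:
            return False, "malformed"
        header = json.loads(_b64url_decode(h))
        # Pin the algorithm so an attacker cannot steer verification elsewhere.
        if header.get("alg") != "HS256":
            return False, "unexpected alg"
        expected = hmac.new(self._secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return False, "bad signature"
        claims = json.loads(_b64url_decode(p))
        if claims["exp"] <= now:
            return False, "expired"
        # Tokens minted before the pushed not-before time are revoked wholesale.
        if claims["iat"] < self.not_before:
            return False, "issued before not-before"
        return True, claims["sub"]


def demo() -> Dict[str, Tuple[bool, str]]:
    """Walk through logout, not-before push and expiry on constructed tokens."""
    t0 = 1_000_000  # constructed epoch timestamp
    app = BearerOnlyResource()
    tok = issue_token("alice", issued_at=t0, lifespan=60)
    results = {}
    results["fresh"] = app.validate(tok, now=t0 + 10)
    # The user logs out at t0+20. The bearer-only app holds no session to drop,
    # so the already-issued token still passes...
    results["after_logout_no_push"] = app.validate(tok, now=t0 + 30)
    # ...until a not-before time is pushed to the admin URL.
    app.push_not_before(t0 + 20)
    results["after_push"] = app.validate(tok, now=t0 + 30)
    # A token issued after the not-before instant is accepted again.
    tok2 = issue_token("alice", issued_at=t0 + 25, lifespan=60)
    results["reissued"] = app.validate(tok2, now=t0 + 30)
    # With a short lifespan the original token dies on its own regardless.
    results["expired"] = app.validate(tok, now=t0 + 61)
    # A token signed with a guessed secret never gets as far as the time checks.
    forged = issue_token("mallory", issued_at=t0 + 25, lifespan=60, secret=b"attacker-guess")
    results["forged"] = app.validate(forged, now=t0 + 30)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24s} -> {outcome}")
```

<p>The gap between "after_logout_no_push" and "after_push" is the point of the thread: without a session of its own, the bearer-only application can only learn about a logout through a pushed not-before time (or by waiting for the short lifespan to run out), which is why the admin URL is still worth configuring for it.</p>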