<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
I think this is a bug. We probably don't refresh the token that is
obtained by the "child" IDP.<br>
<br>
<a class="moz-txt-link-freetext" href="https://issues.jboss.org/browse/KEYCLOAK-2691">https://issues.jboss.org/browse/KEYCLOAK-2691</a><br>
<br>
<div class="moz-cite-prefix">On 3/20/2016 10:58 AM, Xiao Ma wrote:<br>
</div>
<blockquote
cite="mid:CABOwsGRefj6PX+9SerJJ-fyxfvGfaR0CgyrpsckPyeCkUYiERQ@mail.gmail.com"
type="cite">
<div dir="ltr">Hi,
<div><br>
</div>
<div>
<p>I configured an OIDC identity provider by selecting the <code class=""
style="font-size:0.9em;font-family:courrier,monospace;white-space:nowrap">OpenID
Connect v1.0</code> identity provider from the drop-down
box on the top right corner of the identity providers table
in Keycloak's Admin Console. During the configuration
process, I also configured "Logout Url" for the IDP logout
URL.</p>
<p class=""><span class="">When I try to logout to the
external IDP, the browser is redirected to the external
IDP to perform the logout. I can see some URL as follows:</span></p>
<p class=""><span class="">https://<b>keycloakdev.xxxxxxx.com</b>/auth/realms/<b>Internal</b>/protocol/openid-connect/logout?<b>state=</b>a4efbda0-8b98-4169-a369-59e92bc3fac5&amp;<b>id_token_hint=</b>eyJhbGciOiJSUzI1NiJ9.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.BIneKvUpSPq4c32dV5JclWPjtbA0U55u8Pf_C7KDokNMMBKCERHnzIS8-9csBxh8NLJbB_PmApMY0raAz-YPOcwyvmsOJ23bSrDR3Oa2HZ5JEGzs9IVFyhzQXJuDBCBWcPZl-eNxnxdGkNJBd7Cx03iWsUVUE9NeJYPjeZ5s8rmDtaX38V6JywugWRby5rfSZDLpu7xoGj6a_ZSZEXUfktwCMHS0Jnz_1M778Bmka0TcD1bvIpuqVl4-YQf2P3UZWgxqFQoNDVegZUNuekqUQyJiuRjlQuhITg5tDYfy2DbhkqVsN2gR7mUp21WNx2S5pG5Hb9cXajIVGR6SmW4qKA</span></p>
<p class="">"<a moz-do-not-send="true"
href="http://keycloakdev.xxxxxxx.com">keycloakdev.xxxxxxx.com</a>"
is where the external IDP is located. "Internal" is the name
of the realm. The parameters "state" and "id_token_hint" are
appended to the endpoint logout URL automatically during the
logout process.</p>
<p class="">However, this process failed because I got a
"Session Not Active" error in the UI. After some
investigation, I found this "Session Not Active" error
seems to be related to the value of Realm Setting
-&gt; Tokens -&gt; Access Token Lifespan I configured.
The default value is 5 minutes. If I trigger the logout
within 5 minutes, I can log out to the external
IDP successfully. If I do the logout after 5 minutes, I
will get this "Session Not Active" error.
Is this the expected behavior? Do
I have to bump up the value of "Access
Token Lifespan" to get a longer session for the logout
purpose?</p>
<p class="">Thanks a lot for the help!</p>
<p class="">Xiao</p>
</div>
</div>
<pre wrap="">_______________________________________________
keycloak-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Bill Burke
JBoss, a division of Red Hat
<a class="moz-txt-link-freetext" href="http://bill.burkecentral.com">http://bill.burkecentral.com</a></pre>
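<p>Added example, not part of the original thread and not Keycloak code: a diagnostic for the symptom reported above. It pulls the id_token_hint out of a logout URL, decodes the payload without verifying the signature, and reports whether the token had already expired when the logout was sent. The token, the host idp.example.com and the timestamps are constructed, and treating an expired hint as the cause of "Session Not Active" is an assumption based on the thread.</p>

```python
import base64
import json
from urllib.parse import urlsplit, parse_qs, urlencode


def b64url_decode(segment):
    """Decode a base64url JWT segment, restoring stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def hint_status(logout_url, now):
    """Return (status, seconds_left) for the id_token_hint in a logout URL.

    Diagnostic only: the signature is NOT verified, so never use this
    to make an authorization decision.
    """
    params = parse_qs(urlsplit(logout_url).query)
    hints = params.get("id_token_hint")
    if not hints:
        return ("missing", None)
    parts = hints[0].split(".")
    if len(parts) != 3:
        return ("malformed", None)
    try:
        claims = json.loads(b64url_decode(parts[1]))
        exp = int(claims["exp"])
    except (ValueError, KeyError, TypeError):
        return ("malformed", None)
    return ("expired" if now >= exp else "active", exp - now)


def make_logout_url(iat, lifespan):
    """Build a constructed logout URL whose hint expires at iat + lifespan."""
    header = b64url_encode(json.dumps({"alg": "RS256"}).encode())
    payload = b64url_encode(json.dumps({"iat": iat, "exp": iat + lifespan}).encode())
    token = ".".join([header, payload, "c2lnbmF0dXJl"])  # placeholder signature
    query = urlencode({"state": "constructed-state", "id_token_hint": token})
    return "https://idp.example.com/auth/realms/Internal/protocol/openid-connect/logout?" + query


if __name__ == "__main__":
    url = make_logout_url(iat=1_458_486_000, lifespan=300)  # 5 minute lifespan
    print(hint_status(url, now=1_458_486_000 + 120))  # logout after 2 minutes
    print(hint_status(url, now=1_458_486_000 + 360))  # logout after 6 minutes
```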
</body>
</html>