<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    This is fixed in master and will be released with 1.9.2 in 1 or 2
    weeks.<br>
    <br>
    <div class="moz-cite-prefix">On 3/21/2016 11:25 AM, Xiao Ma wrote:<br>
    </div>
    <blockquote
cite="mid:CABOwsGQaPCUWksb4LDWDoHjRg6dZ-5y=jrsJRDpB3So+4i1HqA@mail.gmail.com"
      type="cite">
      <div dir="ltr">Thank you, Bill! I am wondering what our rough
        estimate is on when we are going to release 1.9.2.Final. 
        <div><br>
        </div>
        <div>Best Regards,</div>
        <div>Xiao<br>
          <div class="gmail_extra"><br>
            <div class="gmail_quote">On Mon, Mar 21, 2016 at 10:26 AM,
              Bill Burke <span dir="ltr">&lt;<a moz-do-not-send="true"
                  href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>&gt;</span>
              wrote:<br>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                <div bgcolor="#FFFFFF" text="#000000"> I think this is a
                  bug.  We probably don't refresh the token that is
                  obtained by the "child" IDP.<br>
                  <br>
                  <a moz-do-not-send="true"
                    href="https://issues.jboss.org/browse/KEYCLOAK-2691"
                    target="_blank">https://issues.jboss.org/browse/KEYCLOAK-2691</a><span
                    class=""><br>
                    <br>
                    <div>On 3/20/2016 10:58 AM, Xiao Ma wrote:<br>
                    </div>
                  </span>
                  <blockquote type="cite">
                    <div dir="ltr">Hi, 
                      <div><br>
                      </div>
                      <div><span class="">
                          <p>I configured an OIDC identity provider by
                            selecting the <code
style="font-size:0.9em;font-family:courrier,monospace;white-space:nowrap">OpenID Connect v1.0</code> identity provider from
                            the drop-down box on the top right corner of
                            the identity providers table in Keycloak's
                            Admin Console. During the configuration
                            process, I also configured "Logout Url" for
                            the IDP logout URL. </p>
                          <p> </p>
                          <p><span>When I try to logout to the external
                              IDP, the browser is redirected to the
                              external IDP to perform the logout. I can
                              see some URL as follows:</span></p>
                        </span>
                        <p><span><a moz-do-not-send="true">https://</a><b><a
                                moz-do-not-send="true"
                                href="http://keycloakdev.xxxxxxx.com"
                                target="_blank">keycloakdev.xxxxxxx.com</a></b>/auth/realms/<b>Internal</b>/protocol/openid-connect/logout?<b>state=</b>a4efbda0-8b98-4169-a369-59e92bc3fac5&amp;<b>id_token_hint=</b>eyJhbGciOiJSUzI1NiJ9.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.BIneKvUpSPq4c32dV5JclWPjtbA0U55u8Pf_C7KDokNMMBKCERHnzIS8-9csBxh8NLJbB_PmApMY0!

                            raAz-YPO
cwyvmsOJ23bSrDR3Oa2HZ5JEGzs9IVFyhzQXJuDBCBWcPZl-eNxnxdGkNJBd7Cx03iWsUVUE9NeJYPjeZ5s8rmDtaX38V6JywugWRby5rfSZDLpu7xoGj6a_ZSZEXUfktwCMHS0Jnz_1M778Bmka0TcD1bvIpuqVl4-YQf2P3UZWgxqFQoNDVegZUNuekqUQyJiuRjlQuhITg5tDYfy2DbhkqVsN2gR7mUp21WNx2S5pG5Hb9cXajIVGR6SmW4qKA</span>:</p>
                        <span class="">
                          <p>"<a moz-do-not-send="true"
                              href="http://keycloakdev.xxxxxxx.com"
                              target="_blank">keycloakdev.xxxxxxx.com</a>"
                            is where the external IDP is located.
                            "Internal" is the name of the realm. The
                            parameters "state" and "id_token_hint" are
                            appended to the endpoint logout URL
                            automatically during the logout process.   <br>
                          </p>
                          <p>However, this process failed because I got a
                            "Session Not Active" error in the UI. After
                            some investigation, I found this "Session
                            Not Active" error seems to be related to the
                            value of <font color="#333333" face="Arial, sans-serif"><span
                                style="font-size:14px;line-height:20px">Realm
                                Setting —&gt; Tokens —&gt; Access Token
                                Lifespan I configured. The default value
                                is 5 minutes; if I trigger the logout
                                within 5 minutes, I can log out to the
                                external IDP successfully. If I do the
                                logout after 5 minutes, I will get this
                                </span></font>"Session Not Active"
                            error. Is this the expected behavior? <span
style="font-size:14px;line-height:20px;color:rgb(51,51,51);font-family:Arial,sans-serif"> Do
                              I have to bump up the value of "</span><span
style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px;line-height:20px">Access
                              Token Lifespan" to get a longer session
                              for the logout purpose? </span></p>
                          <p><span
style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px;line-height:20px">Thanks

                              a lot for the help!</span></p>
                          <p><span
style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px;line-height:20px">Xiao</span></p>
                        </span></div>
                    </div>
                    <br>
                    <fieldset></fieldset>
                    <br>
                    <pre>_______________________________________________
keycloak-user mailing list
<a moz-do-not-send="true" href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
                    <span class=""><font color="#888888"> </font></span></blockquote>
                  <span class=""><font color="#888888"> <br>
                      <pre cols="72">-- 
Bill Burke
JBoss, a division of Red Hat
<a moz-do-not-send="true" href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a></pre>
                    </font></span></div>
                <br>
              </blockquote>
            </div>
            <br>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Bill Burke
JBoss, a division of Red Hat
<a class="moz-txt-link-freetext" href="http://bill.burkecentral.com">http://bill.burkecentral.com</a></pre>
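    <p>Added example, not part of the original thread or of Keycloak's code: a Python diagnostic that reads the <code>exp</code> claim from the <code>id_token_hint</code> on a logout URL of the shape quoted above and reports whether the hint had already expired when logout was triggered. The host <code>idp.example.test</code>, the unsigned sample token and all function names are constructed for illustration; the claims are read without verifying the signature, so this is for troubleshooting only.</p>

```python
import base64
import json
from urllib.parse import urlsplit, parse_qs, urlencode


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def inspect_logout_url(url, now):
    """Report whether the id_token_hint on a logout URL is expired at `now` (epoch seconds).

    Claims are read WITHOUT signature verification: diagnosis only, never authorization.
    """
    query = parse_qs(urlsplit(url).query)
    hints = query.get("id_token_hint")
    if not hints:
        raise ValueError("logout URL carries no id_token_hint")
    parts = hints[0].split(".")
    if len(parts) != 3:
        raise ValueError("id_token_hint is not a three-part JWT")
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError as err:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError("id_token_hint payload is not base64url JSON") from err
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        raise ValueError("id_token_hint has no numeric exp claim")
    exp = claims["exp"]
    return {
        "state": query.get("state", [None])[0],
        "iat": claims.get("iat"),
        "exp": exp,
        "expired": now >= exp,
        "seconds_past_expiry": max(0, now - exp),
    }


def build_sample_url(iat, lifespan):
    # Constructed sample: unsigned token, placeholder host, realm name from the thread.
    header = _b64url_encode(json.dumps({"alg": "RS256"}).encode())
    payload = _b64url_encode(json.dumps({"iat": iat, "exp": iat + lifespan}).encode())
    token = ".".join([header, payload, "constructed-signature"])
    base = "https://idp.example.test/auth/realms/Internal/protocol/openid-connect/logout"
    return base + "?" + urlencode({"state": "sample-state", "id_token_hint": token})
```

    <p>Calling <code>inspect_logout_url(build_sample_url(iat, 300), now)</code> with <code>now</code> more than 300 seconds after <code>iat</code> reproduces the 5-minute boundary described in the thread.</p>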
  </body>
</html>