<div dir="ltr">We also have a handful of non-JS and legacy applications which exhibit the same behavior. If a user session is logged out in the KC admin web interface, shouldn&#39;t the security proxy stop serving the protected app?<div><br></div><div>I&#39;ve listed example security proxy and client configs below if that helps any.</div><div><br></div><div>Security proxy config:</div><div><br></div><div><pre style="font-family:monospace, monospace">
{
  "header-names": {
    "keycloak-username": "X-UserName"
  },
  "applications": [
    {
      "constraints": [
        {
          "authenticate": true,
          "pattern": "/"
        }
      ],
      "adapter-config": {
        "realm": "dev",
        "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4...",
        "auth-server-url": "https://auth.dev.example.org/auth",
        "resource": "fooapp.example.org",
        "public-client": true
      },
      "base-path": "/"
    }
  ],
  "http-port": "8107",
  "bind-address": "0.0.0.0",
  "send-access-token": true,
  "target-url": "http://naked-fooapp.example.org"
}
</pre></div><div><br></div><div>Corresponding Keycloak client config:</div><div><br></div><div><pre style="font-family:monospace, monospace">
{
  "webOrigins": [
    "http://fooapp.example.org",
    "https://fooapp.example.org"
  ],
  "useTemplateScope": false,
  "useTemplateMappers": false,
  "useTemplateConfig": false,
  "surrogateAuthRequired": false,
  "standardFlowEnabled": true,
  "serviceAccountsEnabled": false,
  "rootUrl": "",
  "redirectUris": [
    "https://fooapp.example.org/*",
    "http://fooapp.example.org/*"
  ],
  "publicClient": true,
  "enabled": true,
  "directAccessGrantsEnabled": true,
  "consentRequired": false,
  "clientId": "fooapp.example.org",
  "clientAuthenticatorType": "client-secret",
  "bearerOnly": false,
  "baseUrl": "http://fooapp.example.org/",
  "attributes": {
    "saml_force_name_id_format": "false",
    "saml.server.signature": "false",
    "saml.multivalued.roles": "false",
    "saml.force.post.binding": "false",
    "saml.encrypt": "false",
    "saml.client.signature": "false",
    "saml.authnstatement": "false",
    "saml.assertion.signature": "false"
  },
  "frontchannelLogout": false,
  "fullScopeAllowed": true,
  "implicitFlowEnabled": false,
  "nodeReRegistrationTimeout": -1,
  "notBefore": 0,
  "protocol": "openid-connect",
  "protocolMappers": [
    {
      "protocolMapper": "saml-role-list-mapper",
      "protocol": "saml",
      "name": "role list",
      "consentRequired": false,
      "config": {
        "single": "false",
        "attribute.nameformat": "Basic",
        "attribute.name": "Role"
      }
    },
    {
      "protocolMapper": "oidc-usermodel-property-mapper",
      "protocol": "openid-connect",
      "name": "given name",
      "consentText": "${givenName}",
      "consentRequired": true,
      "config": {
        "user.attribute": "firstName",
        "jsonType.label": "String",
        "id.token.claim": "true",
        "claim.name": "given_name",
        "access.token.claim": "true"
      }
    },
    {
      "protocolMapper": "oidc-usermodel-property-mapper",
      "protocol": "openid-connect",
      "name": "username",
      "consentText": "${username}",
      "consentRequired": true,
      "config": {
        "user.attribute": "username",
        "jsonType.label": "String",
        "id.token.claim": "true",
        "claim.name": "preferred_username",
        "access.token.claim": "true"
      }
    },
    {
      "protocolMapper": "oidc-usermodel-property-mapper",
      "protocol": "openid-connect",
      "name": "family name",
      "consentText": "${familyName}",
      "consentRequired": true,
      "config": {
        "user.attribute": "lastName",
        "jsonType.label": "String",
        "id.token.claim": "true",
        "claim.name": "family_name",
        "access.token.claim": "true"
      }
    },
    {
      "protocolMapper": "oidc-usermodel-property-mapper",
      "protocol": "openid-connect",
      "name": "email",
      "consentText": "${email}",
      "consentRequired": true,
      "config": {
        "user.attribute": "email",
        "jsonType.label": "String",
        "id.token.claim": "true",
        "claim.name": "email",
        "access.token.claim": "true"
      }
    },
    {
      "protocolMapper": "oidc-full-name-mapper",
      "protocol": "openid-connect",
      "name": "full name",
      "consentText": "${fullName}",
      "consentRequired": true,
      "config": {
        "id.token.claim": "true",
        "access.token.claim": "true"
      }
    }
  ]
}
</pre></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Sep 26, 2016 at 9:53 AM, Marek Posolda <span dir="ltr">&lt;<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <div>It&#39;s strongly recommended to use our
      keycloak.js adapter. It doesn&#39;t use cookies to maintain state. See
      our examples for it in the example distribution. <br>
      <br>
      If you handle things manually, you need to care about various
      things (like refreshes etc) and for logout, you of course need to
      care of manually removing all the OAuth related state from your
      application and possibly remove cookies (if your application is
      using them).<span class="HOEnZb"><font color="#888888"><br>
      <br>
      Marek</font></span><div><div class="h5"><br>
      <br>
      <br>
      On 22/09/16 02:01, Sean Schade wrote:<br>
    </div></div></div><div><div class="h5">
    <blockquote type="cite">
      <div dir="ltr">Do I need to use the Keycloak JS adapter in our
        Angular app in order to get logout to work correctly? I thought
        we would be fine with just the openid-connect logout url. It
        looks like the adapter clears the token in the browser.
        <div><br>
        </div>
        <div><a href="https://github.com/keycloak/keycloak/tree/master/adapters/oidc/js/src/main/resources" target="_blank">https://github.com/keycloak/keycloak/tree/master/adapters/oidc/js/src/main/resources</a><br>
        </div>
        <div><br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Wed, Sep 21, 2016 at 2:08 PM, Sean
          Schade <span dir="ltr">&lt;<a href="mailto:sean.schade@drillinginfo.com" target="_blank">sean.schade@drillinginfo.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div dir="ltr">Thanks Scott for replying. We don&#39;t use an
              adapter. We have an Angular app that makes HTTP calls to
              backend services. All of our services are behind a
              Keycloak Security Proxy. 
              <div><br>
              </div>
              <div>We are migrating away from Oracle OAM to Keycloak,
                and with Oracle navigating to the logout link was
                sufficient. I assumed the same would be for Keycloak. </div>
              <div><br>
              </div>
              <div>I initially thought this might be the bug: <a href="https://issues.jboss.org/browse/KEYCLOAK-3311" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-3311</a></div>
              <div><br>
              </div>
              <div>However, after looking at the logs in Keycloak when I
                click the Logout button in our app I see the following
                errors.</div>
              <div><br>
              </div>
              <div>
                <pre>18:55:10,630 WARN  [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-11) RESTEASY002130: Failed to parse request.: javax.ws.rs.core.UriBuilderException: RESTEASY003330: Failed to create URI: null
Caused by: javax.ws.rs.core.UriBuilderException: RESTEASY003280: empty host name
        at org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildString(ResteasyUriBuilder.java:540)
        at org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildFromValues(ResteasyUriBuilder.java:743)</pre>
                <p><span><br>
                  </span></p>
                <p><span>Perhaps it is a combination of the Keycloak
                    Security Proxy and some misconfiguration? I&#39;m not
                    really sure at this moment.</span></p>
                <p>Is my assumption correct that we do not need an
                  adapter for oidc logout?</p>
              </div>
            </div>
            <div>
              <div>
                <div class="gmail_extra"><br>
                  <div class="gmail_quote">On Wed, Sep 21, 2016 at 1:29
                    PM, Scott Rossillo <span dir="ltr">&lt;<a href="mailto:srossillo@smartling.com" target="_blank">srossillo@smartling.com</a>&gt;</span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div style="word-wrap:break-word">Which adapter
                        are you using?
                        <div><br>
                          <div>
                            <div style="color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word">
                              <div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">Scott
                                Rossillo</div>
                              <div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">Smartling
                                | Senior Software Engineer</div>
                              <div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><a href="mailto:srossillo@smartling.com" target="_blank">srossillo@smartling.com</a></div>
                              <div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"></div>
                            </div>
                          </div>
                          <br>
                          <div>
                            <blockquote type="cite"><span>
                                <div>On Sep 21, 2016, at 2:03 PM, Sean
                                  Schade &lt;<a href="mailto:sean.schade@drillinginfo.com" target="_blank">sean.schade@drillinginfo.com</a>&gt;
                                  wrote:</div>
                                <br>
                              </span>
                              <div><span>
                                  <div dir="ltr">We are having an issue
                                    where our browser application will
                                    initiate a logout, but after
                                    redirecting back to the application
                                    the user is not taken to the login
                                    screen. It appears the user is still
                                    logged in, and can fully access the
                                    application. I can see the session
                                    removed in Keycloak Admin UI.
                                    However, it appears the cookie never
                                    gets invalidated. Here is the
                                    redirect URL we use. Are we missing
                                    some configuration step in the
                                    client? I have standard flow,
                                    implicit flow, and direct access
                                    grants enabled. Valid redirect URIs,
                                    Base URL, and web origins are all
                                    configured in the client. Admin URL
                                    is not set as we are relying only on
                                    browser logout.<br>
                                    <div><br>
                                    </div>
                                    <div>
                                      <pre style="font-family:consolas,&quot;liberation mono&quot;,courier,monospace;font-size:12px;margin-top:0px;margin-bottom:0px;color:rgb(51,51,51);line-height:18px"><div style="padding-left:10px;min-height:18px"><span style="color:rgb(221,17,68)"><a href="https://auth.dev.drillinginfo.com/auth/realms/dev/protocol/openid-connect/logout?redirect_uri=https%3A%2F%2Fapp.dev.drillinginfo.com/gallery/" target="_blank">https://auth.dev.drillinginfo.com/auth/realms/dev/protocol/openid-connect/logout?redirect_uri=https%3A%2F%2Fapp.dev.drillinginfo.com/gallery/</a></span></div></pre></div></div></span>
______________________________<wbr>_________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailma<wbr>n/listinfo/keycloak-user</a></div></blockquote></div>
</div></div></blockquote></div>
</div>
</div></div></blockquote></div>
</div>



</blockquote><p>
</p></div></div></div></blockquote></div><br></div>
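<p>The manual logout Marek describes, as an added example that is not part of this thread and not Keycloak's own keycloak.js adapter: the application wipes its cached tokens and its own cookies first and only then navigates to the realm's openid-connect logout endpoint, in the same URL shape quoted above. The auth-server URL and realm are taken from the proxy config in the thread; the storage keys, cookie names, the in-memory storage and the injected <code>navigate</code> callback are assumptions.</p>

```javascript
// Added example (not from the thread, not Keycloak's keycloak.js): a browser-side
// logout that clears the app's own OAuth state *before* redirecting to Keycloak.
// A cached token or app cookie left behind is what keeps a user "logged in" after
// the Keycloak session itself has been removed.

// Values from the security proxy config posted in the thread.
const AUTH_SERVER_URL = "https://auth.dev.example.org/auth";
const REALM = "dev";
// Assumed storage keys and cookie names of the hypothetical Angular app.
const TOKEN_KEYS = ["kc_access_token", "kc_refresh_token", "kc_id_token"];
const APP_COOKIES = ["APPSESSION"];

// Logout URL in the same shape as the one quoted in the thread:
//   <auth-server>/realms/<realm>/protocol/openid-connect/logout?redirect_uri=<encoded>
function buildLogoutUrl(authServerUrl, realm, redirectUri) {
  const base = authServerUrl.replace(/\/+$/, "");
  return `${base}/realms/${encodeURIComponent(realm)}` +
    `/protocol/openid-connect/logout?redirect_uri=${encodeURIComponent(redirectUri)}`;
}

// base64url helpers that work in a browser (atob/btoa) and in Node (Buffer).
function b64urlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return typeof atob === "function" ? atob(padded) : Buffer.from(padded, "base64").toString("utf8");
}
function b64urlEncode(s) {
  const b64 = typeof btoa === "function" ? btoa(s) : Buffer.from(s, "utf8").toString("base64");
  return b64.replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
}

// Decode a JWT payload WITHOUT verifying it: the browser only needs `exp` to know
// whether a cached token is stale; signature checks belong to the server and proxy.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(b64urlDecode(parts[1]));
}

// True when the token's exp (seconds since the epoch) is at or before nowSeconds.
function isExpired(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { exp } = decodeJwtPayload(token);
  return typeof exp !== "number" || exp <= nowSeconds;
}

// Cookie strings that delete the app's cookies. Deletion only takes effect when
// path (and domain) match the attributes the cookies were originally set with.
function expireCookieStrings(names, { path = "/", domain } = {}) {
  return names.map((name) =>
    `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; max-age=0; path=${path}` +
    (domain ? `; domain=${domain}` : ""));
}

// Wipe local state, then hand the logout URL to `navigate`
// (window.location.assign in a browser; injected here so the flow is testable).
function logout({ storage, redirectUri, navigate, cookieNames = APP_COOKIES }) {
  for (const key of TOKEN_KEYS) storage.removeItem(key);
  if (typeof document !== "undefined") {
    for (const cookie of expireCookieStrings(cookieNames)) document.cookie = cookie;
  }
  const url = buildLogoutUrl(AUTH_SERVER_URL, REALM, redirectUri);
  navigate(url);
  return url;
}

// Minimal stand-in for window.localStorage so the flow runs outside a browser.
function memoryStorage(initial = {}) {
  const data = { ...initial };
  return {
    getItem: (k) => (k in data ? data[k] : null),
    removeItem: (k) => { delete data[k]; },
    keys: () => Object.keys(data),
  };
}

// Demo on a constructed, unsigned (alg=none, empty signature) token.
function demo() {
  const token = `${b64urlEncode('{"alg":"none"}')}.` +
    `${b64urlEncode(JSON.stringify({ exp: 1000, preferred_username: "alice" }))}.`;
  const storage = memoryStorage({ kc_access_token: token, theme: "dark" });
  let visited = null;
  const url = logout({ storage, redirectUri: "https://fooapp.example.org/",
                       navigate: (u) => { visited = u; } });
  return { url, visited, remaining: storage.keys(), wasExpired: isExpired(token, 2000) };
}
```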