Try the following in the controller:
--------
import javax.servlet.http.HttpServletRequest;
import org.springframework.web.bind.annotation.GetMapping;

@GetMapping("/logout")
public String logout(HttpServletRequest request) throws Exception {
    // Servlet 3.0 logout of the current request's user, then redirect to the root page
    request.logout();
    return "redirect:/";
}
--------
On Wed, May 16, 2018 at 2:52 PM, saloni udani <saloniudani.23(a)gmail.com> wrote:
Hi,
I have a Spring Boot 2 application which I am trying to secure with Keycloak. I have used the 'keycloak-spring-security-adapter' and 'keycloak-spring-boot-2-starter' adapters.
Following is my security configuration:
--------
import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticatedActionsFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakSecurityContextRequestFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@ConditionalOnProperty(value = "keycloak.enabled")
@Configuration
@EnableWebSecurity
public class KeycloakSecurityConfiguration extends KeycloakWebSecurityConfigurerAdapter {

    // Registers the Keycloak authentication provider. SimpleAuthorityMapper
    // prefixes the realm roles with ROLE_ so that hasRole("superuser") matches.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
        keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
        auth.authenticationProvider(keycloakAuthenticationProvider);
    }

    // Reads the adapter settings from application.properties instead of keycloak.json
    @Bean
    public KeycloakSpringBootConfigResolver keycloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }

    // Specifies the session authentication strategy
    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // The adapter's base configuration registers the Keycloak filters and
        // wires its logout handler to the logout URL /sso/logout
        super.configure(http);
        http
            .addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class)
            .addFilterBefore(keycloakAuthenticationProcessingFilter(), X509AuthenticationFilter.class)
            .exceptionHandling().authenticationEntryPoint(authenticationEntryPoint())
            .and()
            .authorizeRequests()
                .antMatchers("/**").hasRole("superuser")
                .anyRequest().permitAll();
    }

    // The registrations below disable Spring Boot's automatic servlet registration
    // of the Keycloak filter beans, so they run only inside the Spring Security chain
    @Bean
    public FilterRegistrationBean<KeycloakAuthenticationProcessingFilter> keycloakAuthenticationProcessingFilterRegistrationBean(
            KeycloakAuthenticationProcessingFilter filter) {
        FilterRegistrationBean<KeycloakAuthenticationProcessingFilter> registrationBean = new FilterRegistrationBean<>(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Bean
    public FilterRegistrationBean<KeycloakPreAuthActionsFilter> keycloakPreAuthActionsFilterRegistrationBean(
            KeycloakPreAuthActionsFilter filter) {
        FilterRegistrationBean<KeycloakPreAuthActionsFilter> registrationBean = new FilterRegistrationBean<>(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Bean
    public FilterRegistrationBean<KeycloakAuthenticatedActionsFilter> keycloakAuthenticatedActionsFilterBean(
            KeycloakAuthenticatedActionsFilter filter) {
        FilterRegistrationBean<KeycloakAuthenticatedActionsFilter> registrationBean = new FilterRegistrationBean<>(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Bean
    public FilterRegistrationBean<KeycloakSecurityContextRequestFilter> keycloakSecurityContextRequestFilterBean(
            KeycloakSecurityContextRequestFilter filter) {
        FilterRegistrationBean<KeycloakSecurityContextRequestFilter> registrationBean = new FilterRegistrationBean<>(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }
}
--------
Following are the Keycloak properties from application.properties:
--------
keycloak.enabled=true
keycloak.auth-server-url=http://localhost:8180/auth
keycloak.realm=MyRealm
keycloak.resource=my-app
keycloak.public-client=true
keycloak.security-constraints[0].authRoles[0]=superuser
keycloak.security-constraints[0].securityCollections[0].patterns[0]=/*
--------
I am successfully able to log in via Keycloak and serve my app, but I am stuck on logout. I believe that, as we already use the Keycloak Spring Security adapter, no custom logout handler should be required.
Here is an excerpt from an HTML page which handles logout:
----------
<form action="/logout" method="post">
    <input type="hidden"
           name="${_csrf.parameterName}"
           value="${_csrf.token}"/>
    <input type="submit" value="Logout">
</form>
----------
This does not work: on hitting the 'Logout' button, it posts the request to 'http://localhost:8080/logout' (my app runs on 8080) and returns 403.
Kindly guide me through the logout process.
Thanks
Saloni Udani
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
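As an added example that is not part of this thread: the adapter's base configuration (the super.configure(http) call in the posted class) already wires KeycloakLogoutHandler, but to the logout URL /sso/logout, not /logout. One way to make the posted form work without a custom handler is to re-point the logout URL in the same configure(HttpSecurity) override; the class name KeycloakLogoutConfiguration is an assumption, the adapter and Spring Security API calls are not.

```java
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

// Example configuration (not the poster's or the Keycloak project's code).
@Configuration
@EnableWebSecurity
public class KeycloakLogoutConfiguration extends KeycloakWebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // The base configuration registers the Keycloak filters, keeps CSRF
        // protection on for state-changing requests, and adds
        // KeycloakLogoutHandler to the logout filter on /sso/logout.
        super.configure(http);
        http
            .authorizeRequests()
                .antMatchers("/**").hasRole("superuser")
                .anyRequest().permitAll()
            .and()
            .logout()
                // Re-point the logout filter at the URL the form posts to.
                // With CSRF enabled only a POST matches, and a POST without a
                // valid CSRF token is rejected with 403 by the CSRF filter before
                // the logout filter ever sees it.
                .logoutUrl("/logout")
                // KeycloakLogoutHandler (already registered above) ends the
                // Keycloak session; these settings also clear the local one.
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")
                .logoutSuccessUrl("/")
                .permitAll();
    }
}
```

Calling .logout() again returns the configurer that super.configure(http) already created, so logoutUrl("/logout") replaces /sso/logout rather than adding a second logout filter.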