Re: [keycloak-user] API not protected immediately after logout
Shouldn't this be a task for the JavaScript adapter, i.e., the logout
method should not perform this automatically for us?
It seems to me that tokens clearing should be transparent to the app
user, because if tokens are implicitly created on the login procedure,
they should also be implicitly cleared on the logout.
On 20-03-2018 20:43, Stian Thorgersen wrote:
Unless the service calls the token introspection endpoint it
won't
know that the access token has expired until it actually expires. That
is the cause of the slight delay from logout. The app should really
clear the tokens after logout.
On 20 March 2018 at 20:07, José Miguel Gonçalves
<jose.goncalves(a)inov.pt <mailto:jose.goncalves@inov.pt>> wrote:
Hi,
To test a scenario of a Node.js RESTfull service secured by Keycloak
(3.4.3.Final), I've setup a Node.js server and a HTML5 client using
example code from https://github.com/keycloak/keycloak-quickstarts
<https://github.com/keycloak/keycloak-quickstarts>
('service-nodejs' and 'app-jee-html5').
While everything seems fine at first glance, there is an issue after I
logout on the app.
After logging out, I see that I continue to have access to the
protected
endpoints for some short time (about 1 minute after logout).
Am I missing some configuration or is this a bug on Keycloak?
Regards,
José Gonçalves