Sounds like you have two separate applications? If so they'll have separate cookies, sessions, etc. and would have to be logged out separately. Not quite sure where you're getting '/logout' from either.

To log out you should use HttpServletRequest.logout which will redirect to Keycloak to properly do the logout. This will log out the application that the user initiated the logout from, as well as send a backchannel request to other applications to log them out.

On 23 June 2016 at 04:06, Sarp Kaya <akaya@expedia.com> wrote:
According to this code:
https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/CookieTokenStore.java#L100

The cookie is only reset at the place where the logout path is. For instance:

Applications serve at /foo/app and /bar/app
And logout path is just /logout

In that case that won’t work because cookiePath for removeCookie would be /logout.

The problem is the user is still logged in within the period of Access Token Lifespan.

It doesn’t make sense to have a different logout URL for each application, such as /bar/logout and /foo/logout.

Is there a way to just keep single logout which logs out the user for each application?

Thanks,
Sarp Kaya

_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
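
The cookie-path problem discussed in this thread, as an added example (not code from the thread or from the Keycloak code base): a small model of a browser cookie jar showing why an expiry cookie scoped to /logout leaves the cookies scoped to /foo/app and /bar/app in place. The cookie name `APP_TOKEN`, the token values and the single-host simplification are constructed assumptions.

```javascript
// Minimal model of a browser cookie jar (RFC 6265, section 5.3): a stored
// cookie is identified by name + domain + path, so a Set-Cookie replaces or
// expires only the entry whose path is identical. Domain is left out here
// because the scenario uses a single host (assumption).
class CookieJar {
  constructor() {
    this.cookies = new Map();
  }

  // Apply one Set-Cookie header. maxAge <= 0 means "expire this cookie".
  set(name, value, path, maxAge) {
    const key = `${name};${path}`;
    if (maxAge <= 0) this.cookies.delete(key); // removes this exact entry only
    else this.cookies.set(key, { name, value, path });
  }

  // RFC 6265 section 5.1.4 path-match: names of cookies sent with a request.
  sentFor(requestPath) {
    return [...this.cookies.values()]
      .filter((c) => requestPath === c.path ||
        (requestPath.startsWith(c.path) &&
          (c.path.endsWith('/') || requestPath[c.path.length] === '/')))
      .map((c) => c.name);
  }
}

// Constructed scenario from the thread: applications at /foo/app and /bar/app.
// expiryPaths lists the Path attribute of each expiry cookie the logout sends.
function simulateLogout(expiryPaths) {
  const jar = new CookieJar();
  jar.set('APP_TOKEN', 'foo-token', '/foo/app', 3600); // hypothetical cookie name
  jar.set('APP_TOKEN', 'bar-token', '/bar/app', 3600);
  for (const p of expiryPaths) jar.set('APP_TOKEN', '', p, 0);
  return {
    fooStillHasToken: jar.sentFor('/foo/app/home').length > 0,
    barStillHasToken: jar.sentFor('/bar/app/home').length > 0,
  };
}

console.log(simulateLogout(['/logout']));             // neither cookie is cleared
console.log(simulateLogout(['/foo/app']));            // only /foo/app is cleared
console.log(simulateLogout(['/foo/app', '/bar/app'])); // both are cleared
```

The middle case corresponds to the point in the reply that separate applications keep separate cookies and have to be logged out separately.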