Hi Hynek,
My setup is exactly from that tutorial, and I found the problem with logging out. I'm not sure how to report the issue (not sure if it's really a KC issue at all); raise a Jira ticket?
Setup:
- JEE app running JSF, calling EJBs.
- JEE app using the WildFly Keycloak SAML adapters to talk to Keycloak (KC).
- Keycloak set up to use ADFS as its IdP.

Problem:
JEE app needs to log out twice to log out. (That is, after the first logout, you can still hit the protected resource on the JEE app without logging in again.)

Cause:
1) First logout:
- JSF's redirect (externalContext.redirect(externalContext.getRequestContextPath() + "/?GLO=true");) removes the jsessionId cookie, which causes an initial auth from JEE to KC when logout is hit.
- The rest of the logout proceeds properly: the Realm Session ID is removed from KC, and ADFS logs the user out.
2) Second logout:
- JSF's redirect again removes the jsessionId cookie and tries to do an initial auth from JEE to KC, but KC doesn't have any sessions to auth the user with, and the user is kicked out, 'successfully' logging out.

Solution:
Preserve the jsessionid on redirect, so the initial auth to KC doesn't occur on logout.
import java.io.IOException;
import javax.faces.context.ExternalContext;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// _context (FacesContext), _httpRequest (HttpServletRequest) and _logger are fields of the enclosing bean.
public void logout() throws IOException, ServletException
{
    ExternalContext externalContext = _context.getExternalContext();
    try
    {
        externalContext.invalidateSession();
        _httpRequest.logout();
    }
    catch (Exception ex)
    {
        _logger.error(ex);
    }
    finally
    {
        // need to set the cookie for the jsessionid, or will re-auth with KC, and will
        // require two logouts to logout completely
        preserveJsessionidCookie(externalContext);
        externalContext.redirect(externalContext.getRequestContextPath() + "/?GLO=true");
    }
}

private void preserveJsessionidCookie(ExternalContext externalContext)
{
    Cookie[] cookies = ((HttpServletRequest) externalContext.getRequest()).getCookies();
    if (cookies == null)
    {
        return; // getCookies() returns null when the request carries no cookies
    }
    for (Cookie cookie : cookies)
    {
        if (cookie.getName().equalsIgnoreCase("jsessionid"))
        {
            ((HttpServletResponse) externalContext.getResponse()).addCookie(cookie);
            break;
        }
    }
}
Cheers,
Jason

On Monday, July 10, 2017, 6:09:36 AM PDT, Hynek Mlnarik <hmlnarik(a)redhat.com> wrote:
How are ADFS and Keycloak configured? If according to [1], the
sessions should be cleared. Beware that ADFS also leaves ssoCookie in
the browser so that it might just relogin the user behind the scenes,
see discussion on [2] for further details.
--Hynek
[1] http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html
[2] https://issues.jboss.org/browse/KEYCLOAK-4398
On Tue, Jul 4, 2017 at 11:51 PM, Jason Spittel <jasonspittel(a)yahoo.com> wrote:
Apparently my formatting was lost. So I'm reposting this in a
more readable format:
Hello,
I'm having difficulty completing a logout.
SETUP:
JEE webapp to keycloak to IdP (ADFS (SAML))

WORKFLOW:
1) On logout in the webapp:
   externalContext.redirect(externalContext.getRequestContextPath() + "?GLO=true");
2) User is sent to ADFS letting them know they have successfully logged out.
3) However, there is still a keycloak user session alive (seen in the admin console).
4) Hitting a protected resource in the webapp lets the user in without having to log back in.
Debugging the keycloak server, I found this bit of code in AuthenticationManager.browserLogout() line 262:

    String brokerId = userSession.getNote(Details.IDENTITY_PROVIDER);
    if (brokerId != null) {
        IdentityProvider identityProvider = IdentityBrokerService.getIdentityProvider(session, realm, brokerId);
        Response response = identityProvider.keycloakInitiatedBrowserLogout(session, userSession, uriInfo, realm);
        if (response != null) return response;
    }
    return finishBrowserLogout(session, realm, userSession, uriInfo, connection, headers);
I think, unless I'm misunderstanding it, that I need to hit the finishBrowserLogout method to clear the keycloak user session.
But the way this is written makes it so it never will. Is keycloak expecting ADFS to clear its user session? Am I logging out incorrectly?
Thanks,
Jason
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
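The cookie-preserving logout from Jason's later reply at the top of this thread, restated as an added example that is neither Jason's code nor part of Keycloak or its WildFly SAML adapter. It assumes a Servlet 3.0+ container (for SessionCookieConfig) and takes the session cookie's name, path and flags from the container configuration rather than from the incoming Cookie object, since the browser only sends name=value back.

```java
import java.io.IOException;
import javax.faces.context.ExternalContext;
import javax.servlet.ServletException;
import javax.servlet.SessionCookieConfig;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical helper class; not part of Keycloak or its WildFly SAML adapter.
public class SamlLogoutHelper {
    public static void logout(ExternalContext ec) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) ec.getRequest();
        HttpServletResponse response = (HttpServletResponse) ec.getResponse();
        try {
            ec.invalidateSession();
            request.logout();
        } finally {
            // Re-send the session cookie before redirecting; without it the adapter
            // starts a fresh authentication against KC instead of handling the GLO.
            preserveSessionCookie(request, response);
            ec.redirect(ec.getRequestContextPath() + "/?GLO=true");
        }
    }

    // The browser only sends name=value back, so path, Secure and HttpOnly on the
    // incoming Cookie object are unset. Take them from the container's
    // SessionCookieConfig (Servlet 3.0+) so the re-sent cookie replaces the original
    // instead of leaving the browser with two session cookies on different paths.
    static void preserveSessionCookie(HttpServletRequest request, HttpServletResponse response) {
        SessionCookieConfig cfg = request.getServletContext().getSessionCookieConfig();
        String name = cfg.getName() != null ? cfg.getName() : "JSESSIONID";
        String path = cfg.getPath() != null ? cfg.getPath()
                : (request.getContextPath().isEmpty() ? "/" : request.getContextPath());
        Cookie[] cookies = request.getCookies();   // null when the request has no cookies
        if (cookies == null) {
            return;
        }
        for (Cookie incoming : cookies) {
            if (incoming.getName().equalsIgnoreCase(name)) {
                Cookie copy = new Cookie(incoming.getName(), incoming.getValue());
                copy.setPath(path);
                copy.setHttpOnly(cfg.isHttpOnly());
                copy.setSecure(cfg.isSecure() || request.isSecure());
                response.addCookie(copy);
                return;
            }
        }
    }
}
```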