Hi,
Which version of Keycloak are you using ? Which adapters are you using for
the client and bearer-only apps ? We need this info. And yes sharing your
project (through github for instance) could be really helpful.
On Sun, Jan 21, 2018 at 10:17 AM, Dan Nemes <dan.nemes(a)ymail.com> wrote:
Hello,
I am unable to logout an user. The logout works for a "confidential"
applications but it doesn't for a "bearer-only" application (the REST
services are still accessible after logout).
I have the following configuration:
- I have one "database" client application defined in Keycloak having
access type "bearer-only" (created with the intent of exposing REST web
services protected by Keycloak based on user roles)
- I have one "rest_service" client application defined in keycloak
having access type "confidential" (created with the intent of logging in
users and allowing access to the "bearer-only" REST services after a
successful login). The below described workflow is implemented in this
application using REST web services
I am performing the following steps:
- An http GET request is performed on URL
http://localhost:8180/
auth/realms/demo/protocol/openid-connect/auth which redirects the user to
the login page handled by Keycloak
- The user performs the login using his credentials (using the
credentials of a user defined in Keycloak)
- Keycloak redirects the user to the "redirect_uri" which was passed in
step 1. In this step Keycloak also provides as request parameters the
"state" and "code" values.
- After the user has been redirected back to the application I exchange
the "code" received in step 3 for a token doing a POST request on
http://localhost:8180/auth/realms/demo/protocol/openid-connect/token which
is done successfully
- After the access token is available I proceed to access the
"bearer-only" REST web services.
note: the REST web services exposed by the "bearer-only" service are not
accessible unless the user has been logged in and it has the correct "role"
assigned to it.Problem: As stated at the start of the post the user is
still able to access the "bearer-only" REST web services after the logout
has been done. The only thing that seems to work is the logout from the
"confidential" application (the user is not able to access the application
unless he logs in again).If I perform the logout of the user then the REST
web services exposed by the bearer-only application are still accessible.
In the Keycloak server I get the following WARN message: " Some clients
have been not been logged out for user adminuser in demo realm:
rest_service"I tried implementing the logout in three ways:
- A redirect to URL
http://localhost:8180/auth/realms/demo/protocol/
openid-connect/logoutpassing in the redirect_uri and client_id parameters
- A POST request to
http://localhost:8180/auth/
realms/demo/protocol/openid-connect/logoutpassing in the Authorization
Bearer in the header and the client_id, refresh_token, client_secret and
redirect_uri
- A REST service exposed by the "bearer-only" service which does the
following method call: HttpServletRequest request.logout()
Neither of the above methods is working.PS: I did not want to go in to
many details because even so the post is long enough. If I missed something
please tell me and I will provide the additional information (if possible I
can also attach the actual projects)
Thank you,Dan Nemes
| | Virus-free.
www.avg.com |
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user