Hi folks,

I believe the "RESTEASY003330: Failed to create URI" error was due to the non-URL encoded slashes in the redirect_uri. This has since been corrected.

The behavior Sean and I are seeing is that accessing the app via a Keycloak Proxy continues to work even after the browser makes a request to the OIDC logout endpoint. The keycloak.<clientId>.session cookie remains in the browser. In the Keycloak admin web UI, the session listed under the user is removed upon request to the logout endpoint. Both Keycloak and the Keycloak Proxy are 2.0.0.Final.

Any pointers would be appreciated.

Thanks,
-John Bartko



On Wed, Sep 21, 2016 at 7:01 PM, Sean Schade <sean.schade@drillinginfo.com> wrote:
Do I need to use the Keycloak JS adapter in our Angular app in order to get logout to work correctly? I thought we would be fine with just the openid-connect logout url. It looks like the adapter clears the token in the browser.

https://github.com/keycloak/keycloak/tree/master/adapters/oidc/js/src/main/resources


On Wed, Sep 21, 2016 at 2:08 PM, Sean Schade <sean.schade@drillinginfo.com> wrote:
Thanks Scott for replying. We don't use an adapter. We have an Angular app that makes HTTP calls to backend services. All of our services are behind a Keycloak Security Proxy. 

We are migrating away from Oracle OAM to Keycloak, and with Oracle navigating to the logout link was sufficient. I assumed the same would be for Keycloak. 

I initially thought this might be the bug: https://issues.jboss.org/browse/KEYCLOAK-3311

However, after looking at the logs in Keycloak when I click the Logout button in our app I see the following errors.

18:55:10,630 WARN  [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-11) RESTEASY002130: Failed to parse request.: javax.ws.rs.core.UriBuilderException: RESTEASY003330: Failed to create URI: null

  1. Caused by: javax.ws.rs.core.UriBuilderException: RESTEASY003280: empty host name
  2.         at org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildString(ResteasyUriBuilder.java:540)
  3.         at org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildFromValues(ResteasyUriBuilder.java:743)


Perhaps it is a combination of the Keycloak Security Proxy and some misconfiguration? I'm not really sure at this moment.

Is my assumption correct that we do not need an adapter for oidc logout?


On Wed, Sep 21, 2016 at 1:29 PM, Scott Rossillo <srossillo@smartling.com> wrote:
Which adapter are you using?

Scott Rossillo
Smartling | Senior Software Engineer

On Sep 21, 2016, at 2:03 PM, Sean Schade <sean.schade@drillinginfo.com> wrote:

We are having an issue where our browser application will initiate a logout, but after redirecting back to the application the user is not taken to the login screen. It appears the user is still logged in, and can fully access the application. I can see the session removed in Keycloak Admin UI. However, it appears the cookie never gets invalidated. Here is the redirect URL we use. Are we missing some configuration step in the client? I have standard flow, implicit flow, and direct access grants enabled. Valid redirect URIs, Base URL, and web origins are all configured in the client. Admin URL is not set as we are relying only on browser logout.

 _______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user




_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user