Hello,
Thank you for your quick response.
I am using keycloak-3.4.0 and wildfly-10.1.0.Final. I have just added on github the projects I have created for working with keycloak. You can find them here: https://github.com/NemesDan/keycloak
Please note that these projects have been started as a POC of how keycloak can be used, so there are other functions that are out of the scope of the problem I'm having. I am still in the learning phase of how keycloak can be used at its full potential.
There are multiple maven projects on this branch.
1. Project GSDKeycloakProject with 3 modules: customer-app, product-app and database-service. The last mentioned module is the bearer-only application in which the REST services are implemented. database-service contains two classes, ProductService and CustomerService, which implement REST services that are accessible only to logged-in users that have the correct role assigned.
2. KeycloakAccess - should be ignored, out of the scope of the problem.
3. RestClientApplication - a maven web project in which the entire workflow is implemented. This simulates a client application that will log in a user using keycloak, retrieve a token and use that token to access the "database-service" bearer-only application.
In class RestService you can find the following implemented REST web services:
3.1 GET request on http://localhost:8080/TestRestProject/rest/service/login -> redirects the user to the keycloak login page to perform the login. After login, keycloak redirects the user to http://localhost:8080/TestRestProject/rest/service/user_logged_in. At this point the code is exchanged for a token.
3.2 GET request on http://localhost:8080/TestRestProject/rest/service/call_database/{param}
- {param} could be either products or customers
- this web service call will use the token from step 3.1 to access the database-service bearer-only REST services
3.3 GET request on {URL}/logout or {URL}/logout_2
- these requests were created in order to test the logout functionality, but it seems that the database-service REST services are still accessible after the logout has been performed, which to my knowledge means that the token has not been invalidated
The key point of these projects is to avoid using any keycloak classes to implement the client application, because we do not want to force the clients to use a specific library.
If I missed something please let me know. I appreciate your help.
Thank you,
Dan Nemes
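The behaviour described in both messages of this thread (the bearer-only service still answering after logout) follows from how a stateless resource server checks an access token: it verifies the signature, issuer, expiry and roles, and none of those change when the user's session is ended on the Keycloak server. The Python example below is added here and is not code from the thread, from the NemesDan/keycloak projects or from Keycloak itself. It contrasts that local check with the form body of an RFC 7662 token-introspection request, which Keycloak serves at .../protocol/openid-connect/token/introspect and which answers "active": false once the session behind the token is gone. The realm issuer and the client ids database and rest_service come from the thread; the token claims, the session id, the client-secret placeholder and the in-memory session store standing in for the Keycloak server are constructed assumptions so that the block runs offline.

```python
import base64
import json
import time
from typing import Dict, Optional, Tuple

# Realm issuer as used in the thread; everything below that is not named in
# the thread (claims, session ids, secret) is constructed for this example.
ISSUER = "http://localhost:8180/auth/realms/demo"
INTROSPECT_URL = ISSUER + "/protocol/openid-connect/token/introspect"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: Dict) -> str:
    """Build a JWT-shaped token with an empty signature (constructed test data only)."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}."


def decode_claims(token: str) -> Dict:
    """Read the payload of a compact JWT. No signature check here: a real bearer-only
    service must verify the RS256 signature against the realm's public key first."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def locally_valid(token: str, now: int, required_role: str) -> bool:
    """What a stateless resource-server check can see: issuer, expiry and roles.
    It has no way to notice that the user's session was ended by a logout."""
    claims = decode_claims(token)
    if claims.get("iss") != ISSUER:
        return False
    if int(claims.get("exp", 0)) <= now:
        return False
    roles = claims.get("realm_access", {}).get("roles", [])
    return required_role in roles


def introspection_request(token: str, client_id: str, client_secret: str) -> Tuple[str, Dict[str, str]]:
    """URL and form body of an RFC 7662 introspection call as Keycloak accepts it
    (client credentials in the body). POST it with any HTTP client and read "active"."""
    return INTROSPECT_URL, {
        "token": token,
        "token_type_hint": "access_token",
        "client_id": client_id,
        "client_secret": client_secret,
    }


class FakeRealmSessions:
    """Constructed stand-in for the realm's user-session store so the example runs offline.
    Introspection reports a token active only while the session it was issued in exists."""

    def __init__(self) -> None:
        self._active = set()

    def login(self, session_id: str) -> None:
        self._active.add(session_id)

    def logout(self, session_id: str) -> None:
        self._active.discard(session_id)

    def introspect(self, form: Dict[str, str], now: int) -> Dict:
        claims = decode_claims(form["token"])
        active = (
            claims.get("iss") == ISSUER
            and int(claims.get("exp", 0)) > now
            and claims.get("session_state") in self._active
        )
        return {"active": True, "sub": claims.get("sub")} if active else {"active": False}


def logout_visibility(now: Optional[int] = None) -> Tuple[Tuple[bool, bool], Tuple[bool, bool]]:
    """Return (local check, introspection) results before and after the user logs out."""
    now = int(time.time()) if now is None else now
    realm = FakeRealmSessions()
    realm.login("sess-0001")  # constructed session id
    token = make_unsigned_token({
        "iss": ISSUER, "sub": "adminuser", "aud": "database", "azp": "rest_service",
        "exp": now + 300, "iat": now, "session_state": "sess-0001",
        "realm_access": {"roles": ["user"]},
    })
    _, form = introspection_request(token, "rest_service", "CLIENT_SECRET_PLACEHOLDER")
    before = (locally_valid(token, now, "user"), realm.introspect(form, now)["active"])
    realm.logout("sess-0001")
    after = (locally_valid(token, now, "user"), realm.introspect(form, now)["active"])
    return before, after


if __name__ == "__main__":
    print(logout_visibility())  # ((True, True), (True, False))
```

The second tuple is the situation from the thread: the local check still accepts the token after logout, while introspection does not. Introspection costs one round trip to Keycloak per request, so the usual alternative for a purely local check is a short access-token lifetime, which bounds how long a token outlives its session; in either case the signature verification that this offline example skips is mandatory in a real service.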
On Sunday, January 21, 2018 12:11 PM, Sebastien Blanc <sblanc(a)redhat.com>
wrote:
Hi,
Which version of Keycloak are you using? Which adapters are you using for the client and bearer-only apps? We need this info. And yes, sharing your project (through github for instance) could be really helpful.
On Sun, Jan 21, 2018 at 10:17 AM, Dan Nemes <dan.nemes(a)ymail.com> wrote:
Hello,
I am unable to log out a user. The logout works for a "confidential" application but it doesn't for a "bearer-only" application (the REST services are still accessible after logout).
I have the following configuration:
- I have one "database" client application defined in Keycloak having access
type "bearer-only" (created with the intent of exposing REST web services
protected by Keycloak based on user roles)
- I have one "rest_service" client application defined in keycloak having
access type "confidential" (created with the intent of logging in users and
allowing access to the "bearer-only" REST services after a successful login).
The below described workflow is implemented in this application using REST web services
I am performing the following steps:
1. An http GET request is performed on URL http://localhost:8180/auth/realms/demo/protocol/openid-connect/auth which redirects the user to the login page handled by Keycloak
2. The user performs the login using his credentials (using the credentials of a user defined in Keycloak)
3. Keycloak redirects the user to the "redirect_uri" which was passed in step 1. In this step Keycloak also provides as request parameters the "state" and "code" values.
4. After the user has been redirected back to the application I exchange the "code" received in step 3 for a token doing a POST request on http://localhost:8180/auth/realms/demo/protocol/openid-connect/token which is done successfully
5. After the access token is available I proceed to access the "bearer-only" REST web services.
note: the REST web services exposed by the "bearer-only" service are not accessible unless the user has been logged in and it has the correct "role" assigned to it.
Problem: As stated at the start of the post, the user is still able to access the "bearer-only" REST web services after the logout has been done. The only thing that seems to work is the logout from the "confidential" application (the user is not able to access the application unless he logs in again). If I perform the logout of the user then the REST web services exposed by the bearer-only application are still accessible. In the Keycloak server I get the following WARN message: "Some clients have been not been logged out for user adminuser in demo realm: rest_service"
I tried implementing the logout in three ways:
- A redirect to URL http://localhost:8180/auth/realms/demo/protocol/openid-connect/logout passing in the redirect_uri and client_id parameters
- A POST request to http://localhost:8180/auth/realms/demo/protocol/openid-connect/logout passing in the Authorization Bearer in the header and the client_id, refresh_token, client_secret and redirect_uri
- A REST service exposed by the "bearer-only" service which does the following method call: HttpServletRequest request.logout()
None of the above methods is working.
PS: I did not want to go into too many details because even so the post is long enough. If I missed something please tell me and I will provide the additional information (if possible I can also attach the actual projects)
Thank you,
Dan Nemes
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user