Our application has 2 clients:
1. A Confidential Client that uses the Spring Security Adapter
2. A Public Client that uses the JavaScript Adapter for an Angular SPA app.
Everything between the two is working fine until I try to logout under certain conditions.
Logout works fine if I first: deep link into a protected page in my app. The
SpringSecurity adapter for client# 1 redirects me to Keycloak. Keycloack then logs me in
and sends me back to my app where my token was issued for client #1. If I logout under
this scenario via the SpringSecurity adapter it works fine.
In Scenario #2 I first hit an Angular page in my app. Then I log in from the JS Adapter
in client #2. Then through a Rest call to my Spring App (which a Bearer token is passed)
a java session is established on Tomcat. When I put some break points in the Keycloak
Adapter classes I can see that the KeycloakToken only contains the token in this scenario,
but not the refresh token. I can also see that the token was issued for client #2. When
I try to logout, the adapter sends a request to Keycloak with an empty refresh_token and
keycloak returns a 400 error, thus nullifying the logout.
I also tried another scenario where use the JS Adapter get the logout URL and logout
directly to Keycloak via “window.location = keycloak.createLogoutUrl({ redirectUri:
“/site-url”) }). This actually logs out the user from all clients (which is what I want),
but the problem here is on the next request to the Spring app I think there is still an
HttpSession alive and I’m running into the check in
SpringSecurityTokenStore.saveAccountInfo where it throws an exception because there is
already an (old) token inside the SecurityContextHolder.
Any advice on how to proceed from either of these two scenarios?
--
Christopher Savory
Software Engineer | EdLogics