I see, thanks!
But I created a catch-all REST endpoint that would show any requests
coming from keycloak. And it shows none.
Maybe you are executing logout in a different way than me? I just
redirect the user to a logout URL:
The adapter creates REST endpoints to listen to the logout event.
Suppose there are 2 apps under SSO. You execute log-out from one of them.
Another one is receiving backchannel call from Keycloak about the
log-out event to immediately terminate session.
Otherwise the 2nd app will know about session invalidation only after
next request to keycloak (e.g. for refreshing a token).
I've been using Keycloak Spring Security Adapter 7.0.1 with Keycloak
7.0.1 however it still contained a bug for Single Logout that's why I
had to promote a fix for
https://issues.jboss.org/browse/KEYCLOAK-10266.
Until keycloak 8 is released I had to apply a workaround of custom
HttpSessionManager registration.
On Tue, Nov 12, 2019 at 6:09 AM mn(a)fstrk.io wrote:
Anyway, if you've made this work, please specify the versions of
the libraries you used; I will find a Java friend to put them
together, and then I'll look at HTTP requests issued and implement
them in Python :)
11.11.19 23:06, Leonid Rozenblyum wrote:
> Well since Spring Security adapter is used inside Java client
> software to secure communication with Keycloak, and you're
> developing your software in Python - it seems to be another
> problem...
>
> According to the docs:
>
>
> *Admin URL*
> For _Keycloak specific_ client adapters, this is the callback
> endpoint for the client. The Keycloak server will use this URI to
> make callbacks like pushing revocation policies, performing
> backchannel logout, and other administrative operations. For
> Keycloak servlet adapters, this can be the root URL of the
> servlet application. For more information see Securing
> Applications and Services Guide.
>
> It looks like Python OIDC library is not keycloak-specific, so
> Admin URL is NOT an option to set up backchannel logout.
>
> On Mon, Nov 11, 2019 at 9:41 PM mn(a)fstrk.io wrote:
>
> I would love to try it, but I am a Python guy and I am not
> sure how to figure out Keycloak internals :) is there any way
> you can point me to look for the instructions on how to do it?
>
>
>
> 11.11.19 22:27, Leonid Rozenblyum wrote:
>> Ok, I see.
>> But do you use Spring Security adapter in your application?
>> If yes, a workaround for KEYCLOAK-10266
>> <https://issues.jboss.org/browse/KEYCLOAK-10266> is possible
>> even before 8.0.0 release.
>>
>> On Mon, Nov 11, 2019 at 6:48 PM mn(a)fstrk.io wrote:
>>
>> I am using the Docker version, and 8.0.0 has not been
>> released in Docker yet:
>>
>> https://hub.docker.com/r/jboss/keycloak/tags
>>
>> so I guess the only option for me is to wait for the 8.0.0
>> Docker release then.
>>
>>
>> 11.11.19 17:56, Leonid Rozenblyum пишет:
>>> Hi. What adapter are you using?
>>> Spring Security adapter had a bug which was recently
>>> fixed and the fix should be part of 8.0.0
>>>
>>> https://issues.jboss.org/browse/KEYCLOAK-10266
>>>
>>> On Mon, Nov 11, 2019 at 6:14 AM mn(a)fstrk.io wrote:
>>>
>>> I created a client in Keycloak and set up a test admin URL
>>> https://webhook.site/12c50381-0814-441a-82bb-1a68c8366a60
>>> (this is a webhook testing site).
>>>
>>> After that, I performed an OpenID login via this
>>> client, and then sent a
>>> logout request to Keycloak.
>>>
>>>
>>> I did this a couple of times, and tried two ways of
>>> logging a user out:
>>>
>>> - redirecting to
>>> http://.../auth/realms/myrealm/protocol/openid-connect/logout
>>> <http://127.0.0.1:8080/auth/realms/myrealm/protocol/openid-connect/logout>
>>>
>>> - force logging out of the user via Keycloak admin
>>> interface:
>>> http://prntscr.com/pv1v76
>>>
>>> The user indeed gets logged out. However, in both
>>> of these cases I don't
>>> see any requests coming out from Keycloak. The
>>> testing website shows
>>> zero registered requests.
>>>
>>>
>>> How do I make this work?
>>>
>>>
>>>
>>>
>>> --
>>> Mikhail Novikov
>>>
>>
>> --
>> Mikhail Novikov
>> Lead Developer
>> fstrk.io <http://fstrk.io>
>>
>
> --
> Mikhail Novikov
> Lead Developer
> fstrk.io <http://fstrk.io>
>
--
Mikhail Novikov
Lead Developer
fstrk.io <http://fstrk.io>