3:17 a.m.
Hello,
I am unable to logout an user. The logout works for a "confidential"
applications but it doesn't for a "bearer-only" application (the REST
services are still accessible after logout).
I have the following configuration:
- I have one "database" client application defined in Keycloak having access
type "bearer-only" (created with the intent of exposing REST web services
protected by Keycloak based on user roles)
- I have one "rest_service" client application defined in keycloak having
access type "confidential" (created with the intent of logging in users and
allowing access to the "bearer-only" REST services after a successful login).
The below described workflow is implemented in this application using REST web services
I am performing the following steps:
- An http GET request is performed on
URL http://localhost:8180/auth/realms/demo/protocol/openid-connect/auth which redirects
the user to the login page handled by Keycloak
- The user performs the login using his credentials (using the credentials of a user
defined in Keycloak)
- Keycloak redirects the user to the "redirect_uri" which was passed in step
1. In this step Keycloak also provides as request parameters the "state" and
"code" values.
- After the user has been redirected back to the application I exchange the
"code" received in step 3 for a token doing a POST request
on http://localhost:8180/auth/realms/demo/protocol/openid-connect/token which is done
successfully
- After the access token is available I proceed to access the "bearer-only"
REST web services.
note: the REST web services exposed by the "bearer-only" service are not
accessible unless the user has been logged in and it has the correct "role"
assigned to it.Problem: As stated at the start of the post the user is still able to
access the "bearer-only" REST web services after the logout has been done. The
only thing that seems to work is the logout from the "confidential" application
(the user is not able to access the application unless he logs in again).If I perform the
logout of the user then the REST web services exposed by the bearer-only application are
still accessible. In the Keycloak server I get the following WARN message: " Some
clients have been not been logged out for user adminuser in demo realm:
rest_service"I tried implementing the logout in three ways:
- A redirect to
URL http://localhost:8180/auth/realms/demo/protocol/openid-connect/logoutpassing in the
redirect_uri and client_id parameters
- A POST request
to http://localhost:8180/auth/realms/demo/protocol/openid-connect/logoutpassing in the
Authorization Bearer in the header and the client_id, refresh_token, client_secret and
redirect_uri
- A REST service exposed by the "bearer-only" service which does the
following method call: HttpServletRequest request.logout()
Neither of the above methods is working.PS: I did not want to go in to many details
because even so the post is long enough. If I missed something please tell me and I will
provide the additional information (if possible I can also attach the actual projects)
Thank you,Dan Nemes
| | Virus-free. www.avg.com |