There's no standard way of doing backchannel logout with OAuth2. There's a
draft spec for OpenID Connect that we may implement in the future.
Keycloak has its own proprietary backchannel logout, but that's only for
applications that do the login. In your case as it's a JS app that obtains
the tokens there's no backchannel logout involved and instead it relies on
the session cookie + access token timeout. Assuming your JEE app is a REST
service it should create a session that allows invoking without an access
token from the JS app. That way it won't be possible for the JS app to
invoke it once the session is logged out as it won't be able to obtain new
access tokens.
On 29 December 2016 at 11:27, Dan Østerberg <dan(a)ren.no> wrote:
Hi,
How can we make single sign out work when passing bearer tokens to a
server guarded by a «traditional» session based OAuth2 client / adapter?
Let's say we use bearer authentication via the Javascript adapter, and make
REST requests to a stateless (no session) server. Let's further say that
during some later request, a server session will be created – either
intentionally to store state, or unintentionally e.g. by some shared code
(since sessions are auto-created in Java EE). Now single sign out won’t
work, because Keycloak is neither aware of the server session nor the
OAuth2 client that has an admin URL.
One solution could be to detect the creation of a session, and internally
via an extended REST API tell the Keycloak server to create a session also
for the client with admin URL (connecting it to the created session ID).
But it just sounds as if this should be covered out-of-the-box, so maybe
I’m just missing or misunderstanding something...
~Dan
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
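The failure mode discussed in this thread is a Java EE backend that is meant to be stateless but quietly acquires an HttpSession, which Keycloak never learns about and so cannot terminate on single sign-out. The filter below is an added example, not code from the thread or from Keycloak: it makes session creation fail loudly on bearer-token requests and invalidates any session that slipped in earlier, so access to the REST service stays bound to the access token's lifetime. Class and method names are assumptions; signature validation of the token itself is left to the Keycloak adapter chained after this filter.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (not from the thread): keeps a bearer-token REST backend
// truly stateless so single sign-out is governed by token expiry, not by
// a server session Keycloak is unaware of.
public class StatelessBearerFilter implements Filter {

    /** Request wrapper that refuses to create a session on demand. */
    static final class NoSessionRequest extends HttpServletRequestWrapper {
        NoSessionRequest(HttpServletRequest req) { super(req); }

        @Override
        public HttpSession getSession(boolean create) {
            if (create) {
                // Shared code that calls getSession() now fails visibly
                // instead of silently creating an unmanaged session.
                throw new IllegalStateException(
                    "session creation is disabled for bearer-token requests");
            }
            return super.getSession(false);
        }

        @Override
        public HttpSession getSession() { return getSession(true); }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String auth = http.getHeader("Authorization");
        // Every request must present a bearer token; without one there is
        // no per-request evidence that the Keycloak SSO session still exists.
        if (auth == null || !auth.startsWith("Bearer ")) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Drop any session created earlier by shared code so it cannot be
        // used to keep calling the service after the SSO session is gone.
        HttpSession stale = http.getSession(false);
        if (stale != null) { stale.invalidate(); }
        chain.doFilter(new NoSessionRequest(http), res);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Register the filter ahead of the Keycloak adapter for the REST paths only; endpoints that legitimately use a session-based login should keep the standard adapter with its admin URL so Keycloak's own backchannel logout still reaches them.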