Bearer-only applications don't manage user sessions; they simply authenticate based
on the token in the request.
When a user logs out, the applications a user has directly logged in to
(confidential or public) should drop the user session. Confidential apps do this via the
request from the server, which in turn invalidates the session in the app. Public apps
(using keycloak.js) do this by detecting the logout from the session iframe.
You should obviously also have a short "Access Token Lifespan" configured for
your realm; this makes sure that any tokens expire quickly after a logout. As the
user session is invalidated on the server, any associated refresh tokens will be expired
as well, so it won't be possible for an app to retrieve a new token after the user has
logged out.
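The per-request check described in the reply above, as an added example that is not code from this thread or from the Keycloak adapters: a bearer-only resource server has no session to drop, so the only thing bounding a token's usefulness after logout is its "exp" claim, i.e. the realm's Access Token Lifespan. The shared secret, the realm URL, the subject names and the use of HS256 are assumptions made so the example runs offline; Keycloak itself signs access tokens with the realm's RSA key (RS256).

```python
# Added example, not Keycloak's own adapter code. Keycloak signs realm tokens
# with RS256 using the realm key; this self-contained version uses HS256 with a
# shared secret instead (an assumption for the example only).
import base64
import hashlib
import hmac
import json

SHARED_SECRET = b"example-secret-not-from-keycloak"   # constructed for the example
ISSUER = "https://sso.example.test/auth/realms/demo"   # hypothetical realm URL


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(subject, issued_at, lifespan_seconds, secret=SHARED_SECRET):
    """Mint an HS256 access token whose 'exp' is issued_at + lifespan, the
    equivalent of the realm's Access Token Lifespan setting."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "iat": issued_at,
              "exp": issued_at + lifespan_seconds}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def authenticate_request(authorization_header, now, secret=SHARED_SECRET):
    """Bearer-only style check: no session store is consulted, only the token
    carried in the request. Returns (http_status, reason_or_subject)."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, "missing bearer token"
    parts = authorization_header[len("Bearer "):].split(".")
    if len(parts) != 3:
        return 401, "malformed token"
    signing_input = parts[0] + "." + parts[1]
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    try:
        # Verify the signature before trusting any claim in the payload.
        if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
            return 401, "bad signature"
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return 401, "malformed token"
    if header.get("alg") != "HS256":
        return 401, "unexpected alg"
    if claims.get("iss") != ISSUER:
        return 401, "wrong issuer"
    # RFC 7519: the current time must be strictly before 'exp'.
    if now >= claims.get("exp", 0):
        return 401, "token expired"
    return 200, claims["sub"]


def demo(lifespan_seconds=60):
    """Show why a short lifespan bounds the post-logout window for a
    bearer-only app: the token is accepted inside its lifespan and rejected
    right after it, with no server-side session involved."""
    t0 = 1_700_000_000                       # constructed issue time
    hdr = "Bearer " + mint_token("alice", t0, lifespan_seconds)
    return {
        "during_lifespan": authenticate_request(hdr, t0 + lifespan_seconds // 2)[0],
        "after_lifespan": authenticate_request(hdr, t0 + lifespan_seconds + 1)[0],
        "tampered_signature": authenticate_request(hdr[:-2] + "xx", t0)[0],
    }


if __name__ == "__main__":
    print(demo())
```

A logout notification sent to the admin URL has nothing to act on here, which is the behaviour the thread describes: the request keeps succeeding until "exp" passes, so the realm's Access Token Lifespan, not the admin URL, is what limits the exposure for bearer-only deployments.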
----- Original Message -----
From: "Alarik Myrin" <alarik(a)zwift.com>
To: keycloak-user(a)lists.jboss.org
Sent: Thursday, 11 September, 2014 8:52:50 PM
Subject: [keycloak-user] Admin url for bearer-only applications
I am not sure the Admin url is working for bearer-only applications, at least
not on Wildfly.
I have set the admin url for my bearer-only applications just like I do for
my confidential applications. In both cases (they are both war file
deployments running in Wildfly 8.0.0 Final) it is the context-root of the
war file. When I log out the sessions from the keycloak admin console, the
confidential applications hear about the logout, and will respond with a
redirect, but the bearer-only reply with the protected resource instead of
responding with a 401 like I would expect.
Is anyone else having trouble with this? There are no bearer-only resources
in the preconfigured-demo realm file to check against...
BTW, I just verified that this was happening with Keycloak 1.0-final.
Thanks,
Alarik
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user