Re: [keycloak-user] Having difficulty logging out in a 2 client scenario
Sounds like the Spring Security Adapter is services and not a web app? If
so it shouldn't deal with logins and logouts at all. It should be
configured as a bearer-only client.
On 1 November 2016 at 00:11, Chris Savory <chris.savory(a)edlogics.com> wrote:
Our application has 2 clients:
1. A Confidential Client that uses the Spring Security Adapter
2. A Public Client that uses the JavaScript Adapter for an Angular SPA app.
Everything between the two is working fine until I try to logout under
certain conditions.
Logout works fine if I first: deep link into a protected page in my app.
The SpringSecurity adapter for client# 1 redirects me to Keycloak.
Keycloack then logs me in and sends me back to my app where my token was
issued for client #1. If I logout under this scenario via the
SpringSecurity adapter it works fine.
In Scenario #2 I first hit an Angular page in my app. Then I log in from
the JS Adapter in client #2. Then through a Rest call to my Spring App
(which a Bearer token is passed) a java session is established on Tomcat.
When I put some break points in the Keycloak Adapter classes I can see that
the KeycloakToken only contains the token in this scenario, but not the
refresh token. I can also see that the token was issued for client #2.
When I try to logout, the adapter sends a request to Keycloak with an empty
refresh_token and keycloak returns a 400 error, thus nullifying the logout.
I also tried another scenario where use the JS Adapter get the logout URL
and logout directly to Keycloak via “window.location =
keycloak.createLogoutUrl({ redirectUri: “/site-url”) }). This actually
logs out the user from all clients (which is what I want), but the problem
here is on the next request to the Spring app I think there is still an
HttpSession alive and I’m running into the check in
SpringSecurityTokenStore.saveAccountInfo where it throws an exception
because there is already an (old) token inside the SecurityContextHolder.
Any advice on how to proceed from either of these two scenarios?
--
Christopher Savory
Software Engineer | EdLogics
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user