Re: [keycloak-user] KEYCLOAK SAML logout not working as documented

Monday, 17 June 2019

Hello Manuel,

please refer the documentation:
https://www.keycloak.org/docs/latest/securing_apps/index.html#_servlet_fi...
<https://www.keycloak.org/docs/latest/securing_apps/index.html#_servlet_fi...;.
When you work within a servlet filter it will act as the same. 

In case of a java servlet filter client adapter the backchannel logout work different!
Instead of invalidating the session, you will be marked as logged out. 

In your case, implement the logout inside your code which is in the application server
like the web application and NOT in an external filter.

With best regards,

Bjoern

...
 Am 17.06.2019 um 18:56 schrieb Manuel Waltschek
<manuel.waltschek(a)prisma-solutions.at
<mailto:manuel.waltschek@prisma-solutions.at>>:

 Hello KC Community,

 I am still trying to find out how to properly logout from keycloak using the kc adapter
on wildfly10.
 Documentation says

 3.1.8. Logout

 There are multiple ways you can logout from a web application. For Java EE servlet
containers, you can call HttpServletRequest.logout(). For any other browser application,
you can point the browser at any url of your web application that has a security
constraint and pass in a query parameter GLO, i.e. http://myapp?GLO=true
<http://myapp/?GLO=true>;. This will log you out if you have an SSO session with your
browser.
 As HttpServletRequest.logout() in Undertows implementation
io.undertow.servlet.spec.HttpServletRequestImpl checks isInvalidateSessionOnLogout returns
false in my case it does not much.

    @Override
    public void logout() throws ServletException {
        SecurityContext sc = exchange.getSecurityContext();
        sc.logout();

if(servletContext.getDeployment().getDeploymentInfo().isInvalidateSessionOnLogout()) {
            HttpSession session = getSession(false);
            if(session != null) {
                session.invalidate();
            }
        }
    }

 Im calling HttpServletRequest.logout() in a ServletFilter implementation, but it does not
 end the keycloak session and I can still reach protected ressources. There is no
backchannel request as I would expect.
 When I do the following:

  private void requestGlobalLogout(HttpServletRequest req, HttpServletResponse resp)
      throws ServletException, IOException {
    String contextPath = req.getContextPath();
    req.logout();
    resp.sendRedirect(contextPath + "?GLO=true");

 it somehow works, but sends another AuthnRequest before sending the LogoutRequest. Then
the LogoutResponse ist posted to myapp/saml again which leads to http Status code 403
forbidden.

 Please also see:

 https://issues.jboss.org/browse/KEYCLOAK-2191
<https://issues.jboss.org/browse/KEYCLOAK-2191>

 and https://lists.jboss.org/pipermail/keycloak-user/2017-July/011207.html

 Regards,

 [Logo]to m

 Manuel Waltschek BSc.

 +43 660 86655 47<tel:+436608665547>
 manuel.waltschek@prisma-solutions.at<mailto:manuel.waltschek@prisma-solutions.at>
 https://www.prisma-solutions.com

 PRISMA solutions EDV-Dienstleistungen GmbH
 Klostergasse 18, 2340 Mödling, Austria
 Firmenbuch: FN 239449 g, Landesgericht Wiener Neustadt
 <image001.png>_______________________________________________
 keycloak-user mailing list
 keycloak-user(a)lists.jboss.org
 https://lists.jboss.org/mailman/listinfo/keycloak-user 

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

Re: [keycloak-user] KEYCLOAK SAML logout not working as documented