To add something else:
I discovered I was changing the JSESSIONID after a successful login in a
callback servlet. I removed that because Keycloak itself invalidates the
old session and assigns a new id.
Otherwise, to my surprise, after logging out the session from the Keycloak admin
console, the session remains active and I am still logged in to the application.
Any tip is appreciated.
Regards,
Juan
On Wed, Jan 31, 2018 at 12:20 PM Juan Pablo Perata <jpperata(a)gmail.com>
wrote:
Hello,
This issue seems application specific, but I could not get to the root of
it yet.
I would like to know if someone has faced this in the Keycloak Admin Console or
has some tips for me to see what is going on.
*Environment*
Web application running on Wildfly 10.1.0.Final and secured with Keycloak.
Keycloak 3.4.3.Final server running in <IP>:<PORT1>
Wildfly 10.1.0.Final server running in <IP>:<PORT2>
*Description*
Found that session logout from the Keycloak admin console does not take effect for
federated users in my web application.
Steps:
- Develop your own user federation provider to connect to an internal
database (implements the interfaces _UserStorageProvider,
CredentialInputValidator, UserLookupProvider, OnUserCache_).
- Properly configure the user federation provider in the Keycloak realm.
- Configure and deploy a JSF-based web OIDC client application in Wildfly,
secured by Keycloak.
- Go to _<IP>:<PORT2>/<web-application_uri>_ and authenticate using the
federation provider. Authentication succeeds.
- Go to Keycloak Console -> Realm -> Sessions -> (select web application
client) -> Show sessions. Then select <user-authenticated> from the displayed
table -> "Sessions" tab.
- Click "Logout all sessions" or "Logout" on the specific session. A success
message is displayed and the session disappears from the table.
- Go to _<IP>:<PORT2>/<web-application_uri>_ and check that the session is
still alive and the user is authenticated.
- Checked in a Filter in the web application that the
"org.keycloak.KeycloakSecurityContext" security context is present with
information from the logged in user.
*To note:*
- (correct behaviour) If logout is performed from the web application, the single
sign-on session is logged out properly (HttpRequest.logout()).
- (correct behaviour) Tested the behaviour with the [product-portal sample |
https://github.com/keycloak/keycloak/tree/master/examples/demo-template/p...]
application and *it works as expected*.
Tested with users loaded from the "demo" json and also using my own user
federation provider, and it works well.
Thanks in advance,
Juan
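The Filter check mentioned in the steps above, written out as a diagnostic that logs what the adapter sees on each request. This is an added example, not code from the thread or from the Keycloak project; it assumes the Keycloak 3.4 servlet adapter is installed in the Wildfly deployment, so the adapter has already attached a KeycloakSecurityContext to the request before this filter runs.

```java
// Added example: diagnostic filter for the Keycloak servlet adapter (assumed
// Keycloak 3.4 adapter API). Logs the Keycloak SSO session id and the
// remaining token lifetime next to the container session id, so a session
// logged out in the admin console can be matched against what the
// application still holds.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

@WebFilter("/*")
public class SessionDiagnosticsFilter implements Filter {

    @Override
    public void init(FilterConfig config) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // The adapter stores the security context under the class name as the attribute key.
        KeycloakSecurityContext ctx = (KeycloakSecurityContext)
                http.getAttribute(KeycloakSecurityContext.class.getName());
        HttpSession session = http.getSession(false); // do not create one just to inspect it

        if (ctx != null && ctx.getToken() != null) {
            AccessToken token = ctx.getToken();
            long secondsLeft = token.getExpiration() - (System.currentTimeMillis() / 1000);
            // session_state is the Keycloak SSO session id shown under Realm -> Sessions;
            // compare it with the row that was logged out in the admin console.
            http.getServletContext().log(String.format(
                    "user=%s sso_session=%s token_expires_in=%ds container_session=%s uri=%s",
                    token.getPreferredUsername(), token.getSessionState(), secondsLeft,
                    session == null ? "none" : session.getId(), http.getRequestURI()));
        } else {
            http.getServletContext().log("no KeycloakSecurityContext on " + http.getRequestURI());
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {}
}
```

A log line whose sso_session no longer appears in the admin console but still reports a live container session is the mismatch the thread describes.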