Thanks Stian.
Then what is the purpose of the Admin URL when setting up the bearer-only
application in the console? Perhaps it should be removed?
Or is there some way that the bearer-only application could still maintain
a "has-logged-out" list (which it would find out about via the admin URL)
against which to validate a token? Perhaps using timestamps, which
presumably is how the token lifespan stuff is checked too?
On Fri, Sep 12, 2014 at 5:23 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
Bearer-only applications don't manage user sessions; they simply
authenticate based on the token in the request.
When a user logs out, the applications where a user has directly logged in
(confidential or public) should drop the user session. Confidential apps
do this with the request from the server, which will in turn invalidate the
session in the app. Public apps (using keycloak.js) do this by detecting
the logout from the session iframe.
You should obviously also have a short "Access Token Lifespan" configured
for your realm, this makes sure that any tokens are quickly expired after a
logout. As the user session is invalidated on the server, any associated
refresh tokens will be expired as well, so it won't be possible for an app
to retrieve a new token after the user has logged out.
----- Original Message -----
> From: "Alarik Myrin" <alarik(a)zwift.com>
> To: keycloak-user(a)lists.jboss.org
> Sent: Thursday, 11 September, 2014 8:52:50 PM
> Subject: [keycloak-user] Admin url for bearer-only applications
>
> I am not sure the Admin url is working for bearer-only applications, at least
> not on Wildfly.
>
> I have set the admin url for my bearer-only applications just like I do for
> my confidential applications. In both cases (they are both war file
> deployments running in Wildfly 8.0.0 Final) it is the context-root of the
> war file. When I log out the sessions from the keycloak admin console, the
> confidential applications hear about the logout, and will respond with a
> redirect, but the bearer-only reply with the protected resource instead of
> responding with a 401 like I would expect.
>
> Is anyone else having trouble with this? There are no bearer-only resources
> in the preconfigured-demo realm file to check against...
>
> BTW, I just verified that this was happening with Keycloak 1.0-final.
>
> Thanks,
>
> Alarik
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
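An added illustration (not Keycloak's code and not from the thread) of the two checks discussed above: the `exp` bound that a short "Access Token Lifespan" gives a bearer-only app, and the timestamped "has-logged-out" list Alarik proposes. The HS256 signature and the `session_state` claim as the session key are assumptions of this sample; real Keycloak tokens are signed with the realm's RSA key.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in: Keycloak access tokens are RSA-signed JWTs from the realm;
# HMAC with a shared secret is used here only so the sample runs offline.
SECRET = b"constructed-demo-secret"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build a compact JWT (header.payload.signature) for the sample checks."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_bearer_token(token: str, now: int, logged_out_at: dict, secret: bytes = SECRET):
    """Return (accepted, reason). `logged_out_at` maps session_state -> logout time,
    the hypothetical list a bearer-only app would keep if the admin URL fed it."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False, "malformed token"
    # Verify the signature over the encoded segments before trusting any claim.
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload))
    # With a short Access Token Lifespan, `exp` alone bounds how long a token
    # can outlive the logout that the bearer-only app never hears about.
    if now >= claims["exp"]:
        return False, "expired"
    # The proposed logout list: reject tokens issued at or before the session's
    # recorded logout; a token from a later login on the same session passes.
    cutoff = logged_out_at.get(claims.get("session_state"))
    if cutoff is not None and claims["iat"] <= cutoff:
        return False, "session logged out"
    return True, "ok"
```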