The admin URL is also used for other things as well; one which can be useful for
bearer-only applications is pushing a not-before time (effectively invalidating any tokens
generated prior to a specified time).
----- Original Message -----
From: "Alarik Myrin" <alarik(a)zwift.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org
Sent: Friday, 12 September, 2014 1:04:39 PM
Subject: Re: [keycloak-user] Admin url for bearer-only applications
Thanks Stian.
Then what is the purpose of the Admin URL when setting up the bearer-only
application in the console? Perhaps it should be removed?
Or is there some way that the bearer-only application could still maintain
a "has-logged-out" list (which it would find out about via the admin-url)
against which to validate a token? Perhaps using timestamps, which
presumably is how the token lifespan stuff is checked too?
On Fri, Sep 12, 2014 at 5:23 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
> Bearer-only applications don't manage user sessions, they simply
> authenticate based on the token in the request.
>
> When a user logs out, the applications where a user has directly logged in
> to (confidential or public) should drop the user session. Confidential apps
> do this with the request from the server which will in turn invalidate the
> session in the app. Public apps (using keycloak.js) do this by detecting
> the logout from the session iframe.
>
> You should obviously also have a short "Access Token Lifespan" configured
> for your realm, this makes sure that any tokens are quickly expired after a
> logout. As the user session is invalidated on the server, any associated
> refresh tokens will be expired as well, so it won't be possible for an app
> to retrieve a new token after the user has logged out.
>
> ----- Original Message -----
> > From: "Alarik Myrin" <alarik(a)zwift.com>
> > To: keycloak-user(a)lists.jboss.org
> > Sent: Thursday, 11 September, 2014 8:52:50 PM
> > Subject: [keycloak-user] Admin url for bearer-only applications
> >
> > I am not sure the Admin url is working for bearer-only applications, at least
> > not on Wildfly.
> >
> > I have set the admin url for my bearer-only applications just like I do for
> > my confidential applications. In both cases (they are both war file
> > deployments running in Wildfly 8.0.0 Final) it is the context-root of the
> > war file. When I log out the sessions from the keycloak admin console, the
> > confidential applications hear about the logout, and will respond with a
> > redirect, but the bearer-only reply with the protected resource instead of
> > responding with a 401 like I would expect.
> >
> > Is anyone else having trouble with this? There are no bearer-only resources
> > in the preconfigured-demo realm file to check against...
> >
> > BTW, I just verified that this was happening with Keycloak 1.0-final.
> >
> > Thanks,
> >
> > Alarik
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> >
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
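The not-before mechanism mentioned at the top of this thread, and the timestamp-based check Alarik asks about, as an added illustration that is not Keycloak's own code. It assumes the auth server pushes an epoch timestamp to the application's admin URL (the HTTP plumbing is left out) and that the application then rejects any token whose `iat` claim is earlier than that timestamp, independently of `exp`. Token payloads are constructed dicts standing in for verified JWT claims.

```python
"""Enforcing a pushed not-before time in a bearer-only service (added example)."""
import time


class NotBeforeStore:
    """Holds the most recent not-before timestamp pushed by the auth server.

    A bearer-only app keeps no user sessions, so this single number is the
    whole "has-logged-out" state: everything issued before it is refused.
    """

    def __init__(self):
        self.not_before = 0  # epoch seconds; 0 means nothing pushed yet

    def push(self, ts):
        """Record a pushed not-before time; only ever moves forward so a stale
        or replayed push cannot reopen a window that was already closed."""
        if ts > self.not_before:
            self.not_before = ts
        return self.not_before


def check_token(payload, store, now=None):
    """Return (ok, reason) for a decoded token payload.

    Rejects tokens that are expired or that were issued before the pushed
    not-before time. 'iat' and 'exp' are the standard JWT claims; signature
    verification is assumed to have happened before this point.
    """
    now = int(time.time()) if now is None else now
    iat = payload.get("iat")
    exp = payload.get("exp")
    if iat is None or exp is None:
        return False, "missing iat/exp"
    if now >= exp:
        return False, "expired"
    if iat < store.not_before:
        return False, "issued before not-before"
    return True, "ok"


if __name__ == "__main__":
    # Constructed scenario: a token is valid, then a logout pushes a not-before
    # time and the same still-unexpired token is refused from then on.
    store = NotBeforeStore()
    t0 = 1_000_000
    token = {"iat": t0, "exp": t0 + 300}
    print(check_token(token, store, now=t0 + 10))   # (True, 'ok')
    store.push(t0 + 60)
    print(check_token(token, store, now=t0 + 70))   # (False, 'issued before not-before')
```

The point of the forward-only `push` is that a short access token lifespan and a not-before time work together: the lifespan bounds how long a token survives when no push arrives, and the push cuts off earlier tokens immediately without the application having to track sessions.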