in the community, we only support the latest release. A lot has
changed since 1.9.3. 1.9.4-1.9.8 resolved a ton of tickets and there's
been a lot of features and refactoring since last April. You can get
commercial support from Red Hat for 1.9.x via the RH-SSO product.
RH-SSO 7.0 is based off of Keycloak 1.9.8.
As for your question, hopefully somebody else chimes in as I know
nothing about the spring security integration. What you may have not
configured in the Keycloak admin console page is the admin endpoint.
This is a proprietary endpoint that keycloak adapters expose to receive
back-channel logout events. If this URL is not set, then a backchannel
logout request is not sent to the application. I'm not sure if our
spring adapter supports backchannel logout.
Not much help, but it's the most I can offer at the moment.
On 11/17/16 11:08 AM, Haim Vana wrote:
Hi,
We are working on Keycloak 1.9.3 with spring security, and trying to implement
backchannel logout (one application performs logout and the second application is not
aware of it).
We would appreciate if you kindly could advise regarding the below:
1. What is the best practice to handle backchannel logout? More specifically, where
and how should the access token validation be performed (how should the second application
know that the first one performed the logout)?
2. We have noticed that Keycloak spring security filters (straight from
documentation) don't try to authenticate the token after it is revoked. What's the
best practice to handle access token expiration? Is it implemented by Keycloak or should
we handle it on the server or client side?
3. The getToken() method of RefreshableKeycloakSecurityContext does not fail if the
token is expired. Is it on purpose? If so, should we handle it in our application code?
4. We have implemented the KeycloakOIDCFilter, but it doesn't empty the spring
security authentication object (SecurityContextHolder.getContext().getAuthentication())
after logout, as a result the client 'thinks' it is still authenticated,
what's the best practice to handle it ?
Thanks,
Haim.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user