Keycloak Adapter Set/Remove Cookies Depending on Path - keycloak-user - Jboss List Archives

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

Keycloak Adapter Set/Remove Cookies Depending on Path

Major Memory Leak/Consumption When...

Help - two issues

Sarp Kaya

Thursday, 23 June 2016 Thu, 23 Jun '16

4:06 a.m.

According to this code: <https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-co... The cookie is only reset at the place where the logout path is. For instance: Applications serve at /foo/app and /bar/app And logout path is just /logout In that case that won't work because cookiePath for removeCookie would be /logout. The problem is the user is still logged in within the period of Access Token Lifespan. It doesn't make sense to have different logout URL for each application as such /bar/logout and /foo/logout . Is there a way to just keep single logout which logs out the user for each application? Thanks, Sarp Kaya

Attachments:

attachment.html (text/html — 1.7 KB)

Reply

Show replies by date

Stian Thorgersen

Tuesday, 28 June Tue, 28 Jun

3:45 p.m.

Sounds like you have two separate applications? If so they'll have separate cookies, sessions, etc.. and would have to be logged-out separately. Not quite sure where you're getting '/logout' from either. To logout you should use HttpServletRequest.logout which will redirect to Keycloak to properly do the logout. This will logout the application that the user initiated the logout from, as well as send a backchannel request to other applications to log them out. On 23 June 2016 at 04:06, Sarp Kaya <akaya(a)expedia.com> wrote:

According to this code: <https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-co... <https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-co... https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-co... The cookie is only reset at the place where the logout path is. For instance: Applications serve at /foo/app and /bar/app And logout path is just /logout In that case that won’t work because cookiePath for removeCookie would be /logout. The problem is the user is still logged in within the period of Access Token Lifespan. It doesn’t make sense to have different logout URL for each application as such /bar/logout and /foo/logout . Is there a way to just keep single logout which logs out the user for each application? Thanks, Sarp Kaya _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

Reply

2852

days inactive

2857

days old

keycloak-user@lists.jboss.org

Manage subscription

1 comments

2 participants

tags (0)

participants (2)

Sarp Kaya
Stian Thorgersen