New subject: How to logout

Tuesday, 14 August 2018

Hi Stan,
  I'm not sure if it is an issue or just the way it is supposed to work.  Again,
HttpServletRequest.logout() does work when the servlet container itself believes a user is
logged in.  The case in which it appears to be a no-op is when the servlet container is
not aware of any login.  This might be okay?  Not sure?   The problem is that a user can
be logged into Keycloak, but not logged into the servlet container.  In this case how do I
log the user out?  Perhaps I should use the alternative method, the URL:
https://authserver/auth/{realm-name}/protocol/openid-connect/logout?redir...
 However, having a logout anchor (link) that navigates to that URL does not destroy the
Keycloak login.  Perhaps I need to add some authentication header, bearer token, or
something else along with the GET HTTP request?  Watching the network requests using the
developer console of a web browser I see that even after the logout request to Keycloak if
I attempt a login immediately after I see the KC_RESTART cookie is used (so a token must
still exist?) and I am logged in automatically without being prompted for username or
password - so... the logout URL didn't seem to work.

Thanks,

Ryan

----- Original Message -----
From: "Stan Silvert" <ssilvert(a)redhat.com&gt;
To: "keycloak-user" <keycloak-user(a)lists.jboss.org&gt;
Sent: Monday, August 13, 2018 7:15:15 PM
Subject: Re: [keycloak-user] How to logout

HttpServletRequest.logout() should not be a no-op.  It was implemented a 
long time ago:
https://urldefense.proofpoint.com/v2/url?u=https-3A__issues.jboss.org_bro...

If there is an issue with it you should report it in JIRA.

Stan

On 8/13/2018 4:19 PM, Ryan Slominski wrote:
...
 Hi Keycloak Users,

 I'm using the Wildfly client adapter and trying to logout of Keycloak, even if a
client application container doesn't think it is logged in.  This is a problem because
login state with Keycloak and login state with JSESSION_ID in servlet container are two
separate things that can get out-of-sync.  The documentation says you can logout in one of
two ways:

 1. Call HttpServletRequest.logout()
 2. Navigate to URL
https://urldefense.proofpoint.com/v2/url?u=http-3A__auth-2Dserver_auth_re...
{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri

 See:
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.keycloak.org_doc...

 The first appears to be a no-op because the Java container itself isn't logged in, in
this case.  This does work if the client container is aware that it is logged in, but
doesn't otherwise.  The second also doesn't seem to do anything and just redirects
back to redirect_uri.  Any tips?

 A forceful logout is useful in the scenario when one client (client A) logs into
Keycloak, and a different client (cilent B) wants to forcefully logout as to switch users.
 In this scenario client B doesn't think it is logged in because the client adapter is
using container managed security with JSESSIONID, and locally the client isn't logged
in.  However if a login was attempted it would succeed automatically without prompting for
a username and password and therefore the user wouldn't get a chance to provide an
alternate username.  A switch user ability is useful when users need to login with
separate admin credentials or also in scenarios where a user says "move over and
I'll drive" to a colleague.

 Thanks,

 Ryan
 _______________________________________________
 keycloak-user mailing list
 keycloak-user(a)lists.jboss.org

https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mail...

_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mail...

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

Re: [keycloak-user] How to logout