10:09 p.m.
Anyway, if you've made this work, please specify the versions of the
libraries you used; I will find a Java friend to put them together, and
then I'll look at HTTP requests issued and implement them in Python :)
11.11.19 23:06, Leonid Rozenblyum пишет:
Well since Spring Security adapter is used inside Java client
software
to secure communication with Keycloak, and you're developing your
software in Python - it seems to be another problem...
According to the docs:
*Admin URL*
For _Keycloak specific_ client adapters, this is the callback endpoint
for the client. The Keycloak server will use this URI to make
callbacks like pushing revocation policies, performing backchannel
logout, and other administrative operations. For Keycloak servlet
adapters, this can be the root URL of the servlet application. For
more information see Securing Applications and Services Guide.
It looks like Python OIDC library is not keycloak-specific, so Admin
URL is NOT an option to set up backchannel logout.
On Mon, Nov 11, 2019 at 9:41 PM mn(a)fstrk.io <mailto:mn@fstrk.io>
<mn(a)fstrk.io <mailto:mn@fstrk.io>> wrote:
I would love to try it, but I am a Python guy and I am not sure
how to figure out Keycloak internals :) is there anyway you can
point me to look for the instructions on how to do it?
11.11.19 22:27, Leonid Rozenblyum пишет:
> Ok, I see.
> But do you use Spring Security adapter in your application?
> If yes, a workaround for KEYCLOAK-10266
> <https://issues.jboss.org/browse/KEYCLOAK-10266> is possible even
> before 8.0.0 release.
>
> On Mon, Nov 11, 2019 at 6:48 PM mn(a)fstrk.io <mailto:mn@fstrk.io>
> <mn(a)fstrk.io <mailto:mn@fstrk.io>> wrote:
>
> I am using the Docker version, and 8.0.0 has not been
> released in Docker yet:
> https://hub.docker.com/r/jboss/keycloak/tags
>
> so I guess the only option for me is wait for the 8.0.0
> Docker release then.
>
>
> 11.11.19 17:56, Leonid Rozenblyum пишет:
>> Hi. What adapter are you using?
>> Spring Security adapter had a bug which was recently fixed
>> and the fix should be part of 8.0.0
>> https://issues.jboss.org/browse/KEYCLOAK-10266
>>
>> On Mon, Nov 11, 2019 at 6:14 AM mn(a)fstrk.io
>> <mailto:mn@fstrk.io> <mn(a)fstrk.io <mailto:mn@fstrk.io>>
wrote:
>>
>> I created a client in Keycloak and set up a test admin URL
>> https://webhook.site/12c50381-0814-441a-82bb-1a68c8366a60
>> (this is a
>> webhook testing site).
>>
>> After that, I performed an OpenID login via this client,
>> and then sent a
>> logout request to Keycloak.
>>
>>
>> I did this a couple of times, and tried two ways of
>> logging a user out:
>>
>> - redirecting to
>> http://.../auth/realms/myrealm/protocol/openid-connect/logout
>>
>>
<http://127.0.0.1:8080/auth/realms/myrealm/protocol/openid-connect/logout>
>>
>> - force logging out of the user via Keycloak admin
>> interface:
>> http://prntscr.com/pv1v76
>>
>> The user indeed gets logged out. However, in both of
>> these cases I don't
>> see any requests coming out from Keycloak. The testing
>> website shows
>> zero registered requests.
>>
>>
>> How do I make this work?
>>
>>
>>
>>
>> --
>> Mikhail Novikov
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> <mailto:keycloak-user@lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
> --
> Михаил Новиков
> Ведущий разработчик
> fstrk.io <http://fstrk.io>
>
--
Михаил Новиков
Ведущий разработчик
fstrk.io <http://fstrk.io>
--
Михаил Новиков
Ведущий разработчик
fstrk.io
1:16 a.m.
New subject: keycloak does not send backchannel logout requests to Admin URL
The adapter creates REST endpoints to listen to the logout event.
Suppose there are 2 apps under SSO. You execute log-out from one of them.
Another one is receiving backchannel call from Keycloak about the log-out
event to immediately terminate session.
Otherwise the 2'nd app will know about session invalidation only after next
request to keycloak (e.g. for refreshing a token).
I've been using Keycloak Spring Security Adapter 7.0.1 with Keycloak 7.0.1
however it still contained a bug for Single Logout that's why I had to
promote a fix for https://issues.jboss.org/browse/KEYCLOAK-10266.
Until keycloak 8 is released I had to apply a workaround of custom
HttpSessionManager registration.
On Tue, Nov 12, 2019 at 6:09 AM mn(a)fstrk.io <mn(a)fstrk.io> wrote:
Anyway, if you've made this work, please specify the versions of
the
libraries you used; I will find a Java friend to put them together, and
then I'll look at HTTP requests issued and implement them in Python :)
11.11.19 23:06, Leonid Rozenblyum пишет:
Well since Spring Security adapter is used inside Java client software to
secure communication with Keycloak, and you're developing your software in
Python - it seems to be another problem...
According to the docs:
*Admin URL*
For *Keycloak specific* client adapters, this is the callback endpoint
for the client. The Keycloak server will use this URI to make callbacks
like pushing revocation policies, performing backchannel logout, and other
administrative operations. For Keycloak servlet adapters, this can be the
root URL of the servlet application. For more information see Securing
Applications and Services Guide.
It looks like Python OIDC library is not keycloak-specific, so Admin URL
is NOT an option to set up backchannel logout.
On Mon, Nov 11, 2019 at 9:41 PM mn(a)fstrk.io <mn(a)fstrk.io> wrote:
> I would love to try it, but I am a Python guy and I am not sure how to
> figure out Keycloak internals :) is there anyway you can point me to look
> for the instructions on how to do it?
>
>
>
> 11.11.19 22:27, Leonid Rozenblyum пишет:
>
> Ok, I see.
> But do you use Spring Security adapter in your application?
> If yes, a workaround for KEYCLOAK-10266
> <https://issues.jboss.org/browse/KEYCLOAK-10266> is possible even before
> 8.0.0 release.
>
> On Mon, Nov 11, 2019 at 6:48 PM mn(a)fstrk.io <mn(a)fstrk.io> wrote:
>
>> I am using the Docker version, and 8.0.0 has not been released in Docker
>> yet: https://hub.docker.com/r/jboss/keycloak/tags
>>
>> so I guess the only option for me is wait for the 8.0.0 Docker release
>> then.
>>
>>
>> 11.11.19 17:56, Leonid Rozenblyum пишет:
>>
>> Hi. What adapter are you using?
>> Spring Security adapter had a bug which was recently fixed and the fix
>> should be part of 8.0.0 https://issues.jboss.org/browse/KEYCLOAK-10266
>>
>> On Mon, Nov 11, 2019 at 6:14 AM mn(a)fstrk.io <mn(a)fstrk.io> wrote:
>>
>>> I created a client in Keycloak and set up a test admin URL
>>> https://webhook.site/12c50381-0814-441a-82bb-1a68c8366a60 (this is a
>>> webhook testing site).
>>>
>>> After that, I performed an OpenID login via this client, and then sent
>>> a
>>> logout request to Keycloak.
>>>
>>>
>>> I did this a couple of times, and tried two ways of logging a user out:
>>>
>>> - redirecting to
>>> http://.../auth/realms/myrealm/protocol/openid-connect/logout
>>> <
>>> http://127.0.0.1:8080/auth/realms/myrealm/protocol/openid-connect/logout
>>> >
>>>
>>> - force logging out of the user via Keycloak admin interface:
>>> http://prntscr.com/pv1v76
>>>
>>> The user indeed gets logged out. However, in both of these cases I
>>> don't
>>> see any requests coming out from Keycloak. The testing website shows
>>> zero registered requests.
>>>
>>>
>>> How do I make this work?
>>>
>>>
>>>
>>>
>>> --
>>> Mikhail Novikov
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>> --
>> Михаил Новиков
>> Ведущий разработчикfstrk.io
>>
>>
> --
> Михаил Новиков
> Ведущий разработчикfstrk.io
>
>
--
Михаил Новиков
Ведущий разработчикfstrk.io
6:01 a.m.
New subject: keycloak does not send backchannel logout requests to Admin URL
I see, thanks!
But I created a catch-all REST endpoint that would show any requests
coming from keycloak. And it shows none.
Maybe you are executing logout in a different way than me? I just
redirect the user to a logout URL:
http://xxxxx:com/auth/realms/fasttrack/protocol/openid-connect/logout
<http://ec2-52-90-230-56.compute-1.amazonaws.com:9090/auth/realms/fasttrac...
12.11.19 10:16, Leonid Rozenblyum пишет:
The adapter creates REST endpoints to listen to the logout event.
Suppose there are 2 apps under SSO. You execute log-out from one of them.
Another one is receiving backchannel call from Keycloak about the
log-out event to immediately terminate session.
Otherwise the 2'nd app will know about session invalidation only after
next request to keycloak (e.g. for refreshing a token).
I've been using Keycloak Spring Security Adapter 7.0.1 with Keycloak
7.0.1 however it still contained a bug for Single Logout that's why I
had to promote a fix for https://issues.jboss.org/browse/KEYCLOAK-10266.
Until keycloak 8 is released I had to apply a workaround of custom
HttpSessionManager registration.
On Tue, Nov 12, 2019 at 6:09 AM mn(a)fstrk.io <mailto:mn@fstrk.io>
<mn(a)fstrk.io <mailto:mn@fstrk.io>> wrote:
Anyway, if you've made this work, please specify the versions of
the libraries you used; I will find a Java friend to put them
together, and then I'll look at HTTP requests issued and implement
them in Python :)
11.11.19 23:06, Leonid Rozenblyum пишет:
> Well since Spring Security adapter is used inside Java client
> software to secure communication with Keycloak, and you're
> developing your software in Python - it seems to be another
> problem...
>
> According to the docs:
>
>
> *Admin URL*
> For _Keycloak specific_ client adapters, this is the callback
> endpoint for the client. The Keycloak server will use this URI to
> make callbacks like pushing revocation policies, performing
> backchannel logout, and other administrative operations. For
> Keycloak servlet adapters, this can be the root URL of the
> servlet application. For more information see Securing
> Applications and Services Guide.
>
> It looks like Python OIDC library is not keycloak-specific, so
> Admin URL is NOT an option to set up backchannel logout.
>
> On Mon, Nov 11, 2019 at 9:41 PM mn(a)fstrk.io <mailto:mn@fstrk.io>
> <mn(a)fstrk.io <mailto:mn@fstrk.io>> wrote:
>
> I would love to try it, but I am a Python guy and I am not
> sure how to figure out Keycloak internals :) is there anyway
> you can point me to look for the instructions on how to do it?
>
>
>
> 11.11.19 22:27, Leonid Rozenblyum пишет:
>> Ok, I see.
>> But do you use Spring Security adapter in your application?
>> If yes, a workaround for KEYCLOAK-10266
>> <https://issues.jboss.org/browse/KEYCLOAK-10266> is possible
>> even before 8.0.0 release.
>>
>> On Mon, Nov 11, 2019 at 6:48 PM mn(a)fstrk.io
>> <mailto:mn@fstrk.io> <mn(a)fstrk.io <mailto:mn@fstrk.io>>
wrote:
>>
>> I am using the Docker version, and 8.0.0 has not been
>> released in Docker yet:
>> https://hub.docker.com/r/jboss/keycloak/tags
>>
>> so I guess the only option for me is wait for the 8.0.0
>> Docker release then.
>>
>>
>> 11.11.19 17:56, Leonid Rozenblyum пишет:
>>> Hi. What adapter are you using?
>>> Spring Security adapter had a bug which was recently
>>> fixed and the fix should be part of 8.0.0
>>> https://issues.jboss.org/browse/KEYCLOAK-10266
>>>
>>> On Mon, Nov 11, 2019 at 6:14 AM mn(a)fstrk.io
>>> <mailto:mn@fstrk.io> <mn(a)fstrk.io
<mailto:mn@fstrk.io>>
>>> wrote:
>>>
>>> I created a client in Keycloak and set up a test
>>> admin URL
>>> https://webhook.site/12c50381-0814-441a-82bb-1a68c8366a60
>>> (this is a
>>> webhook testing site).
>>>
>>> After that, I performed an OpenID login via this
>>> client, and then sent a
>>> logout request to Keycloak.
>>>
>>>
>>> I did this a couple of times, and tried two ways of
>>> logging a user out:
>>>
>>> - redirecting to
>>>
http://.../auth/realms/myrealm/protocol/openid-connect/logout
>>>
>>>
<http://127.0.0.1:8080/auth/realms/myrealm/protocol/openid-connect/logout>
>>>
>>> - force logging out of the user via Keycloak admin
>>> interface:
>>> http://prntscr.com/pv1v76
>>>
>>> The user indeed gets logged out. However, in both
>>> of these cases I don't
>>> see any requests coming out from Keycloak. The
>>> testing website shows
>>> zero registered requests.
>>>
>>>
>>> How do I make this work?
>>>
>>>
>>>
>>>
>>> --
>>> Mikhail Novikov
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> <mailto:keycloak-user@lists.jboss.org>
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>> --
>> Михаил Новиков
>> Ведущий разработчик
>> fstrk.io <http://fstrk.io>
>>
>
> --
> Михаил Новиков
> Ведущий разработчик
> fstrk.io <http://fstrk.io>
>
--
Михаил Новиков
Ведущий разработчик
fstrk.io <http://fstrk.io>
--
Михаил Новиков
Ведущий разработчик
fstrk.io
2:03 p.m.
New subject: keycloak does not send backchannel logout requests to Admin URL
Hi, I use a similar link to log-out.
Maybe in order to investigate the reason of the issue, you may increase
logging level of keycloak by editing standalone.xml (try setting TRACE
level for org.keycloak package in logging subsystem).
On Tue, Nov 12, 2019 at 2:02 PM mn(a)fstrk.io <mn(a)fstrk.io> wrote:
I see, thanks!
But I created a catch-all REST endpoint that would show any requests
coming from keycloak. And it shows none.
Maybe you are executing logout in a different way than me? I just redirect
the user to a logout URL:
http://xxxxx:com/auth/realms/fasttrack/protocol/openid-connect/logout
<http://ec2-52-90-230-56.compute-1.amazonaws.com:9090/auth/realms/fasttrac...
12.11.19 10:16, Leonid Rozenblyum пишет:
The adapter creates REST endpoints to listen to the logout event.
Suppose there are 2 apps under SSO. You execute log-out from one of them.
Another one is receiving backchannel call from Keycloak about the log-out
event to immediately terminate session.
Otherwise the 2'nd app will know about session invalidation only after
next request to keycloak (e.g. for refreshing a token).
I've been using Keycloak Spring Security Adapter 7.0.1 with Keycloak 7.0.1
however it still contained a bug for Single Logout that's why I had to
promote a fix for https://issues.jboss.org/browse/KEYCLOAK-10266.
Until keycloak 8 is released I had to apply a workaround of custom
HttpSessionManager registration.
On Tue, Nov 12, 2019 at 6:09 AM mn(a)fstrk.io <mn(a)fstrk.io> wrote:
> Anyway, if you've made this work, please specify the versions of the
> libraries you used; I will find a Java friend to put them together, and
> then I'll look at HTTP requests issued and implement them in Python :)
>
> 11.11.19 23:06, Leonid Rozenblyum пишет:
>
> Well since Spring Security adapter is used inside Java client software to
> secure communication with Keycloak, and you're developing your software in
> Python - it seems to be another problem...
>
> According to the docs:
>
>
> *Admin URL*
> For *Keycloak specific* client adapters, this is the callback endpoint
> for the client. The Keycloak server will use this URI to make callbacks
> like pushing revocation policies, performing backchannel logout, and other
> administrative operations. For Keycloak servlet adapters, this can be the
> root URL of the servlet application. For more information see Securing
> Applications and Services Guide.
>
> It looks like Python OIDC library is not keycloak-specific, so Admin URL
> is NOT an option to set up backchannel logout.
>
> On Mon, Nov 11, 2019 at 9:41 PM mn(a)fstrk.io <mn(a)fstrk.io> wrote:
>
>> I would love to try it, but I am a Python guy and I am not sure how to
>> figure out Keycloak internals :) is there anyway you can point me to look
>> for the instructions on how to do it?
>>
>>
>>
>> 11.11.19 22:27, Leonid Rozenblyum пишет:
>>
>> Ok, I see.
>> But do you use Spring Security adapter in your application?
>> If yes, a workaround for KEYCLOAK-10266
>> <https://issues.jboss.org/browse/KEYCLOAK-10266> is possible even
>> before 8.0.0 release.
>>
>> On Mon, Nov 11, 2019 at 6:48 PM mn(a)fstrk.io <mn(a)fstrk.io> wrote:
>>
>>> I am using the Docker version, and 8.0.0 has not been released in
>>> Docker yet: https://hub.docker.com/r/jboss/keycloak/tags
>>>
>>> so I guess the only option for me is wait for the 8.0.0 Docker release
>>> then.
>>>
>>>
>>> 11.11.19 17:56, Leonid Rozenblyum пишет:
>>>
>>> Hi. What adapter are you using?
>>> Spring Security adapter had a bug which was recently fixed and the fix
>>> should be part of 8.0.0 https://issues.jboss.org/browse/KEYCLOAK-10266
>>>
>>> On Mon, Nov 11, 2019 at 6:14 AM mn(a)fstrk.io <mn(a)fstrk.io> wrote:
>>>
>>>> I created a client in Keycloak and set up a test admin URL
>>>> https://webhook.site/12c50381-0814-441a-82bb-1a68c8366a60 (this is a
>>>> webhook testing site).
>>>>
>>>> After that, I performed an OpenID login via this client, and then sent
>>>> a
>>>> logout request to Keycloak.
>>>>
>>>>
>>>> I did this a couple of times, and tried two ways of logging a user out:
>>>>
>>>> - redirecting to
>>>> http://.../auth/realms/myrealm/protocol/openid-connect/logout
>>>> <
>>>> http://127.0.0.1:8080/auth/realms/myrealm/protocol/openid-connect/logout
>>>> >
>>>>
>>>> - force logging out of the user via Keycloak admin interface:
>>>> http://prntscr.com/pv1v76
>>>>
>>>> The user indeed gets logged out. However, in both of these cases I
>>>> don't
>>>> see any requests coming out from Keycloak. The testing website shows
>>>> zero registered requests.
>>>>
>>>>
>>>> How do I make this work?
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Mikhail Novikov
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>> --
>>> Михаил Новиков
>>> Ведущий разработчикfstrk.io
>>>
>>>
>> --
>> Михаил Новиков
>> Ведущий разработчикfstrk.io
>>
>>
> --
> Михаил Новиков
> Ведущий разработчикfstrk.io
>
>
--
Михаил Новиков
Ведущий разработчикfstrk.io
2338
days inactive
2339
days old
3 comments
2 participants
participants (2)
-
Leonid Rozenblyum -
mn@fstrk.io