9:59 a.m.
Hey,
I use mod_auth_openidc version "2.1.2", Keycloak version “2.4.0”
I was not able to implement the session management using OP and RP frames
as described here:
https://github.com/pingidentity/mod_auth_openidc/wiki/Session-Management
I see in mod_auth_openidc logs the following:
[Wed Feb 01 14:12:54 2017] [debug] src/mod_auth_openidc.c(1556): [client
192.168.111.33] oidc_save_in_session: session management disabled:
session_state ((null)) and/or check_session_iframe (
https://localhost/auth/realms/realm/protocol/openid-connect/login-status-...)
is not provided, referer:
https://192.168.110.2/auth/realms/realm/protocol/openid-connect/auth?resp...
It looks like the session management is disabled because the Provider did
not return a session_state parameter in the authentication response (which
in its turn can be verified via the referer URL in the same log entry) as
the spec dictates:
https://openid.net/specs/openid-connect-session-1_0.html#CreatingUpdating...
How should I configure explicitly enable session management in Keycloak?
It should starts returning session_state in the authentication responses.
I see that it is implemented already
https://issues.jboss.org/browse/KEYCLOAK-451 but probably I miss something.
2:47 a.m.
There's some fixes to the RP iframe coming in 2.5.4 which will be out in a
week or two. There was an issue with it expecting a "session_state" value
that wasn't equal to the value from the tokens.
You can try building master if you'd like to try it out in advance.
On 1 February 2017 at 16:59, Known Michael <known.michael(a)gmail.com> wrote:
Hey,
I use mod_auth_openidc version "2.1.2", Keycloak version “2.4.0”
I was not able to implement the session management using OP and RP frames
as described here:
https://github.com/pingidentity/mod_auth_openidc/wiki/Session-Management
I see in mod_auth_openidc logs the following:
[Wed Feb 01 14:12:54 2017] [debug] src/mod_auth_openidc.c(1556): [client
192.168.111.33] oidc_save_in_session: session management disabled:
session_state ((null)) and/or check_session_iframe (
https://localhost/auth/realms/realm/protocol/openid-connect/
login-status-iframe.html)
is not provided, referer:
https://192.168.110.2/auth/realms/realm/protocol/openid-
connect/auth?response_type=code&scope=openid&client_id=
httpd_192.168.110.2&state=i1YQ39FbBLSCTRyIgEN-F9CdDH4&
redirect_uri=https%3A%2F%2F192.168.110.2%2Fprotected%
2Fredirect_uri&nonce=0VJ7AO-QBaxVaUBL9goen7muN4Oka1dP_1iPEQ43o-M
It looks like the session management is disabled because the Provider did
not return a session_state parameter in the authentication response (which
in its turn can be verified via the referer URL in the same log entry) as
the spec dictates:
https://openid.net/specs/openid-connect-session-1_0.
html#CreatingUpdatingSessions
How should I configure explicitly enable session management in Keycloak?
It should starts returning session_state in the authentication responses.
I see that it is implemented already
https://issues.jboss.org/browse/KEYCLOAK-451 but probably I miss
something.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2868
days inactive
2870
days old
1 comments
2 participants
participants (2)
-
Known Michael -
Stian Thorgersen