Hey all, While implementing a Keycloak based secure application set (3 internal web applications) with Spring-Security, I’ve come upon some details that I can’t seem to find an adequate answer to. Our environment and implementations: The security layer is implemented on the front-end only (for now). JBoss EAP 6.4, JSF 2.1 Mojarra with RichFaces 4, Spring 3.2.18, Spring-security 3.2.10, Keycloak-spring-security-adapter 3.4.1 (same as the Keycloak server being used). What we’ve got working: 2 applications with SSL and SSO. Both redirect to the Keycloak login page. When we log in to app1 we’re also logged in in app2, so that’s good. What we want but can’t seem to achieve: · Log out of app1 --> refresh of app2 should redirect to the Keycloak login page. At this point it seems that the user credentials remain active as long as the browser session remains active. · After successful login from the Keycloak login page always redirect to the application welcome page (index.xhtml for instance). Use case: A user is working in one of our secured applications, has its browser session ended and clicks on some kind of link. The application correctly redirects this user to the Keycloak login page. The user correctly logs in and gets taken back to where he/she was. However, when this is an AJAX kind-of request the user sees plain XML when taken back the application. To avoid this I would like to always redirect to the welcome page of the application when the user logs in through the Keycloak login page. I can’t seem to find a way to do this. · Logout doesn’t always work well. Sometimes the Spring AntPathRequestMatcher doesn’t correctly match our logout pattern (/sso/logout**). Therefore we’ve provided an alternative that we’ve found in the documentation in the form of: “https://<keycloak-url-with-port>/auth/realms/<realmName>/protocol/openid-connect/logout?redirect_uri=<Application-base-URL> However this doesn’t always work either. There are situations, depending on invalid rights for certain application parts where this never logs out a user. We’ve got a Spring-security application context in XML that is roughly the same as the one found in the documentation. And a keycloak.json file that looks like this: { "realm": "<realmName>", "auth-server-url": "<keycloak-url-with-port>/auth", "ssl-required": "all", "truststore": "<working-truststore>", "truststore-password":"<a-working-pwd>", "resource": "<App1-name>", "public-client": true, "always-refresh-token": true } Due to the large number of Keycloak releases and accompanied configuration changes it’s really hard for us to find relevant information. When we first started by creating a POC we used the most recent Keycloak version (3.4.1-Final). A lot of information that is not old appears to be outdated. Just an observation. Thanks for reading. Klik hier<https://www.hvw.fgov.be/nl/mail-disclaimer> voor onze disclaimer Cliquez ici<https://www.hvw.fgov.be/fr/mail-disclaimer> pour notre disclaimer Klicken Sie hier<https://www.hvw.fgov.be/de/mail-disclaimer> für unseren Disclaimer