Bill,
I have found a workaround for my issue and will bring it up on the Errai site, but just to
help if others hit this.
I found out that the redirect to Keycloak login did not go through after logout (i.e.
essentially let you straight back into the app) because the JSESSIONID cookie has been
set somewhere and not cleared on the methods that call logout. I haven't yet traced it
all the way through to find out where it is set, so where it should be unset.
My workaround is to remove the cookie after I logout from Keycloak and before I redirect
to a logged out page.
Because Errai is using GWT I can use:-
import java.util.Date;
import com.google.gwt.user.client.Cookies;
// Expire the JSESSIONID cookie immediately (expiry = now) so the next request carries no session id.
String sessionId = Cookies.getCookie("JSESSIONID");
if ( sessionId != null ) {
    Cookies.setCookie("JSESSIONID", sessionId, new Date());
}
Regards, Graeme
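As an added example (not code from this thread, from Errai or from Keycloak), a servlet that does what Bill's reply describes: end the local session, expire the JSESSIONID cookie that Graeme's workaround clears on the client, and redirect the browser to the Keycloak logout URL with an encoded redirect_uri. The auth server base URL, the /app-logout and /logged-out.html paths and the class name are assumptions; the realm name is the one from the web.xml quoted below.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical logout endpoint: ends the local web-app session, expires the
// JSESSIONID cookie and sends the browser (not a background call) to the
// Keycloak logout URL so the SSO session ends too; otherwise Keycloak sees its
// own cookie and silently logs the user straight back in.
@WebServlet("/app-logout")
public class AppLogoutServlet extends HttpServlet {
    // Assumed values: the thread does not give the auth server URL; "demo" is the realm from web.xml.
    static final String AUTH_SERVER = "https://auth.example.com/auth";
    static final String REALM = "demo";

    // Builds the browser logout URL from Bill's reply (Keycloak RC1-era path).
    static String logoutUrl(String authServer, String realm, String postLogoutUri) {
        String encoded = URLEncoder.encode(postLogoutUri, StandardCharsets.UTF_8); // Java 10+
        return authServer + "/realms/" + realm + "/tokens/logout?redirect_uri=" + encoded;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Servlet 3.0 logout; the container's auth mechanism (here the Keycloak adapter) clears its state.
        req.logout();
        // 2. Invalidate the container session so nothing authenticated survives locally.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        // 3. Expire JSESSIONID server-side (Max-Age=0) on the path it was issued for,
        //    the same cookie Graeme's GWT workaround expires on the client.
        Cookie expired = new Cookie("JSESSIONID", "");
        expired.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
        expired.setMaxAge(0);
        expired.setHttpOnly(true);
        resp.addCookie(expired);
        // 4. Full browser redirect: Keycloak ends the SSO session, then returns to the logged-out page.
        String back = req.getRequestURL().toString().replace("/app-logout", "/logged-out.html");
        resp.sendRedirect(logoutUrl(AUTH_SERVER, REALM, back));
    }
}
```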
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
On Behalf Of Bill Burke
Sent: Friday, 15 August 2014 11:08 PM
To: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] logout workflow
I really don't know anything about Errai. I don't know what
"KeycloakAuthenticationService" class is. There is not one in our codebase.
Logout requires a *browser* redirect back to the auth server's logout URL:
GET /realms/{name}/tokens/logout?redirect_uri={encodedURI}
Sounds like you are not doing this. What is probably happening is that you are
invalidating the session of your Web application, you are being redirected to Keycloak
because the web app has been logged out, keycloak sees that you are already logged in (via
the cookie the auth server sends), creates a new token, then redirects you back.
You can also make a background REST invocation to:
GET /realms/{name}/tokens/logout?session_state={session_state}
And this will logout the SSO session. This background REST API has been removed in master
though. In RC1, this background REST invocation requires you to authenticate by sending a
refresh token to logout the SSO session.
POST /realms/{name}/tokens/logout
Content-Type: application/x-www-formencoded-whatever
refresh_token=2341234h2134l1kj241234
Hope that helps. Other than that, don't know much about Errai and really can't
help you.
On 8/15/2014 2:45 AM, Graeme Collis wrote:
I am writing an application that uses Errai and Keycloak.
I am able to login successfully and get all my user details and roles.
When I logout, I call the authenticationService to logout and then
redirect to login url.
The issue with this is then the login page is not shown, the filters
somehow pick up that the user is cached and re-authenticates with the
same user and comes straight back into the app.
When I logout the following is called:-
// Imports assumed for Errai 3.x / GWT (not shown in the original mail).
import com.google.gwt.core.client.GWT;
import com.google.gwt.user.client.Window;
import org.jboss.errai.bus.client.api.BusErrorCallback;
import org.jboss.errai.bus.client.api.messaging.Message;
import org.jboss.errai.common.client.api.RemoteCallback;

public void logout() {
    // Clear Errai's client-side security cache before calling the remote logout.
    securityContext.invalidateCache();
    authService.call( new RemoteCallback<Void>() {
        @Override
        public void callback( Void response ) {
            // On success, send the browser to the login URL handled by the filters.
            // redirect(...) is a helper from the caller's own code, not shown in the mail.
            redirect( GWT.getHostPageBaseURL() + "app-login");
        }
    }, new BusErrorCallback() {
        @Override
        public boolean error( Message message, Throwable throwable ) {
            Window.alert( "Logout failed: "+ throwable );
            return true;
        }
    } ).logout();
}
Under the covers the logout calls the
KeycloakAuthenticationService.logout(). Following through in debug all
this does is set the securityContext to null.
I added the invalidateCache as an attempt to clear the cache but that
did not work. I think I'm just not understanding the flow.
I have a GWT module page(/provider-ui.html) which is the only page of
the app.
I have a /app-login URL which is used by the filters to redirect to
Keycloak and redirect back to the GWT page after authentication.
My web.xml looks like this:-
<filter>
    <filter-name>ErraiLoginRedirectFilter</filter-name>
    <init-param>
        <param-name>redirectLocation</param-name>
        <param-value>/provider-ui.html</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>ErraiLoginRedirectFilter</filter-name>
    <url-pattern>/app-login</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>ErraiUserCookieFilter</filter-name>
    <url-pattern>/provider-ui.html</url-pattern>
</filter-mapping>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Login</web-resource-name>
        <url-pattern>/app-login</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>demo</realm-name>
</login-config>
<security-role>
    <role-name>user</role-name>
</security-role>
<security-role>
    <role-name>admin</role-name>
</security-role>
Any pointers of the direction I should take to solve this?
Thanks, Graeme
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com