My understanding is:
From the viewpoint of the web application it would be sufficient to
call HttpServletRequest.logout(). But since this web application is running within an SSO
environment it would be nice to also inform the SSO provider about the logout. The
provider will then distribute this logout event to all registered clients.
So you have to do several things in your web application:
1) provide some UI-interface for logout (e.g. a Logout Button)
2) this UI interface should call HttpServletRequest.logout() (to end the session in the
current web application) and also signal the logout to the SSO provider.
3) The web application should handle incoming logout requests from the SSO provider (user
has logged out within another application) by calling HttpServletRequest.logout() to end
the current session.
The confusion might be that two different aspects of logout are mixed here: the logout of
the local session and the logout signalling of the SSO session.
I hope I explained it correctly.
Regards,
Manfred
--
Manfred Schenk, Fraunhofer IOSB
Informationsmanagement und Leittechnik
Fraunhoferstraße 1,76131 Karlsruhe, Germany
Telefon +49 721 6091-391
mailto:Manfred.Schenk@iosb.fraunhofer.de
http://www.iosb.fraunhofer.de
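The following is an added example illustrating steps 1) and 2) of the reply above; it is not code from the original post and not part of Keycloak itself. It is a servlet behind a logout button that first ends the local container session (HttpServletRequest.logout() plus session invalidation) and then redirects the browser to the realm's openid-connect logout endpoint so the SSO session is ended there and Keycloak can send its backchannel logouts to the other clients. The auth server URL, realm name, servlet path and post-logout URL are assumed placeholders; the redirect_uri query parameter is the one accepted by the Keycloak versions cited in the thread (3.x) and must match a registered redirect URI of the client.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example: local logout followed by SSO logout at Keycloak.
 * Exposed as POST only so that a cross-site GET (e.g. an <img src="/logout">)
 * cannot log the user out; the logout button is a form that POSTs here.
 */
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    // Assumed values, not from the original post: adjust to your deployment.
    private static final String AUTH_SERVER_URL = "https://auth-server/auth";
    private static final String REALM = "myrealm";
    private static final String POST_LOGOUT_URL = "https://app.example.com/";

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // Step 1/2 of the reply: end the local session in this web application.
        request.logout();                         // clears the container's authenticated principal
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();                 // drops the HTTP session and its stored tokens
        }

        // Step 2 of the reply: signal the logout to the SSO provider. Keycloak ends the
        // SSO session and, for every client with an admin URL, sends the backchannel
        // logout request described in the thread; the adapter in each of those clients
        // then invalidates its own session.
        String logoutUrl = buildKeycloakLogoutUrl(AUTH_SERVER_URL, REALM, POST_LOGOUT_URL);

        response.setHeader("Cache-Control", "no-store");
        response.sendRedirect(logoutUrl);
    }

    // Browsers that reach this via GET (bookmark, typed URL) get the button page instead.
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        response.setContentType("text/html;charset=UTF-8");
        response.getWriter().print(
                "<form method=\"post\" action=\"" + request.getContextPath() + "/logout\">"
              + "<button type=\"submit\">Logout</button></form>");
    }

    /** Builds the realm logout URL; kept separate so it can be unit-tested. */
    static String buildKeycloakLogoutUrl(String authServerUrl, String realm, String postLogoutUrl)
            throws IOException {
        return authServerUrl + "/realms/" + realm + "/protocol/openid-connect/logout"
             + "?redirect_uri=" + URLEncoder.encode(postLogoutUrl, StandardCharsets.UTF_8.name());
    }
}
```

Step 3) is not shown because, with an admin URL configured for the client, the Keycloak Java adapter itself answers the backchannel logout request that Keycloak sends to that URL and invalidates the matching local session; the application only needs to make sure the admin URL is reachable from the Keycloak server. If you are not using the adapter, that is where you would add the handler that ends the local session.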
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org>
On behalf of Eric B
Sent: Wednesday, 2 May 2018 22:42
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Confused about backchannel logout with a Java adapter
I was trying to understand the flow of a backchannel logout from my web application.
I find the documentation confusing. The documentation for logging out (
https://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/java/logout.html
) says:
You can log out of a web application in multiple ways. For Java EE servlet containers, you
can call HttpServletRequest.logout(). For other browser applications, you can redirect the
browser to
http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logou...,
which logs you out if you have an SSO session with your browser.
The documentation for the Admin URL configuration (
https://www.keycloak.org/docs/3.4/securing_apps/#admin-url-configuration)
says:
For example the way backchannel logout works is:
1. User sends logout request from one application
2. The application sends logout request to Keycloak
3. The Keycloak server invalidates the user session
4. The Keycloak server then sends a backchannel request to application with an admin url that are associated with the session
5. When an application receives the logout request it invalidates the corresponding HTTP session
So from my understanding, either:
1. calling HttpServletRequest.logout() is supposed to magically send a
request to Keycloak (obviously not possible).
2. a GET to
http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logou...
should magically detect the clientId and send a request to the appropriate
backchannel (doesn't happen either).
I've tried sending the GET to the logout endpoint with an access_token, but that
doesn't make any difference either.
What am I misunderstanding from this documentation? How am I supposed to code the
logout?
Thanks,
Eric