[keycloak-dev] OAuth2 revoke
Corinne Krych
corinnekrych at gmail.com
Thu Sep 25 10:19:51 EDT 2014
Thanks Marek
Indeed with a correct backend realm config [1], I have a Swift iOS helloworld type demo[2] with request/refresh/revoke tokens working just fine.
Next step, I want to share how to use oauth2 with KC and iOS with a blog post.
++
Corinne
[1] https://github.com/corinnekrych/aerogear-backend-cookbook/blob/master/ProductInventory/configuration/testrealm.json#L59
[2] https://github.com/aerogear/aerogear-ios-cookbook/tree/swift/ProductInventory
On 22 Sep 2014, at 11:01, Marek Posolda <mposolda at redhat.com> wrote:
> In this config, you specified product-inventory to be public OAuth client. In this case, you may delete this line:
> https://github.com/corinnekrych/aerogear-backend-cookbook/blob/master/ProductInventory/configuration/testrealm.json#L42
> because for public applications/oauth clients, you don't need secret at all.
>
> Also I think the exception with revocation is due to incorrect configuration of this application: https://github.com/corinnekrych/aerogear-backend-cookbook/blob/master/ProductInventory/configuration/testrealm.json#L64. Do you really have this application running and deployed on localhost:8081 ? If not, you can either delete this or update configurations.
>
> Also it might be good to update to Keycloak 1.0.1.Final as Stian added this fix: https://issues.jboss.org/browse/KEYCLOAK-682 which cause that logout is not send to all applications, but just to those when user is really logged into.
>
> Marek
>
>
>
> On 22.9.2014 10:28, Corinne Krych wrote:
>> Yep indeed i think it’s an error of configuration but not sure which one i should change. In my use case it’s a oauth2 client app. whe re should I specify the URL redirect for logout?
>> See my config file here:
>> https://github.com/corinnekrych/aerogear-backend-cookbook/blob/master/ProductInventory/configuration/testrealm.json#L39
>>
>> do I need to define a product-inventory app? or a simple oauth2 client is enough?
>>
>> Best Regards,
>> Corinne
>> On 22 Sep 2014, at 09:44, Marek Posolda <mposolda at redhat.com> wrote:
>>
>>> Hi,
>>>
>>> there is exception in the log like:
>>>
>>> Caused by: org.apache.http.conn.HttpHostConnectException: Connection to http://localhost:8081 refused
>>>
>>> isn't it possible that adminURL for some of your applications is not configured correctly (like there is localhost:8081 instead of localhost:8080)?
>>>
>>> Btv. I've created JIRA https://issues.jboss.org/browse/KEYCLOAK-709 as currently it seems that if ResourceAdminManager.logoutUser wants to call logout to more applications (like app1 and app2) and logout to app1 fails, then RuntimeException is thrown and logout to app2 is not called at all, which doesn't seem to be correct behaviour to me.
>>>
>>> Marek
>>>
>>>
>>> On 20.9.2014 17:48, Corinne Krych wrote:
>>>> Hello
>>>>
>>>> Trying to implement AGIOS-206 [1] linked to [2], what iI need is a revoke of all tokens (refresh and access token).
>>>>
>>>> I've tried ‘logout’ with a refresh token this endpoint:
>>>> http://docs.jboss.org/keycloak/docs/1.0.1.Final/rest-api/realms/%7Brealm%7D/tokens/logout/index.html#POST
>>>> for a public client.
>>>> I run appliance 1.0-final distribution of key cloak.
>>>>
>>>> But I run into this exception [3] after a timeout. Anything else I can try or should I just wait for revoke feature to be implemented in Keycloak?
>>>>
>>>> ++
>>>> Corinne
>>>>
>>>> [1] https://issues.jboss.org/browse/AGIOS-206
>>>> [2] https://issues.jboss.org/browse/KEYCLOAK-312
>>>> [3] https://gist.github.com/corinnekrych/53bd73c4e047281a94f1
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
More information about the keycloak-dev
mailing list