[keycloak-user] Admin url for bearer-only applications

Stian Thorgersen stian at redhat.com
Fri Sep 12 05:23:59 EDT 2014


Bearer-only applications don't manage user sessions; they simply authenticate based on the token in the request.

When a user logs out, the applications a user has directly logged in to (confidential or public) should drop the user session. Confidential apps do this with the request from the server, which will in turn invalidate the session in the app. Public apps (using keycloak.js) do this by detecting the logout from the session iframe.

You should obviously also have a short "Access Token Lifespan" configured for your realm; this makes sure that any tokens are quickly expired after a logout. As the user session is invalidated on the server, any associated refresh tokens will be expired as well, so it won't be possible for an app to retrieve a new token after the user has logged out.

----- Original Message -----
> From: "Alarik Myrin" <alarik at zwift.com>
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, 11 September, 2014 8:52:50 PM
> Subject: [keycloak-user] Admin url for bearer-only applications
> 
> I am not sure the Admin url is working for bearer-only applications, at least
> not on Wildfly.
> 
> I have set the admin url for my bearer-only applications just like I do for
> my confidential applications. In both cases (they are both war file
> deployments running in Wildfly 8.0.0 Final) it is the context-root of the
> war file. When I log out the sessions from the keycloak admin console, the
> confidential applications hear about the logout, and will respond with a
> redirect, but the bearer-only reply with the protected resource instead of
> responding with a 401 like I would expect.
> 
> Is anyone else having trouble with this? There are no bearer-only resources
> in the preconfigured-demo realm file to check against...
> 
> BTW, I just verified that this was happening with Keycloak 1.0-final.
> 
> Thanks,
> 
> Alarik
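
The stateless check Stian describes, as an added example that is not Keycloak's own code: a bearer-only resource verifies only the token's signature and `exp`, never a server-side session, so a token issued before logout stays accepted until the Access Token Lifespan runs out. Keycloak signs realm tokens with RS256; the HMAC-SHA256 key here is a constructed stand-in so the example runs offline with the standard library.

```python
# Added example (not Keycloak's code): how a bearer-only app decides per request.
# The realm key and HS256 are constructed assumptions; Keycloak uses RS256 realm keys.
import base64
import hashlib
import hmac
import json

REALM_KEY = b"constructed-demo-key"  # assumption: stands in for the realm signing key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, issued_at: int, lifespan: int) -> str:
    """Mint a token whose validity is bounded only by 'lifespan' (Access Token Lifespan)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "iat": issued_at, "exp": issued_at + lifespan}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(REALM_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def bearer_only_accepts(token: str, now: int) -> bool:
    """What a bearer-only app checks on each request: signature and exp, nothing else.

    There is no session lookup, so a server-side logout is invisible here until exp.
    """
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        return False
    signing_input = f"{header_b64}.{claims_b64}".encode()
    expected = hmac.new(REALM_KEY, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False
    claims = json.loads(_b64url_decode(claims_b64))
    return now < claims.get("exp", 0)


def post_logout_window(issued_at: int, lifespan: int, logout_at: int) -> int:
    """Seconds after logout during which a bearer-only app still accepts the token."""
    return max(0, issued_at + lifespan - logout_at)
```

A shorter lifespan shrinks `post_logout_window` directly, which is the mitigation the reply recommends; the refresh token, being tied to the invalidated server session, cannot extend it.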
