[keycloak-user] Http Session is not invalidated

Chen Keong Yap chenkeong.yap at izeno.com
Mon Apr 6 06:47:43 EDT 2015


Hi Bill,

Global logout only removed SP sessions, not web application sessions, and
this created security loopholes.

Please advise

On Mon, Apr 6, 2015 at 6:41 AM, Chen Keong Yap <chenkeong.yap at izeno.com>
wrote:

> Guys,
>
> Can share your ideas why global logout is not working?
> On Apr 3, 2015 3:47 PM, "Chen Keong Yap" <chenkeong.yap at izeno.com> wrote:
>
>> Hi Marek,
>>
>> I've just tested backchannel logout and it's showing the same issue. Both
>> applications are using PL SP Filter and the steps below are used for
>> testing.
>>
>> 1. Open https://localhost:8443/employee/ and http request is redirected
>> to https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
>>
>> 2. Enter username and password into the keycloak login page and get redirected to
>> the employee landing page
>>
>> 3. Open https://localhost:8443/sales-post/ and get redirected to the sales-post
>> landing page without login
>>
>> 4. Log on to the keycloak admin console and notice there are 2 active sessions
>>
>> 5. Perform global logout from employee landing page (
>> https://localhost:8443/employee/?GLO=true) and http request is
>> redirected to
>> https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
>>
>> 6. Log on to the keycloak admin console and notice all sessions are gone
>>
>> 7. Refresh the sales-post landing page and it's not redirected to the keycloak
>> login page. The sales-post session is still active.
>>
>> Kindly advise why GLO is performed but the second application
>> (sales-post) session is still active?
>>
>> On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda <mposolda at redhat.com>
>> wrote:
>>
>>> Switch the "Front channel logout" to off. In this case it should use
>>> backchannel (not redirecting through browser, but sending logout requests
>>> from Keycloak in background)
>>>
>>> Marek
>>>
>>>
>>>
>>> On 3.4.2015 08:28, Chen Keong Yap wrote:
>>>
>>>
>>> Hi Marek,
>>>
>>> I've tried frontChannel logout in 1.2.0.Beta1 and it's giving me the
>>> same issues, please refer to the settings shown in the screenshot.
>>>
>>> Can you please advise how to test backchannel logout?
>>>
>>>
>>>  [image: Inline image 1]
>>>
>>>
>>>
>>> On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda <mposolda at redhat.com>
>>> wrote:
>>>
>>>> I would try to upgrade to latest 1.2.0.Beta1 as it has some related
>>>> fixes AFAIK.
>>>>
>>>> In this version, you also have the possibility to set up either frontChannel
>>>> logout or backchannel logout for the application. It could be set in the
>>>> Keycloak admin console. I think that at least one of them will work with SP
>>>> filter in the latest version (if not both).
>>>>
>>>> Marek
>>>>
>>>>
>>>> On 3.4.2015 01:44, Chen Keong Yap wrote:
>>>>
>>>> Hi,
>>>>
>>>> I've 2 applications installed with Picketlink SPFilter to
>>>> authenticate with keycloak 1.1.0 beta 2.
>>>>
>>>> When I perform global logout, the first application was logged out
>>>> successfully because the SP/keycloak session and application http session are
>>>> removed, but the problem is that for the second
>>>> application the SP/keycloak session is removed but the application http session
>>>> still remains. I've set admin url for these 2 applications in the keycloak
>>>> admin console. Kindly share your ideas.
>>>>
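The failure described in this thread is that a backchannel LogoutRequest arrives at the SP directly from Keycloak, with no browser cookie, so the SP can clear its own SAML state but has no handle on the container HttpSession that the first login created. The Java servlet code below is an added example, not Picketlink's or Keycloak's own code: it keeps a registry keyed by SAML SessionIndex so the backchannel handler can invalidate the application session too. The attribute name and the two entry points (register, invalidateByIndex) are assumptions about where the SP filter would call in.

```java
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Maps the SAML SessionIndex issued at login to the web application's own
 * HttpSession, so a server-to-server LogoutRequest (which carries no
 * JSESSIONID cookie) can still invalidate the container session.
 */
public class SamlSessionRegistry implements HttpSessionListener {
    // SessionIndex -> container session, shared by every request of this web app
    private static final Map<String, HttpSession> BY_INDEX = new ConcurrentHashMap<>();
    // Hypothetical attribute name; any constant the SP filter agrees on will do
    private static final String INDEX_ATTR = "saml.sessionIndex";

    /** Called once, after the SP filter has accepted the IdP Response for this session. */
    public static void register(HttpSession session, String sessionIndex) {
        session.setAttribute(INDEX_ATTR, sessionIndex);
        BY_INDEX.put(sessionIndex, session);
    }

    /**
     * Called by the backchannel logout endpoint with the SessionIndex taken from
     * the LogoutRequest. Returns true if a live application session was found and
     * invalidated, false if none was registered or it had already expired.
     */
    public static boolean invalidateByIndex(String sessionIndex) {
        HttpSession session = BY_INDEX.remove(sessionIndex);
        if (session == null) return false;
        try {
            session.invalidate(); // drops the app's HttpSession, not just the SP state
        } catch (IllegalStateException alreadyInvalid) {
            return false;
        }
        return true;
    }

    @Override public void sessionCreated(HttpSessionEvent se) { }

    /** Keeps the map from leaking when a session times out or is invalidated elsewhere. */
    @Override public void sessionDestroyed(HttpSessionEvent se) {
        Object idx = se.getSession().getAttribute(INDEX_ATTR);
        if (idx != null) BY_INDEX.remove(idx.toString());
    }
}
```

Declare the class as a listener in web.xml (or annotate it with @WebListener) so sessionDestroyed runs on every session end. Step 7 of the test above then redirects to the login page, because the sales-post HttpSession no longer exists after the backchannel request.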