[keycloak-user] Http Session is not invalidated
Bill Burke
bburke at redhat.com
Mon Apr 6 09:56:30 EDT 2015
I tried out the saml demo app and logout works just fine, so I'm
guessing this is a bug in the PL SP Filter.
On 4/6/2015 6:47 AM, Chen Keong Yap wrote:
> Hi bill,
>
> Global logout only removed SP sessions but not web application sessions,
> and this created security loopholes.
>
> Please advise
>
> On Mon, Apr 6, 2015 at 6:41 AM, Chen Keong Yap <chenkeong.yap at izeno.com> wrote:
>
> Guys,
>
> Can share your ideas why global logout is not working?
>
> On Apr 3, 2015 3:47 PM, "Chen Keong Yap" <chenkeong.yap at izeno.com> wrote:
>
> Hi Marek,
>
> I've just tested backchannel logout and it's showing same issue.
> Both applications are using PL SP Filter and the steps below are
> used for testing.
>
> 1. Open https://localhost:8443/employee/ and http request is
> redirected to
> https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
>
> 2. Enter username and password into keycloak login page and
> redirected to employee landing page
>
> 3. Open https://localhost:8443/sales-post/ and redirected to
> sales-post landing page without login
>
> 4. Logon to keycloak admin console and noticed there are 2
> active sessions
>
> 5. Perform global logout from employee landing page
> (https://localhost:8443/employee/?GLO=true) and http request is
> redirected to
> https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
>
> 6. Logon to keycloak admin console and noticed all sessions are gone
>
> 7. Refresh the sales-post landing page and it's not redirected to the
> keycloak login page. The sales-post session is still active.
>
> Kindly advise why GLO is performed but the second application
> (sales-post) session still active?
>
> On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda <mposolda at redhat.com> wrote:
>
> Switch the "Front channel logout" to off. In this case it
> should use backchannel (not redirecting through browser, but
> sending logout requests from Keycloak in background)
>
> Marek
>
>
>
> On 3.4.2015 08:28, Chen Keong Yap wrote:
>>
>> Hi Marek,
>>
>> I've tried frontChannel logout in 1.2.0.Beta1 and it's
>> giving me the same issues, please refer to the settings
>> shown in the screenshot.
>>
>> Can you please advise how to test backchannel logout?
>>
>> On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda <mposolda at redhat.com> wrote:
>>
>> I would try to upgrade to latest 1.2.0.Beta1 as it has
>> some related fixes AFAIK.
>>
>> In this version, you also have the possibility to set up
>> either frontChannel logout or backchannel logout for
>> the application. It can be set in the Keycloak admin
>> console. I think that at least one of them will work
>> with the SP filter in the latest version (if not both).
>>
>> Marek
>>
>>
>> On 3.4.2015 01:44, Chen Keong Yap wrote:
>>> Hi,
>>>
>>> I have 2 applications installed with the PicketLink
>>> SPFilter to authenticate with Keycloak 1.1.0 Beta 2.
>>>
>>> When I perform global logout, the first application is
>>> logged out successfully because the SP/Keycloak session
>>> and the application HTTP session are removed, but the
>>> problem is that for the second application the SP/Keycloak
>>> session is removed while the application HTTP session
>>> still remains. I've set the admin URL for these 2
>>> applications in the Keycloak admin console. Kindly share
>>> your ideas.
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
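The failure Chen reports in step 7 (after global logout the SP/Keycloak state of the second application is cleared but its own HttpSession survives, so a refresh still shows the landing page) is what an SP avoids by binding every container session to the IdP-issued SessionIndex and invalidating that session when the backchannel LogoutRequest arrives. The Java servlet code below is an added example written for this thread; it is not PicketLink or Keycloak code. The attribute names `saml.sessionIndex` and `saml.logout.sessionIndex`, the `bind` hook, the servlet path, and the assumption that an SP filter in front of the servlet has already verified the signed LogoutRequest are all hypothetical.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Binds the SAML SessionIndex issued by the IdP to the container HttpSession so that a
 * backchannel LogoutRequest destroys the application session, not only the SP state.
 * Register this class as a <listener> in web.xml. Added example, not PicketLink/Keycloak code.
 */
public final class SamlSessionRegistry implements HttpSessionListener {

    /** Session attribute holding the SessionIndex (hypothetical name). */
    static final String SESSION_INDEX_ATTR = "saml.sessionIndex";

    /** SessionIndex -> live HttpSession within this one application. */
    private static final Map<String, HttpSession> BY_INDEX = new ConcurrentHashMap<>();

    /** Call once the Response/Assertion has been validated and the user is logged in. */
    public static void bind(HttpSession session, String sessionIndex) {
        session.setAttribute(SESSION_INDEX_ATTR, sessionIndex);
        BY_INDEX.put(sessionIndex, session);
    }

    /**
     * Invalidate the application session bound to sessionIndex.
     * Returns false when none is known (already expired or never bound); the caller can
     * still report success, because the desired end state (no session) holds either way.
     */
    public static boolean logout(String sessionIndex) {
        HttpSession session = BY_INDEX.remove(sessionIndex);
        if (session == null) {
            return false;
        }
        try {
            session.invalidate(); // drops every attribute, not just the SP principal
        } catch (IllegalStateException alreadyInvalid) {
            // Timed out between lookup and invalidate; nothing left to do.
        }
        return true;
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Nothing to do: binding happens when the assertion is consumed.
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Keep the registry from leaking when sessions time out on their own.
        Object index = se.getSession().getAttribute(SESSION_INDEX_ATTR);
        if (index != null) {
            BY_INDEX.remove(index, se.getSession());
        }
    }

    /**
     * Backchannel logout endpoint (hypothetical mapping, e.g. /saml/backchannel-logout).
     * Assumption: an SP filter in front of it has already verified the LogoutRequest
     * signature and exposes the SessionIndex as a request attribute; this servlet never
     * parses or trusts raw XML from the request body itself.
     */
    public static final class BackchannelLogoutServlet extends HttpServlet {
        static final String LOGOUT_INDEX_ATTR = "saml.logout.sessionIndex";

        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws IOException {
            Object index = req.getAttribute(LOGOUT_INDEX_ATTR);
            if (index == null) {
                // Unverified or malformed request: refuse rather than guess a session.
                resp.sendError(HttpServletResponse.SC_BAD_REQUEST,
                        "missing verified SessionIndex");
                return;
            }
            boolean found = SamlSessionRegistry.logout(index.toString());
            resp.setStatus(HttpServletResponse.SC_OK);
            resp.setContentType("text/plain");
            resp.getWriter().println(found ? "session invalidated" : "no active session");
        }
    }
}
```

A real SP would answer with a signed SAML LogoutResponse rather than plain text; the plain-text reply is only there to keep the example short. The check from the thread still applies after deploying something like this: perform GLO from one application, then refresh the other and confirm it is redirected to the Keycloak login page instead of showing its landing page.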