[keycloak-user] Keycloak 2.3.0 Logout on multiple war's

Marek Posolda mposolda at redhat.com
Tue Dec 13 15:20:53 EST 2016


On 13/12/16 09:26, Jeroen Koek wrote:
>   Hi,
>
> I have deployed multiple wars on jboss eap 6.4.
> The WARs are running on different URLs and are using the same keycloak client ('Athlon').
>
> If I'm logged in I'm able to navigate to the different applications and seamlessly start a java session; I see multiple JSESSIONIDs.
>
> If I log out on one of the WARs (session logout) I'm still able to access the other applications to my surprise; e.g. the SSO is not working.
>
> I have configured the admin URL to the root of the application server ("/") where I have one of the applications running.
> However the adapter is not invalidating all other sessions (for the other applications); I can still navigate to one of the other applications ("/app" for instance).
>
> I have now created a for loop where I'm logging out all applications manually (/logout).
>
> My mind is telling me that I'm doing something completely wrong.
>
> Am I right?
Yes, seems that your mind is correct :)

It is supposed that every WAR will have its own Keycloak client. Then 
single-sign-out will work as expected. Because for example when you have 
application "war1" on context "/war1" and "war2" on context "/war2", 
Keycloak needs to be able to send a single-sign-out request to both of those 
URLs. With all the WARs and a single Keycloak client, this can't work. Take 
a look at our examples and especially the most basic "demo" example.

Marek
>
> Regards,
>
> Jeroen.
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
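
The check below is an added example, not part of the original thread and not Keycloak code. It audits a deployment for the condition the reply describes: several WARs sharing one client, so the client's single admin URL cannot cover every context. It assumes each WAR's `keycloak.json` names its client in `resource` and that a realm export lists `clientId` and `adminUrl` per client; the host, realm name and the `audit` helper are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample data. Keys are WAR context paths; values are the
# "realm"/"resource" fields taken from that WAR's keycloak.json.
ADAPTERS_SHARED = {
    "/":    {"realm": "demo", "resource": "Athlon"},
    "/app": {"realm": "demo", "resource": "Athlon"},
}
ADAPTERS_SPLIT = {
    "/war1": {"realm": "demo", "resource": "war1"},
    "/war2": {"realm": "demo", "resource": "war2"},
}
# Constructed fragments of a realm export (host is a placeholder).
REALM_SHARED = {"clients": [
    {"clientId": "Athlon", "adminUrl": "http://localhost:8080/"},
]}
REALM_SPLIT = {"clients": [
    {"clientId": "war1", "adminUrl": "http://localhost:8080/war1"},
    {"clientId": "war2", "adminUrl": "http://localhost:8080/war2"},
]}


def _path(url):
    """Reduce a URL or context path to its path without a trailing slash."""
    return urlparse(url).path.rstrip("/") or "/"


def audit(adapters, realm):
    """Return findings for WAR contexts a sign-out request would not reach."""
    admin = {c["clientId"]: c.get("adminUrl") for c in realm["clients"]}
    by_client = defaultdict(list)
    for context, cfg in adapters.items():
        by_client[cfg["resource"]].append(context)
    findings = []
    for client, contexts in by_client.items():
        if len(contexts) > 1:
            findings.append(f"client {client!r} is shared by {sorted(contexts)}")
        for context in contexts:
            url = admin.get(client)
            # Assumption: a WAR is covered only if the admin URL is its context root.
            if not url or _path(url) != _path(context):
                findings.append(f"{context}: admin URL of {client!r} does not point here")
    return sorted(findings)


if __name__ == "__main__":
    print("shared client:", audit(ADAPTERS_SHARED, REALM_SHARED))
    print("one client per WAR:", audit(ADAPTERS_SPLIT, REALM_SPLIT) or "ok")
```
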



