[keycloak-user] Issue with logout.

Satyajit Das satyajit.das at spire2grow.com
Wed Feb 24 06:45:42 EST 2016


Hi Marek,

We can't have the access token so short-lived, because users can log in, do
operations and stay logged in for some time.

What we are relying on is that once the logout URL is called using the refresh
token id, the user, when trying to access a web service using the token, should
not be allowed to, as the logout service has been called.

But the user can still get the data using the old token. Any suggestion how to
stop this behaviour?

Regards,
Satya.



On Wed, Feb 24, 2016 at 4:39 PM, Marek Posolda <mposolda at redhat.com> wrote:

> On 24/02/16 10:58, Satyajit Das wrote:
>
> Hi Team, we are facing the below issue with logout.
>
> I use the login/logout RESTful service:
>
> after login
> I get a token id, say "t1", and a refresh token id, say "rt1"
>
> 1) We have registered a web service as a Keycloak client (example demo123)
> with access type as bearer.
> 2) When I call the logout REST service:
>
> if (isPublic()) { // if client is public access type
>     formparams.add(new BasicNameValuePair(OAuth2Constants.CLIENT_ID, "demo123"));
> }
>
> URI logoutUri = KeycloakUriBuilder.fromUri(getBaseUrl(request) + "/auth")
>     .path(ServiceUrlConstants.TOKEN_SERVICE_LOGOUT_PATH)
>     .build("RealmName");
>
> the logout gives 204 for a client whose access type is open.
>
> but when I again hit the service with the token id "t1" after logout,
> I can still get the response. *Note: this response doesn't hit Keycloak*.
>
> Yes, it works this way and that's why we suggest using short lifetimes
> for the accessToken (1 minute). This means that the access token needs to be
> refreshed every 1 minute and the request for refreshing the token actually
> needs to hit the Keycloak server (in your case, refresh won't succeed because
> you already did logout).
>
> Marek
>
>
> Regards,
> Satya
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
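The behaviour Marek describes, as an added example that is not from the thread or from Keycloak itself: a minimal model of a bearer-only client validating access tokens offline against the realm key, next to a server that handles login, logout and refresh. AuthServer, bearer_accepted and scenario are hypothetical names, the HMAC key and the user are constructed, and HMAC-SHA256 stands in for Keycloak's RS256 so the block needs no libraries. It shows that t1 stays accepted until its exp regardless of logout, while refresh with rt1 fails, so the access-token lifetime is what bounds the window.

```python
import base64, hashlib, hmac, json

# Constructed stand-in for the realm signing key. Keycloak signs with RS256;
# HMAC-SHA256 keeps this dependency-free, the adapter-side check has the same shape.
REALM_KEY = b"constructed-demo-realm-key"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class AuthServer:
    """Hypothetical model of the Keycloak side: login, logout, refresh."""
    def __init__(self, access_lifetime: int):
        self.access_lifetime = access_lifetime
        self.sessions = {}  # refresh token -> (session id, user)
    def _access_token(self, user: str, sid: str, now: float) -> str:
        header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        body = _b64(json.dumps({"sub": user, "sid": sid, "exp": now + self.access_lifetime}).encode())
        sig = hmac.new(REALM_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
        return f"{header}.{body}.{_b64(sig)}"
    def login(self, user: str, now: float):
        sid = f"session-{len(self.sessions) + 1}"
        refresh_token = f"rt-{sid}"
        self.sessions[refresh_token] = (sid, user)
        return self._access_token(user, sid, now), refresh_token
    def logout(self, refresh_token: str) -> int:
        # Logout removes the session tied to the refresh token; it cannot reach
        # access tokens already handed out, which is the behaviour in the thread.
        return 204 if self.sessions.pop(refresh_token, None) else 400
    def refresh(self, refresh_token: str, now: float):
        session = self.sessions.get(refresh_token)
        if session is None:
            return None  # refresh fails: this request did hit the server
        return self._access_token(session[1], session[0], now)

def bearer_accepted(token: str, now: float) -> bool:
    """Offline check done by a bearer-only client: signature and expiry, no round trip."""
    header, body, sig = token.split(".")
    expected = hmac.new(REALM_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _unb64(sig)) and json.loads(_unb64(body))["exp"] > now

def scenario(access_lifetime: int, seconds_after_logout: int) -> dict:
    """Login, logout via the refresh token, then retry both paths some seconds later."""
    server, t0 = AuthServer(access_lifetime), 1_000_000.0
    t1, rt1 = server.login("satya", t0)
    assert server.logout(rt1) == 204
    later = t0 + seconds_after_logout
    return {"old_token_accepted": bearer_accepted(t1, later),
            "refresh_works": server.refresh(rt1, later) is not None}
```

With a one-hour lifetime the old token is still accepted five minutes after logout; with the one-minute lifetime Marek suggests it is refused, and the refresh path is refused in both cases.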

