[keycloak-user] Logout to the external IDP
Xiao Ma
xiao.ma at masergy.com
Sun Mar 20 10:58:30 EDT 2016
Hi,
I configured a OIDC identity provider by selecting the OpenID Connect
v1.0 identity
provider from the drop-down box on the top right corner of the identity
providers table in Keycloak's Admin Console. During the configuration
process, I also configure "Logout Url" for the IDP logout url.
When I try to logout to the external IDP, the browser is redirected to the
external IDP to perform the logout. I can see some URL as follows:
https://*keycloakdev.xxxxxxx.com <http://keycloakdev.xxxxxxx.com>*
/auth/realms/*Internal*/protocol/openid-connect/logout?*state=*
a4efbda0-8b98-4169-a369-59e92bc3fac5&*id_token_hint=*
eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJjMDY0NWJmZC0yZDhlLTQ1MjQtOWQ5Mi05OGViMDk5MDgxMzUiLCJleHAiOjE0NTgxNDg1ODksIm5iZiI6MCwiaWF0IjoxNDU4MTQ4NTg4LCJpc3MiOiJodHRwczovL2tleWNsb2FrZGV2Lm1hc2VyZ3kuY29tL2F1dGgvcmVhbG1zL0ludGVybmFsIiwiYXVkIjoiZXh0ZXJuYWxfcmVhbG1fYWNjZXNzXzIiLCJzdWIiOiI2ZmNmMDMwMi1jNzE0LTRiZDUtYjdlZS02MjMyODU2YTBlZWUiLCJ0eXAiOiJJRCIsImF6cCI6ImV4dGVybmFsX3JlYWxtX2FjY2Vzc18yIiwic2Vzc2lvbl9zdGF0ZSI6ImY1MWM3MzFkLTJkZWItNGRhZi04YWM3LTQyZDdkYjc1Zjc5YyIsIm5hbWUiOiJYaWFvIE1hIiwicHJlZmVycmVkX3VzZXJuYW1lIjoieG1hIiwiZ2l2ZW5fbmFtZSI6IlhpYW8iLCJHUk9VUFNfRlJPTV9JTlRFUk5BTF9SRUFMTSI6WyIvTk9DIiwiL2xhbmRzY2FwZV9nZW5lcmFsX3VzZXIiXSwiZmFtaWx5X25hbWUiOiJNYSIsImVtYWlsIjoieGlhby5tYUBtYXNlcmd5LmNvbSJ9.BIneKvUpSPq4c32dV5JclWPjtbA0U55u8Pf_C7KDokNMMBKCERHnzIS8-9csBxh8NLJbB_PmApMY0raAz-YPOcwyvmsOJ23bSrDR3Oa2HZ5JEGzs9IVFyhzQXJuDBCBWcPZl-eNxnxdGkNJBd7Cx03iWsUVUE9NeJYPjeZ5s8rmDtaX38V6JywugWRby5rfSZDLpu7xoGj6a_ZSZEXUfktwCMHS0Jnz_1M778Bmka0TcD1bvIpuqVl4-YQf2P3UZWgxqFQoNDVegZUNuekqUQyJiuRjlQuhITg5tDYfy2DbhkqVsN2gR7mUp21WNx2S5pG5Hb9cXajIVGR6SmW4qKA
:
"keycloakdev.xxxxxxx.com" is where the externalIDP is located. "Internal"
is the name of the realm. The parameters "state" and "id_token_hint" are
appended to the endpoint logout URL automatically during the logout
process.
However, this process failed because I got "Session Not Active" error in
the UI. After some investigations, I found this "Session Not Active" error
seems to be related to the value of Realm Setting —> Tokens —> Access Token
Lifespan I configured. The default value is 5 minutes, if I trigger the
logout within 5 minutes, I can logout to the external IDP successfully. If
I do the logout after 5 minutes, I will get this ""Session Not Active"
error. Is this the expected behavior? Do I have to bump up the value
of "Access
Token Lifespan" to get a longer session for the logout purpose?
Thanks a lot for the help!
Xiao
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160320/4837b40b/attachment.html
More information about the keycloak-user
mailing list