[keycloak-user] Logout to the external IDP

Thu Mar 31 10:30:49 EDT 2016

Thank you very much for the quick help, Bill!

Regards,
Xiao

On Wed, Mar 30, 2016 at 6:37 PM, Bill Burke <bburke at redhat.com> wrote:

> This is fixed in master and will be released with 1.9.2 in 1 or 2 weeks.
>
>
> On 3/21/2016 11:25 AM, Xiao Ma wrote:
>
> Thank you, Bill! I am wondering what is our rough estimate on when are
> going to release 1.9.2.Final.
>
> Best Regards,
> Xiao
>
> On Mon, Mar 21, 2016 at 10:26 AM, Bill Burke <bburke at redhat.com> wrote:
>
>> I think this is a bug.  We probably don't refresh the token that is
>> obtained by the "child" IDP.
>>
>> https://issues.jboss.org/browse/KEYCLOAK-2691
>>
>> On 3/20/2016 10:58 AM, Xiao Ma wrote:
>>
>> Hi,
>>
>> I configured a OIDC identity provider by selecting the OpenID Connect
>> v1.0 identity provider from the drop-down box on the top right corner of
>> the identity providers table in Keycloak's Admin Console. During the
>> configuration process, I also configure "Logout Url" for the IDP logout
>> url.
>>
>> When I try to logout to the external IDP, the browser is redirected to
>> the external IDP to perform the logout. I can see some URL as follows:
>>
>> https://*keycloakdev.xxxxxxx.com <http://keycloakdev.xxxxxxx.com>*
>> /auth/realms/*Internal*/protocol/openid-connect/logout?*state=*
>> a4efbda0-8b98-4169-a369-59e92bc3fac5&*id_token_hint=*eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJjMDY0NWJmZC0yZDhlLTQ1MjQtOWQ5Mi05OGViMDk5MDgxMzUiLCJleHAiOjE0NTgxNDg1ODksIm5iZiI6MCwiaWF0IjoxNDU4MTQ4NTg4LCJpc3MiOiJodHRwczovL2tleWNsb2FrZGV2Lm1hc2VyZ3kuY29tL2F1dGgvcmVhbG1zL0ludGVybmFsIiwiYXVkIjoiZXh0ZXJuYWxfcmVhbG1fYWNjZXNzXzIiLCJzdWIiOiI2ZmNmMDMwMi1jNzE0LTRiZDUtYjdlZS02MjMyODU2YTBlZWUiLCJ0eXAiOiJJRCIsImF6cCI6ImV4dGVybmFsX3JlYWxtX2FjY2Vzc18yIiwic2Vzc2lvbl9zdGF0ZSI6ImY1MWM3MzFkLTJkZWItNGRhZi04YWM3LTQyZDdkYjc1Zjc5YyIsIm5hbWUiOiJYaWFvIE1hIiwicHJlZmVycmVkX3VzZXJuYW1lIjoieG1hIiwiZ2l2ZW5fbmFtZSI6IlhpYW8iLCJHUk9VUFNfRlJPTV9JTlRFUk5BTF9SRUFMTSI6WyIvTk9DIiwiL2xhbmRzY2FwZV9nZW5lcmFsX3VzZXIiXSwiZmFtaWx5X25hbWUiOiJNYSIsImVtYWlsIjoieGlhby5tYUBtYXNlcmd5LmNvbSJ9.BIneKvUpSPq4c32dV5JclWPjtbA0U55u8Pf_C7KDokNMMBKCERHnzIS8-9csBxh8NLJbB_PmApMY0!
>> raAz-YPO
>> cwyvmsOJ23bSrDR3Oa2HZ5JEGzs9IVFyhzQXJuDBCBWcPZl-eNxnxdGkNJBd7Cx03iWsUVUE9NeJYPjeZ5s8rmDtaX38V6JywugWRby5rfSZDLpu7xoGj6a_ZSZEXUfktwCMHS0Jnz_1M778Bmka0TcD1bvIpuqVl4-YQf2P3UZWgxqFQoNDVegZUNuekqUQyJiuRjlQuhITg5tDYfy2DbhkqVsN2gR7mUp21WNx2S5pG5Hb9cXajIVGR6SmW4qKA
>> :
>>
>> "keycloakdev.xxxxxxx.com" is where the externalIDP is located.
>> "Internal" is the name of the realm. The parameters "state" and
>> "id_token_hint" are appended to the endpoint logout URL automatically
>> during the logout process.
>>
>> However, this process failed because I got "Session Not Active" error in
>> the UI. After some investigations, I found this "Session Not Active" error
>> seems to be related to the value of Realm Setting —> Tokens —> Access
>> Token Lifespan I configured. The default value is 5 minutes, if I trigger
>> the logout within 5 minutes, I can logout to the external IDP successfully.
>> If I do the logout after 5 minutes, I will get this ""Session Not
>> Active" error. Is this the expected behavior?  Do I have to bump up the
>> value of "Access Token Lifespan" to get a longer session for the logout
>> purpose?
>>
>> Thanks a lot for the help!
>>
>> Xiao
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hathttp://bill.burkecentral.com
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
> --
> Bill Burke
> JBoss, a division of Red Hathttp://bill.burkecentral.com
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160331/edf3e4fe/attachment.html 