[keycloak-user] Having difficulty logging out in a 2 client scenario

Stian Thorgersen sthorger at redhat.com
Fri Nov 4 01:18:31 EDT 2016


Sounds like the Spring Security Adapter is for services and not a web app? If
so it shouldn't deal with logins and logouts at all. It should be
configured as a bearer-only client.

On 1 November 2016 at 00:11, Chris Savory <chris.savory at edlogics.com> wrote:

> Our application has 2 clients:
> 1. A Confidential Client that uses the Spring Security Adapter
> 2. A Public Client that uses the JavaScript Adapter for an Angular SPA app.
>
> Everything between the two is working fine until I try to log out under
> certain conditions.
>
> Logout works fine if I first deep link into a protected page in my app.
> The Spring Security adapter for client #1 redirects me to Keycloak.
> Keycloak then logs me in and sends me back to my app, where my token was
> issued for client #1.  If I log out under this scenario via the
> Spring Security adapter it works fine.
>
> In scenario #2 I first hit an Angular page in my app.  Then I log in from
> the JS Adapter in client #2.  Then, through a REST call to my Spring app
> (in which a Bearer token is passed), a Java session is established on Tomcat.
> When I put some breakpoints in the Keycloak adapter classes I can see that
> the KeycloakToken only contains the token in this scenario, but not the
> refresh token.  I can also see that the token was issued for client #2.
> When I try to log out, the adapter sends a request to Keycloak with an empty
> refresh_token and Keycloak returns a 400 error, thus nullifying the logout.
>
> I also tried another scenario where I use the JS Adapter to get the logout URL
> and log out directly to Keycloak via "window.location =
> keycloak.createLogoutUrl({ redirectUri: "/site-url" })".  This actually
> logs out the user from all clients (which is what I want), but the problem
> here is that on the next request to the Spring app I think there is still an
> HttpSession alive and I'm running into the check in
> SpringSecurityTokenStore.saveAccountInfo where it throws an exception
> because there is already an (old) token inside the SecurityContextHolder.
>
> Any advice on how to proceed from either of these two scenarios?
>
> --
> Christopher Savory
> Software Engineer | EdLogics
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
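The split Stian describes, as an added example that is not code from this thread or from the Keycloak project: the Spring service (client #1) is configured as a bearer-only resource, so it validates the Bearer token that the Angular SPA (client #2) obtains through the JS adapter and never starts a login, redirect or logout of its own. `NullAuthenticatedSessionStrategy` plus a stateless session policy keep the adapter from binding the token to an HttpSession, which is what left the stale token in the SecurityContextHolder in the second scenario. The package, class name and the `/api/**` path are assumptions; the Keycloak adapter and Spring Security classes are real. It assumes a keycloak.json (or the Spring Boot equivalent) for this client with `"bearer-only": true`.

```java
// Added example (not from the thread). Assumed package and class name.
package com.example.api.security;

import org.keycloak.adapters.springsecurity.KeycloakSecurityComponents;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

/**
 * Security configuration for the REST service (client #1) as a bearer-only
 * resource. Pairs with a keycloak.json such as (values assumed):
 *
 *   { "realm": "demo",
 *     "auth-server-url": "https://sso.example.com/auth",
 *     "ssl-required": "external",
 *     "resource": "spring-api",
 *     "bearer-only": true }
 *
 * With bearer-only set, a request without a valid Bearer token gets a 401
 * instead of a redirect to the Keycloak login page, and the adapter never
 * issues a logout request (so there is no empty refresh_token to send).
 */
@Configuration
@EnableWebSecurity
@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
public class BearerOnlySecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    // Register the Keycloak authentication provider; SimpleAuthorityMapper
    // turns realm roles into ROLE_* authorities for hasRole() checks.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        KeycloakAuthenticationProvider provider = keycloakAuthenticationProvider();
        provider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
        auth.authenticationProvider(provider);
    }

    // Bearer-only services must not tie the authentication to an HttpSession:
    // each request is authenticated from its own Authorization header.
    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new NullAuthenticatedSessionStrategy();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http); // installs the Keycloak filters
        http
            // No server-side session: nothing survives a browser-side logout.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            // CSRF protection is for cookie-authenticated requests; this API
            // only accepts Bearer tokens, which browsers never attach implicitly.
            .csrf().disable()
            .authorizeRequests()
                .antMatchers("/api/**").authenticated()
                .anyRequest().permitAll();
    }
}
```

With this in place the SPA owns the whole session lifecycle: the JS adapter logs in, refreshes the access token before each REST call, and ends the SSO session with `keycloak.logout()` (or the `createLogoutUrl()` redirect quoted above). The Spring side simply stops accepting requests once the token expires, because there is no HttpSession or cached token for it to fall back on.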

