[keycloak-user] Logout session issues

Haim Vana haimv at perfectomobile.com
Thu Nov 17 11:08:58 EST 2016


We are working on Keycloak 1.9.3 with spring security, and trying to implement backchannel logout (one application performs logout and the second application is not aware of it).

We would appreciate it if you could kindly advise regarding the below:

1. What is the best practice to handle backchannel logout? More specifically, where and how should the access token validation be performed (how should the second application know that the first one performed the logout)?

2. We have noticed that the Keycloak spring security filters (straight from the documentation) don't try to authenticate the token after it is revoked. What's the best practice to handle access token expiration? Is it implemented by Keycloak, or should we handle it on the server or client side?

3. The getToken() method of RefreshableKeycloakSecurityContext does not fail if the token is expired. Is this on purpose? If so, should we handle it in our application code?

4. We have implemented the KeycloakOIDCFilter, but it doesn't empty the spring security authentication object (SecurityContextHolder.getContext().getAuthentication()) after logout. As a result the client 'thinks' it is still authenticated. What's the best practice to handle this?
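As an added illustration of points 3 and 4 (this is not code from the original message or from the Keycloak project): a servlet filter placed after the Keycloak authentication filter that re-checks the Keycloak token on every request and clears the Spring Security context when the token is no longer valid. It assumes the Keycloak 1.9.x Spring Security adapter classes `KeycloakAuthenticationToken`, `RefreshableKeycloakSecurityContext.isActive()` and `refreshExpiredToken(boolean)`; verify those names against your adapter version.

```java
// Added example, not part of the original post or the Keycloak project.
// Assumes the Keycloak 1.9.x Spring Security adapter API; check the names
// against your adapter version before use.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
import org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

public class ExpiredTokenCheckFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth instanceof KeycloakAuthenticationToken) {
            RefreshableKeycloakSecurityContext ctx = (RefreshableKeycloakSecurityContext)
                    ((KeycloakAuthenticationToken) auth).getAccount().getKeycloakSecurityContext();
            // getToken() never throws on expiry: the application has to ask the
            // context whether the token is still active. If it is not, try a refresh;
            // after a logout the refresh token has been revoked by Keycloak, so the
            // refresh fails and the local authentication is dropped as well.
            if (!ctx.isActive() && !ctx.refreshExpiredToken(true)) {
                SecurityContextHolder.clearContext();
                HttpSession session = ((HttpServletRequest) request).getSession(false);
                if (session != null) {
                    session.invalidate();
                }
            }
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```

This only detects the logout once the access token has expired, so keep the access token lifetime short; for immediate propagation the adapter's backchannel admin endpoint (the one that receives Keycloak's logout notification) must also be reachable from the Keycloak server.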

