[keycloak-user] Logout session issues

Bill Burke bburke at redhat.com
Fri Nov 18 15:52:45 EST 2016 

in the community, we only support support the latest release.  A lot has 
changed since 1.9.3.  1.9.4-1.9.8 resolved a ton of tickets and there's 
been a lot of features and refactoring since last April.  You can get 
commercial support from Red Hat for 1.9.x via the RH-SSO product.  
RH-SSO 7.0 is based off of Keycloak 1.9.8.

As for your question, hopefully somebody else chimes in as I know 
nothing about the spring security integration.  What you may have not 
configured in the Keycloak admin console page is the admin endpoint.  
This is a proprietary endpoint that keycloak adapters expose to receive 
back-channel logout events.  If this URL is not set, then a backchannel 
logout request is not sent to the application.  I"m not sure if our 
spring adapter supports backchannel logout.

Not much help, but its the most I can offer at the moment.


On 11/17/16 11:08 AM, Haim Vana wrote:
> Hi,
>
> We are working on Keycloak 1.9.3 with spring security, and trying to implement backchannel logout (one application performs logout and the second application is not aware of it).
>
> We would appreciate if you kindly could advice regarding the below:
>
>
> 1.       What is the best practice to handle backchannel logout ? more specifically where and how the access token validation should be performed (how the second application should know that the first one performed the logout ?) ?
>
>
>
> 2.       We have noticed that Keycloak spring security filters (straight from documentation) don't try to authenticate the token after it revokes. What's the best practice to handle access token expiration ? is it implemented by keycloak or should we handle it in the server or client side ?
>
>
>
> 3.       getToken() method of RefreshableKeycloakSecurityContext does not fail if the token is expired,  is it on purpose ? if so should we handle it in our application code ?
>
>
> 4.       We have implemented the KeycloakOIDCFilter, but it doesn't empty the spring security authentication object (SecurityContextHolder.getContext().getAuthentication()) after logout, as a result the client 'thinks' it is still authenticated, what's the best practice to handle it ?
>
>
>
> Thanks,
> Haim.
> The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list