[keycloak-user] Having difficulty logging out in a 2 client scenario

Chris Savory chris.savory at edlogics.com
Mon Oct 31 19:11:36 EDT 2016


Our application has 2 clients:
1. A Confidential Client that uses the Spring Security Adapter
2. A Public Client that uses the JavaScript Adapter for an Angular SPA app. 

Everything between the two is working fine until I try to logout under certain conditions. 

Logout works fine if I first: deep link into a protected page in my app.  The SpringSecurity adapter for client# 1 redirects me to Keycloak. Keycloack then logs me in and sends me back to my app where my token was issued for client #1.  If I logout under this scenario via the SpringSecurity adapter it works fine.

In Scenario #2 I first hit an Angular page in my app.  Then I log in from the JS Adapter in client #2.  Then through a Rest call to my Spring App (which a Bearer token is passed) a java session is established on Tomcat.  When I put some break points in the Keycloak Adapter classes I can see that the KeycloakToken only contains the token in this scenario, but not the refresh token.  I can also see that the token was issued for client #2.  When I try to logout, the adapter sends a request to Keycloak with an empty refresh_token and keycloak returns a 400 error, thus nullifying the logout. 

I also tried another scenario where use the JS Adapter get the logout URL and logout directly to Keycloak via “window.location = keycloak.createLogoutUrl({ redirectUri: “/site-url”) }).  This actually logs out the user from all clients (which is what I want), but the problem here is on the next request to the Spring app I think there is still an HttpSession alive and I’m running into the check in SpringSecurityTokenStore.saveAccountInfo where it throws an exception because there is already an (old) token inside the SecurityContextHolder.  

Any advice on how to proceed from either of these two scenarios? 

--
Christopher Savory
Software Engineer | EdLogics





More information about the keycloak-user mailing list