[keycloak-user] Session Logout with Offline Access Token

Benjamin Zaitlen quasiben at gmail.com
Sat Apr 15 10:56:05 EDT 2017


Hi Marek,

Apologies for the delayed reply.  The examples work!  It turns out it was
an error with how I was defining and encoding the scope.  The
difference between


> scope=['openid', 'offline_access']

and

> scope='openid offline_access'

What was/is a problem was that the first scope declaration was valid and an
access token was granted.

In any case, thank you again for helping me debug my error.

--Ben

On Wed, Mar 29, 2017 at 12:50 PM, Marek Posolda <mposolda at redhat.com> wrote:

> Do you have a chance to try the example I pointed and see if it works as
> expected?
>
> Marek
>
>
> On 29/03/17 21:13, Benjamin Zaitlen wrote:
>
> Hi Marek,
>
> Thanks for the response.  I am saving the token for APP2.  The behavior
> I'm observing is that after the SSO Logout, the offline token access is
> revoked, and the previously saved token is no longer valid.  Perhaps I'm
> doing something incorrectly.  This is also on 2.5.X
>
> --Ben
>
> On Wed, Mar 29, 2017 at 1:28 PM, Marek Posolda <mposolda at redhat.com>
> wrote:
>
>> On 29/03/17 13:43, Benjamin Zaitlen wrote:
>>
>>> Any thoughts on this?
>>>
>>> --Ben
>>>
>>> On Fri, Mar 24, 2017 at 5:20 PM, Benjamin Zaitlen <quasiben at gmail.com>
>>> wrote:
>>>
>>>> Hi All,
>>>>
>>>> I'm having some trouble with sessions, clients, and offline access
>>>> tokens.  Let's say I have a client (APP 1) and I've logged in with
>>>> OIDC.  I
>>>> now have a refresh_token and session for APP 1. Using the auth code
>>>> flow I
>>>> can generate an offline_access token (refresh_token) for a second
>>>> client:
>>>> APP 2.   When I look in realms/myrealm/account/sessions, I see one
>>>> session but two clients.  At first I thought, great!  I was able to get
>>>> the
>>>> auth code flow working and I generated a refresh token for a second
>>>> client.
>>>>
>>>> But then disaster set in, when I logged out of the APP 1 client with the
>>>> URL: protocol/openid-connect/logout. I was logged out of the session
>>>> which
>>>> included the second client and thus the offline access token for APP 2
>>>> was effectively revoked.
>>>>
>>>> I've seen a handful of JIRAs related to offline access tokens and
>>>> logouts
>>>> but I think they don't quite cover this usecase. I have two questions:
>>>>
>>>> 1. Is it possible, using the auth code flow, to generate a refresh token
>>>> in separate session. That is can APP 1 generate an offline_access token
>>>> for
>>>> APP 2 in a separate session without re-authenticating?
>>>>
>> Once you logged in to your APP 2, you have both an online session, which is
>> part of SSO login (hence you are able to browse APP 2 with your browser)
>> and an offline session. After login to APP 2, you need to somehow save your
>> offline token for later use, which is the responsibility of your APP 2.
>>
>> SSO logout will clear your browser session, but the offline token will be
>> still valid and can be used for further refreshes. The offline token will also
>> survive a server restart.
>>
>> You can take a look at the example in the keycloak-examples distribution
>> under "preconfigured-demo/offline-access-app" , which also does logout
>> of browser session (or server restart), but offline token is still valid.
>>
>>>
>>>> 2. Can I logout a specific client for a session by passing additional
>>>> parameters in the logout URL ?
>>>>
>> Nope, Logout is always global SSO logout as it clears the userSession on
>> the Keycloak side. Assume that when the "global" userSession is not
>> cleared, then the single logged-out client will be still always able to
>> login anytime due to SSO session, hence logout would be a bit pointless
>> though?
>>
>> Marek
>>
>>>
>>>> Thanks,
>>>> --Ben
>>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>>
>
>
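The encoding mistake Ben describes above (a list of scopes versus one space-delimited string) is easy to reproduce without a running Keycloak. The block below is an added example, not code from the thread or from the Keycloak project; the base URL, realm, client id and redirect URI are constructed placeholders. It builds the authorization-code request the way RFC 6749 §3.3 requires (one `scope` parameter whose value is space-delimited) and shows what the server receives when a Python list is passed through a `doseq`-style encoder instead: repeated `scope` parameters, none of which carries the combined `openid offline_access` value, so the request still looks valid but no offline token is requested.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholder values for this example (not from the thread).
KEYCLOAK_BASE = "https://keycloak.example.com/auth"
REALM = "myrealm"


def auth_endpoint(base=KEYCLOAK_BASE, realm=REALM):
    """Keycloak's OIDC authorization endpoint path for a realm."""
    return f"{base}/realms/{realm}/protocol/openid-connect/auth"


def build_authorization_url(client_id, redirect_uri, scopes, state,
                            base=KEYCLOAK_BASE, realm=REALM):
    """Correct form: scopes are joined with a single space into ONE parameter.

    urlencode() turns the space into '+', which the server decodes back
    to a space, so the value arrives as 'openid offline_access'.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{auth_endpoint(base, realm)}?{urlencode(params)}"


def encode_scope_as_list(scopes):
    """The mistake from the thread: a Python list pushed through a doseq-style
    encoder becomes repeated 'scope=' parameters rather than one value."""
    return urlencode({"scope": scopes}, doseq=True)


def scope_values_seen_by_server(url):
    """Return every occurrence of the scope parameter, as the server parses it."""
    return parse_qs(urlparse(url).query).get("scope", [])


def requests_offline_access(url):
    """True only when a single scope parameter exists and it contains
    'offline_access' in its space-delimited value."""
    values = scope_values_seen_by_server(url)
    return len(values) == 1 and "offline_access" in values[0].split()


if __name__ == "__main__":
    good = build_authorization_url("app2", "https://app2.example.com/cb",
                                   ["openid", "offline_access"], "state123")
    bad = f"{auth_endpoint()}?{encode_scope_as_list(['openid', 'offline_access'])}"
    print("correct  :", scope_values_seen_by_server(good), requests_offline_access(good))
    print("list form:", scope_values_seen_by_server(bad), requests_offline_access(bad))
```

A useful check on the client side, before trusting a token for later use, is to confirm that the authorization request actually carried `offline_access` as part of the single space-delimited scope value; with the list form the request is still well-formed and an access token is issued, which matches the "valid but no offline token" behaviour reported above.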

