[keycloak-user] Log out server sessions when using bearer authentication

Stian Thorgersen sthorger at redhat.com
Tue Jan 3 02:51:37 EST 2017


Not really following what you are saying. Are you saying you want your REST
services to be stateful and use cookie based security rather than tokens?
Or the other way around?

On 3 January 2017 at 08:40, Dan Østerberg <dan at ren.no> wrote:

> Thanks for the reply. But wouldn’t that be a bit against the whole point
> with token based authentication? We’ve used Jasig CAS before, and thereby
> used internal server-only authentication + server session. That’s very
> similar to Keycloak used the way you describe – and limiting in several
> ways. If that was the only option, we would have stayed with CAS. Being
> stateless & having more control in the client is certainly beneficial in a
> client-heavy REST-based application, where the client accesses multiple
> webapps (within the same realm).
>
> I guess we’ll just have to implement some in-house solution then...
>
> ~Dan
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* Monday 2 January 2017 15:16
> *To:* Dan Østerberg <dan at ren.no>
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Log out server sessions when using bearer
> authentication
>
> There's no standard way of doing backchannel logout with OAuth2. There's a
> draft spec for OpenID Connect that we may implement in the future.
>
> Keycloak has its own proprietary backchannel logout, but that's only for
> applications that do the login. In your case, as it's a JS app that obtains
> the tokens, there's no backchannel logout involved and instead it relies on
> the session cookie + access token timeout. Assuming your JEE app is a REST
> service, it should create a session that allows invoking without an access
> token from the JS app. That way it won't be possible for the JS app to
> invoke it once the session is logged out, as it won't be able to obtain new
> access tokens.
>
> On 29 December 2016 at 11:27, Dan Østerberg <dan at ren.no> wrote:
>
> Hi,
>
> How can we make single sign out work when passing bearer tokens to a
> server guarded by a «traditional» session based OAuth2 client / adapter?
>
> Let's say we use bearer authentication via the JavaScript adapter, and make
> REST requests to a stateless (no session) server. Let's further say that
> during some later request, a server session will be created – either
> intentionally to store state, or unintentionally e.g. by some shared code
> (since sessions are auto-created in Java EE). Now single sign out won’t
> work, because Keycloak is neither aware of the server session nor the
> OAuth2 client that has an admin URL.
>
> One solution could be to detect the creation of a session, and internally
> via an extended REST API tell the Keycloak server to create a session also
> for the client with admin URL (connecting it to the created session ID).
> But it just sounds as if this should be covered out-of-the-box, so maybe
> I’m just missing or misunderstanding something...
>
> ~Dan
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
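The two behaviours the thread contrasts, Stian's point that a bearer-only REST service relies on "session cookie + access token timeout" while a session-based adapter registered with an admin URL receives Keycloak's backchannel logout, and Dan's question about a server session created after a bearer request, can be shown side by side in a small model. This is an added example, not Keycloak's or the adapters' code: the HS256 JWT helper stands in for Keycloak's RSA-signed tokens, the IdP and both backends are in-memory stand-ins, and the admin URL is modelled as a direct method call rather than an HTTP callback. All session ids, the signing key and the user name are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

# Constructed demo key; a real Keycloak realm signs tokens with an RSA key pair.
SECRET = b"constructed-demo-hmac-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict) -> str:
    """Minimal HS256 JWT: header.payload.signature (stand-in for the IdP signer)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_token(token: str, now: float) -> Optional[dict]:
    """Stateless check a bearer-only adapter performs: signature and expiry only."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(unb64url(sig), expected):
        return None
    claims = json.loads(unb64url(payload))
    if claims.get("exp", 0) <= now:
        return None
    return claims


class IdentityProvider:
    """Stand-in for the Keycloak server: SSO sessions, token issuance, logout push."""

    def __init__(self, access_lifetime: int = 300):
        self.access_lifetime = access_lifetime
        self.sso_sessions: Dict[str, str] = {}      # sso session id -> user
        self.admin_urls: Dict[str, "SessionBackend"] = {}  # client id -> backend

    def login(self, sso_id: str, user: str) -> None:
        self.sso_sessions[sso_id] = user

    def issue_access_token(self, sso_id: str, now: float) -> Optional[str]:
        # The JS adapter refreshes against the SSO session: no session, no new token.
        user = self.sso_sessions.get(sso_id)
        if user is None:
            return None
        return sign_token({"sub": user, "sid": sso_id, "exp": now + self.access_lifetime})

    def logout(self, sso_id: str) -> None:
        self.sso_sessions.pop(sso_id, None)
        # Proprietary backchannel logout: notify every client that registered an admin URL.
        for backend in self.admin_urls.values():
            backend.backchannel_logout(sso_id)


class StatelessBackend:
    """Bearer-only REST service: trusts a token until exp, never hears about logout."""

    def handle(self, token: str, now: float) -> bool:
        return verify_token(token, now) is not None


class SessionBackend:
    """Session-based adapter: server session bound to the SSO session id and
    registered with the IdP so backchannel logout can invalidate it."""

    def __init__(self, idp: IdentityProvider, client_id: str):
        self.server_sessions: Dict[str, str] = {}   # server session id -> sso id
        idp.admin_urls[client_id] = self

    def create_session(self, claims: dict) -> str:
        sid = f"srv-{len(self.server_sessions) + 1}"
        self.server_sessions[sid] = claims["sid"]
        return sid

    def handle(self, server_session_id: str) -> bool:
        return server_session_id in self.server_sessions

    def backchannel_logout(self, sso_id: str) -> None:
        self.server_sessions = {k: v for k, v in self.server_sessions.items() if v != sso_id}


def demo() -> dict:
    now = 1_000_000.0
    idp = IdentityProvider(access_lifetime=300)
    stateless = StatelessBackend()
    stateful = SessionBackend(idp, "jee-app")

    idp.login("sso-1", "dan")
    token = idp.issue_access_token("sso-1", now)
    srv_sid = stateful.create_session(verify_token(token, now))

    before = (stateless.handle(token, now), stateful.handle(srv_sid))
    idp.logout("sso-1")
    after = (stateless.handle(token, now + 1), stateful.handle(srv_sid))
    expired = stateless.handle(token, now + 301)           # old token finally dies at exp
    renewed = idp.issue_access_token("sso-1", now + 1)     # JS app cannot get a new one
    return {"before": before, "after": after, "expired": expired, "renewed": renewed}
```

Running `demo()` shows the exposure window: after SSO logout the session-based backend rejects immediately, the stateless backend keeps accepting the already-issued token until its `exp` (here 300 seconds), and the JS adapter can no longer obtain a replacement. Shortening the access token lifetime bounds that window; binding the server session to the SSO session id, as Dan proposes, is what lets the backchannel call invalidate it.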

