[keycloak-user] Keycloak single sign on/out clarification

Michal Keda michal.keda at studentagency.cz
Tue Mar 21 09:38:12 EDT 2017


Hi,

we are evaluating Keycloak and I have one problem with getting single
sign out working properly and one question about the design of
app+Keycloak. The problem is the following: I have two applications that
are protected via Keycloak, based on the Keycloak quickstart vanilla-jee
apps and deployed to Tomcat. This should mimic our future use case, in
which multiple applications on multiple servers should have SSO. If a
user logs into any of the sites (or Keycloak's /auth/realms/realm/account
page), he is logged in to the other two. BUT troubles come when users
want to log out.

When a user logs out from my app, he is logged out from Keycloak's
/auth/realms/realm/account page, but not from the other application. If
the user logs out from the /auth/realms/realm/account page, he is not
logged out from any of my applications. It just seems that once the
session in my application is established successfully, it no longer
tries to check whether the user is logged in with the Keycloak server.
Which seems quite "un"singlesignout-ish.

I am logging out like this:

   public void handleLogout(HttpServletRequest req) throws ServletException {
       // Servlet API logout, called when the request has a "logout" parameter
       if (req.getParameter("logout") != null) {
           req.logout();
       }
   }

Since single sign on is achieved basically just by changing
<auth-method>KEYCLOAK</auth-method> in web.xml and automagic does
everything else, I was expecting single sign out to be similarly
effortless. What do I need to do to make it work?


My second question is regarding a custom login form. The product owner
simply denied that we will redirect users to the Keycloak login page
during the login process. I didn't find much information on how to use
an existing login form with Keycloak, but we came up with the following
solution. I just want to ask if it is a reasonable approach. I created a
page "linksVisibleForLoggedInUsers.html" that is protected by Keycloak in
web.xml. I included this page in an iframe in place of the former login
form. So when an unlogged user accesses the index page, this iframe shows
the Keycloak login form (which can be themed to mimic the original login
form). The user can then log into Keycloak in the iframe and it works
fine. My feeling is that although this works, it might not be the
optimal solution.


Best regards,

Michal Keda


